SA-CORE-2024-008 by mcdruid, fabianx, poker10, larowlan, longwave, alexpott

core/lib/Drupal/Core/Database/Query/Select.php

@@ -800,6 +800,15 @@ class Select extends Query implements SelectInterface {
    * {@inheritdoc}
    */
   public function __toString() {
+    if (!is_array($this->fields) ||
+      !is_array($this->expressions) ||
+      !is_array($this->tables) ||
+      !is_array($this->order) ||
+      !is_array($this->group) ||
+      !is_array($this->union)) {
+      throw new \UnexpectedValueException();
+    }
+
     // For convenience, we compile the query ourselves if the caller forgot
     // to do it. This allows constructs like "(string) $query" to work. When
     // the query will be executed, it will be recompiled using the proper

core/lib/Drupal/Core/Database/Query/Update.php

@@ -146,6 +146,12 @@ class Update extends Query implements ConditionInterface {
    *   The prepared statement.
    */
   public function __toString() {
+    if (!is_array($this->fields) ||
+      !is_array($this->arguments) ||
+      !is_array($this->expressionFields)) {
+      throw new \UnexpectedValueException();
+    }
+
     // Create a sanitized comment string to prepend to the query.
     $comments = $this->connection->makeComment($this->comments);
 

core/lib/Drupal/Core/Database/StatementPrefetch.php

@@ -6,6 +6,7 @@ namespace Drupal\Core\Database;
 
 use Drupal\Core\Database\Event\StatementExecutionEndEvent;
 use Drupal\Core\Database\Event\StatementExecutionStartEvent;
+use Drupal\Core\Site\Settings;
 
 /**
  * An implementation of StatementInterface that pre-fetches all data.
@@ -344,6 +345,15 @@ class StatementPrefetch implements \Iterator, StatementInterface {
             $class_name = $this->fetchOptions['class'];
           }
           if (count($this->fetchOptions['constructor_args'])) {
+            // Verify the current db connection to avoid this code being called
+            // in an inappropriate context.
+            $defaults = ['sqlite', 'oracle'];
+            $extras = Settings::get('database_statement_prefetch_valid_db_drivers', []);
+            $valid_db_drivers = array_merge($defaults, $extras);
+            $db_connection_options = Database::getConnection()->getConnectionOptions();
+            if (!in_array($db_connection_options['driver'], $valid_db_drivers)) {
+              throw new \BadMethodCallException();
+            }
             $reflector = new \ReflectionClass($class_name);
             $result = $reflector->newInstanceArgs($this->fetchOptions['constructor_args']);
           }

core/lib/Drupal/Core/DependencyInjection/DependencySerializationTrait.php

@@ -17,7 +17,7 @@ trait DependencySerializationTrait {
    * @var array
    */
   // phpcs:ignore Drupal.Classes.PropertyDeclaration, Drupal.NamingConventions.ValidVariableName.LowerCamelName
-  protected $_serviceIds = [];
+  protected array $_serviceIds = [];
 
   /**
    * An array of entity type IDs keyed by the property name of their storages.
@@ -25,7 +25,7 @@ trait DependencySerializationTrait {
    * @var array
    */
   // phpcs:ignore Drupal.Classes.PropertyDeclaration, Drupal.NamingConventions.ValidVariableName.LowerCamelName
-  protected $_entityStorages = [];
+  protected array $_entityStorages = [];
 
   /**
    * {@inheritdoc}

core/lib/Drupal/Core/Template/Attribute.php

@@ -73,7 +73,7 @@ class Attribute implements \ArrayAccess, \IteratorAggregate, MarkupInterface {
    *
    * @var \Drupal\Core\Template\AttributeValueBase[]
    */
-  protected $storage = [];
+  protected array $storage = [];
 
   /**
    * Constructs a \Drupal\Core\Template\Attribute object.

core/modules/sqlite/src/Driver/Database/sqlite/Connection.php

@@ -61,7 +61,7 @@ class Connection extends DatabaseConnection implements SupportsTemporaryTablesIn
    *
    * @var array
    */
-  protected $attachedDatabases = [];
+  protected array $attachedDatabases = [];
 
   /**
    * Whether or not a table has been dropped this request.