SQL Injection about expose HOT 8 OPEN

@enygma Have not tested the below, but would using array_walk_recursive() suffice for the above? We may want to also check that recursion is being done in other areas as well.
[ DEMO ]

src/Expose/Manager.php

        // try to clean up standard filter bypass methods
        array_walk_recursive($data, [new \Expose\Converter\Converter, 'runAllConversions']);

        $path = array();
        // ...

src/Expose/Converter/Converter.php

    public function runAllConversions(&$value)
    {
        // ...
        // return $value;

Might I suggest running the rules against https://github.com/minimaxir/big-list-of-naughty-strings as part of the unit tests?

Also on a side-note, would you be interested in a Python3 port of Expose?

from expose.

@yehgdotnet what was the downvote for? Did the code not work or is the rule itself broken?

from expose.

Yes, it should detect SQLi as per filter_rules.json#L517-L529. If not, then the filter may have gotten broken. I had opened #58 in hopes of having better quality checks on new/old/modified rules.

from expose.

Because this rule does not include ' char?

from expose.

@tranba quotes are normalized here src/Expose/Converter/ConvertMisc.php#L80-L94 if that is not done then the patterns would be overly complex with having to match each and every variation of quote use.

from expose.

@quantumpacket I've found a problem in the run function:

Convert only apply to the first level of data array, then for example
$data = array(
'POST' = array('dirty' => " a ' or 1 = 1")
)
will bypass

from expose.

Seems anything' OR '1'='1 doesn't match with rules

Below are matched:

a' or 1=1;#
a' or 1=1;--

from expose.

@yehgdotnet what was the downvote for? Did the code not work or is the rule itself broken?

wrong click, was too sleepy, cheers

from expose.