From 2406eefd390eb9b2bcc65c28345b9ac686288a30 Mon Sep 17 00:00:00 2001
From: Alex Tselegidis
Date: Sat, 6 Nov 2021 13:30:12 +0100
Subject: [PATCH] Added validation to the sort direction value
---
 application/libraries/Api.php | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/application/libraries/Api.php b/application/libraries/Api.php
index 9b5a786d..c851527c 100644
--- a/application/libraries/Api.php
+++ b/application/libraries/Api.php
@@ -253,7 +253,14 @@ class Api {
 $db_field = $this->model->db_field($api_field);
- $direction = substr($sort_token, 0, 1) === '-' ? 'DESC' : 'ASC';
+ $direction_operator = substr($sort_token, 0, 1);
+
+ if ( ! in_array($direction_operator, ['-', '+']))
+ {
+ throw new InvalidArgumentException('Invalid sort direction operator provided (expected "-" or "+"): ' . $direction_operator);
+ }
+
+ $direction = $direction_operator === '-' ? 'DESC' : 'ASC';
 $order_by[] = $db_field . ' ' . $direction;
 }
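Review bot: The new check covers only the direction operator, while `$db_field` is still concatenated into the `$order_by[]` entry with no visible check that `db_field()` resolved `$api_field` to a known column. `db_field()` is defined outside this hunk, so this is hedged: if it returns null or passes an unmapped name through, the ORDER BY fragment carries an empty or caller-chosen identifier, and a guard before the append such as `if ($db_field === NULL) { throw new InvalidArgumentException('Invalid sort field provided: ' . $api_field); }` would reject it. The `in_array()` call should pass `TRUE` as its third argument so the operator is compared strictly. If `$sort_token` originates from the query string, PHP decodes a literal `+` there to a space, so ascending sorts would now need `%2B` to pass this check, which is worth documenting for API clients. The enclosing loop body starts and ends outside the hunk.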