Fix bypass via nested query parameters #420

Merged: tudor-timcu merged 1 commit into main from fix/recursive-array-serialization-nested-bypass on May 21, 2026

@PopoviciMarian (Contributor) commented Apr 30, 2026

Make ArrayToJson recursive so all string leaf values are included regardless of nesting depth. Add tests for nested GET and POST parameter injection.

Summary by Aikido

Security Issues: 0 🔍 Quality Issues: 2 Resolved Issues: 0

⚡ Enhancements

  • Added ZvalToJsonValue helper with depth limit and type checks

🐛 Bugfixes

  • Fixed nested query parameter bypass by making ArrayToJson recursive

Comment thread lib/php-extension/Utils.cpp
@tudor-timcu tudor-timcu merged commit 81a1e5e into main May 21, 2026
476 of 477 checks passed
@tudor-timcu tudor-timcu deleted the fix/recursive-array-serialization-nested-bypass branch May 21, 2026 14:52
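
The change the pull request description names (collecting string leaves at every nesting level, with a depth limit) is sketched below as an added example; it is not the project's code, whose diff is not shown on this page. `Param`, `kMaxDepth`, the function names and the sample inputs are hypothetical, and the non-recursive function is an assumed model of a collector that stops at the top level.

```cpp
#include <string>
#include <vector>

// Constructed model of a parsed request parameter: a string leaf, or an
// array of further parameters (as in filter[user][name]=...).
struct Param {
    std::string key;
    std::string value;            // meaningful only when children is empty
    std::vector<Param> children;  // non-empty for array values
};
const int kMaxDepth = 8;  // assumed limit for this sketch, not the project's value

// Non-recursive collection: leaves inside nested arrays are never returned.
std::vector<std::string> CollectTopLevel(const std::vector<Param>& params) {
    std::vector<std::string> out;
    for (const Param& p : params)
        if (p.children.empty()) out.push_back(p.value);
    return out;
}

// Recursive collection of every string leaf. Returns false when the depth
// limit cut the walk short, so the caller can fail closed.
bool CollectLeaves(const Param& p, int depth, std::vector<std::string>& out) {
    if (depth > kMaxDepth) return false;
    if (p.children.empty()) { out.push_back(p.value); return true; }
    bool complete = true;
    for (const Param& c : p.children) complete = CollectLeaves(c, depth + 1, out) && complete;
    return complete;
}

bool CollectAllLeaves(const std::vector<Param>& params, std::vector<std::string>& out) {
    bool complete = true;
    for (const Param& p : params) complete = CollectLeaves(p, 0, out) && complete;
    return complete;
}

// Constructed input: ?id=1&filter[user][name]=UNTRUSTED_LEAF
std::vector<Param> SampleQuery() {
    Param name{"name", "UNTRUSTED_LEAF", {}};
    Param user{"user", "", {name}};
    Param filter{"filter", "", {user}};
    return {Param{"id", "1", {}}, filter};
}
// Constructed input: one leaf wrapped in `levels` nested arrays.
std::vector<Param> NestedChain(int levels) {
    Param p{"leaf", "DEEP_LEAF", {}};
    for (int i = 0; i < levels; ++i) p = Param{"wrap", "", {p}};
    return {p};
}
```

A depth limit reintroduces a blind spot past the limit unless the caller treats a `false` return as a reason to reject or flag the request rather than inspecting the partial result.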