From 13672bccf4022edfdfdbef8ff490345e8e73c3d8 Mon Sep 17 00:00:00 2001
From: Hank Grabowski
Date: Tue, 28 Feb 2023 13:10:45 -0500
Subject: [PATCH] Only allow explicitly known order types through

---
 src/Module/BaseApi.php | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/Module/BaseApi.php b/src/Module/BaseApi.php
index bfcb95eb2e..2be5c246a2 100644
--- a/src/Module/BaseApi.php
+++ b/src/Module/BaseApi.php
@@ -129,7 +129,18 @@ class BaseApi extends BaseModule
 $condition = DBA::mergeConditions($condition, ["`uri-id` > ?", intval($request['min_id'])]);
 }
 } else {
- $order_field = $requested_order;
+ switch ($requested_order) {
+ case TimelineOrderByTypes::RECEIVED:
+ case TimelineOrderByTypes::CHANGED:
+ case TimelineOrderByTypes::EDITED:
+ case TimelineOrderByTypes::CREATED:
+ case TimelineOrderByTypes::COMMENTED:
+ $order_field = $requested_order;
+ break;
+ default:
+ throw new \Exception("Unrecognized request order: $requested_order");
+ }
+
 if (!empty($request['max_id'])) {
 $condition = DBA::mergeConditions($condition, ["`$order_field` < ?", DateTimeFormat::convert($request['max_id'], DateTimeFormat::MYSQL)]);
 }
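Review bot: The allow-list is the right fix, since `$order_field` is interpolated as a backtick-quoted column name in the `DBA::mergeConditions` call just below, but the new `switch` compares with loose `==`, so the check should be strict to rule out any non-string `$requested_order` (e.g. a boolean `true`) slipping through; `if (!in_array($requested_order, [TimelineOrderByTypes::RECEIVED, TimelineOrderByTypes::CHANGED, TimelineOrderByTypes::EDITED, TimelineOrderByTypes::CREATED, TimelineOrderByTypes::COMMENTED], true)) { throw new \Exception('Unrecognized request order'); }` followed by `$order_field = $requested_order;` also reads more compactly. The `default` branch echoes the raw request value into the exception message; unless the API layer is known to suppress exception text from responses, leaving it out (or logging it separately) avoids reflecting unvalidated input, and a project-specific 4xx exception type, if one exists, would be a better fit than bare `\Exception`. Where `$requested_order` is derived is outside the hunk, and the enclosing method of `BaseApi` both starts and ends outside it.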