Add basic sanitisation to subscriber query expressions
This commit is contained in:
parent
69e5e351e0
commit
bcf35bf670
@ -76,7 +76,7 @@ func handleQuerySubscribers(c echo.Context) error {
|
|||
listID, _ = strconv.Atoi(c.FormValue("list_id"))
|
||||
|
||||
// The "WHERE ?" bit.
|
||||
query = c.FormValue("query")
|
||||
query = sanitizeSQLExp(c.FormValue("query"))
|
||||
out subsWrap
|
||||
)
|
||||
|
||||
|
@ -347,7 +347,7 @@ func handleDeleteSubscribersByQuery(c echo.Context) error {
|
|||
return err
|
||||
}
|
||||
|
||||
err := app.Queries.execSubscriberQueryTpl(req.Query,
|
||||
err := app.Queries.execSubscriberQueryTpl(sanitizeSQLExp(req.Query),
|
||||
app.Queries.DeleteSubscribersByQuery,
|
||||
req.ListIDs, app.DB)
|
||||
if err != nil {
|
||||
|
@ -370,7 +370,7 @@ func handleBlacklistSubscribersByQuery(c echo.Context) error {
|
|||
return err
|
||||
}
|
||||
|
||||
err := app.Queries.execSubscriberQueryTpl(req.Query,
|
||||
err := app.Queries.execSubscriberQueryTpl(sanitizeSQLExp(req.Query),
|
||||
app.Queries.BlacklistSubscribersByQuery,
|
||||
req.ListIDs, app.DB)
|
||||
if err != nil {
|
||||
|
@ -409,7 +409,7 @@ func handleManageSubscriberListsByQuery(c echo.Context) error {
|
|||
return echo.NewHTTPError(http.StatusBadRequest, "Invalid action.")
|
||||
}
|
||||
|
||||
err := app.Queries.execSubscriberQueryTpl(req.Query, stmt, req.ListIDs, app.DB, req.TargetListIDs)
|
||||
err := app.Queries.execSubscriberQueryTpl(sanitizeSQLExp(req.Query), stmt, req.ListIDs, app.DB, req.TargetListIDs)
|
||||
if err != nil {
|
||||
return echo.NewHTTPError(http.StatusBadRequest,
|
||||
fmt.Sprintf("Error: %v", err))
|
||||
|
@ -417,3 +417,18 @@ func handleManageSubscriberListsByQuery(c echo.Context) error {
|
|||
|
||||
return c.JSON(http.StatusOK, okResp{true})
|
||||
}
|
||||
|
||||
// sanitizeSQLExp does basic sanitisation on arbitrary
|
||||
// SQL query expressions coming from the frontend.
|
||||
func sanitizeSQLExp(q string) string {
|
||||
if len(q) == 0 {
|
||||
return ""
|
||||
}
|
||||
q = strings.TrimSpace(q)
|
||||
|
||||
// Remove semicolon suffix.
|
||||
if q[len(q)-1] == ';' {
|
||||
q = q[:len(q)-1]
|
||||
}
|
||||
return q
|
||||
}
|
||||
|
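Review bot: Whitespace-only input makes sanitizeSQLExp index out of range: the `len(q) == 0` guard runs before `strings.TrimSpace`, so a value such as `"  "` is trimmed to the empty string and `q[len(q)-1]` then panics, and since every caller in this commit passes raw request input, that is a request-triggerable panic (whether it takes the process down depends on whether a recover middleware is installed, which the hunk does not show). Move the trim above the guard so the check sees the trimmed value, e.g. `q = strings.TrimSpace(q)` / `if q == "" { return "" }` / `return strings.TrimSuffix(q, ";")`, which is otherwise behaviour-identical. The function also does much less than its name and the commit title suggest: it removes one trailing semicolon and nothing else, so the expression still reaches execSubscriberQueryTpl essentially verbatim; the doc comment should state that plainly, e.g. `// sanitizeSQLExp trims whitespace and a single trailing semicolon. It is not an injection defence: callers must stay limited to trusted admin users and the expression should execute under a least-privilege database role.` The four handler hunks above each sit inside a function whose body starts and ends outside the hunk.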
|