From bcf35bf6705a3293e63d23b9d5fac5728000f384 Mon Sep 17 00:00:00 2001 From: Kailash Nadh Date: Thu, 4 Jul 2019 17:40:55 +0530 Subject: [PATCH] Add basic sanitisation to subscriber query expressions --- subscribers.go | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/subscribers.go b/subscribers.go index fa51956..b447e1a 100644 --- a/subscribers.go +++ b/subscribers.go @@ -76,7 +76,7 @@ func handleQuerySubscribers(c echo.Context) error { listID, _ = strconv.Atoi(c.FormValue("list_id")) // The "WHERE ?" bit. - query = c.FormValue("query") + query = sanitizeSQLExp(c.FormValue("query")) out subsWrap ) @@ -347,7 +347,7 @@ func handleDeleteSubscribersByQuery(c echo.Context) error { return err } - err := app.Queries.execSubscriberQueryTpl(req.Query, + err := app.Queries.execSubscriberQueryTpl(sanitizeSQLExp(req.Query), app.Queries.DeleteSubscribersByQuery, req.ListIDs, app.DB) if err != nil { @@ -370,7 +370,7 @@ func handleBlacklistSubscribersByQuery(c echo.Context) error { return err } - err := app.Queries.execSubscriberQueryTpl(req.Query, + err := app.Queries.execSubscriberQueryTpl(sanitizeSQLExp(req.Query), app.Queries.BlacklistSubscribersByQuery, req.ListIDs, app.DB) if err != nil { @@ -409,7 +409,7 @@ func handleManageSubscriberListsByQuery(c echo.Context) error { return echo.NewHTTPError(http.StatusBadRequest, "Invalid action.") } - err := app.Queries.execSubscriberQueryTpl(req.Query, stmt, req.ListIDs, app.DB, req.TargetListIDs) + err := app.Queries.execSubscriberQueryTpl(sanitizeSQLExp(req.Query), stmt, req.ListIDs, app.DB, req.TargetListIDs) if err != nil { return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("Error: %v", err)) 
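Review bot: The `query` form value and `req.Query` still reach the database layer as a raw SQL expression after being wrapped in `sanitizeSQLExp`, which by its own body only trims whitespace and one trailing semicolon; this applies to all four call sites (`handleQuerySubscribers`, `handleDeleteSubscribersByQuery`, `handleBlacklistSubscribersByQuery`, `handleManageSubscriberListsByQuery`). Judging by the `// The "WHERE ?" bit.` comment and the `execSubscriberQueryTpl` name, the string is presumably spliced into a statement template, so the effective controls have to sit elsewhere: admin-only access to these routes and a least-privilege database role, with the delete and blacklist paths deserving the most care. I would state that at the first call site, e.g. `// query is a raw SQL expression from the client; sanitizeSQLExp only trims it and is not an injection defence.` The handler bodies continue outside these hunks, so how the expression is executed is not visible here.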
@@ -417,3 +417,18 @@ func handleManageSubscriberListsByQuery(c echo.Context) error { return c.JSON(http.StatusOK, okResp{true}) } + +// sanitizeSQLExp does basic sanitisation on arbitrary +// SQL query expressions coming from the frontend. +func sanitizeSQLExp(q string) string { + if len(q) == 0 { + return "" + } + q = strings.TrimSpace(q) + + // Remove semicolon suffix. + if q[len(q)-1] == ';' { + q = q[:len(q)-1] + } + return q +}
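Review bot: `sanitizeSQLExp` panics on whitespace-only input, because the `len(q) == 0` guard runs before `strings.TrimSpace`; a value such as a single space becomes empty after trimming and `q[len(q)-1]` then indexes out of range. The argument comes straight from the request at every call site, so trim first or replace the body with `return strings.TrimSuffix(strings.TrimSpace(q), ";")`, which needs no length check. The function also removes only one trailing semicolon and leaves interior ones untouched, so the doc comment should say that it normalises the expression and does not defend against injected SQL.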