Add basic sanitisation to subscriber query expressions

This commit is contained in:
Kailash Nadh 2019-07-04 17:40:55 +05:30
parent 69e5e351e0
commit bcf35bf670


@ -76,7 +76,7 @@ func handleQuerySubscribers(c echo.Context) error {
listID, _ = strconv.Atoi(c.FormValue("list_id"))
// The "WHERE ?" bit.
query = c.FormValue("query")
query = sanitizeSQLExp(c.FormValue("query"))
out subsWrap
)
@ -347,7 +347,7 @@ func handleDeleteSubscribersByQuery(c echo.Context) error {
return err
}
err := app.Queries.execSubscriberQueryTpl(req.Query,
err := app.Queries.execSubscriberQueryTpl(sanitizeSQLExp(req.Query),
app.Queries.DeleteSubscribersByQuery,
req.ListIDs, app.DB)
if err != nil {
@ -370,7 +370,7 @@ func handleBlacklistSubscribersByQuery(c echo.Context) error {
return err
}
err := app.Queries.execSubscriberQueryTpl(req.Query,
err := app.Queries.execSubscriberQueryTpl(sanitizeSQLExp(req.Query),
app.Queries.BlacklistSubscribersByQuery,
req.ListIDs, app.DB)
if err != nil {
@ -409,7 +409,7 @@ func handleManageSubscriberListsByQuery(c echo.Context) error {
return echo.NewHTTPError(http.StatusBadRequest, "Invalid action.")
}
err := app.Queries.execSubscriberQueryTpl(req.Query, stmt, req.ListIDs, app.DB, req.TargetListIDs)
err := app.Queries.execSubscriberQueryTpl(sanitizeSQLExp(req.Query), stmt, req.ListIDs, app.DB, req.TargetListIDs)
if err != nil {
return echo.NewHTTPError(http.StatusBadRequest,
fmt.Sprintf("Error: %v", err))
@ -417,3 +417,18 @@ func handleManageSubscriberListsByQuery(c echo.Context) error {
return c.JSON(http.StatusOK, okResp{true})
}
// sanitizeSQLExp does basic sanitisation on arbitrary
// SQL query expressions coming from the frontend.
func sanitizeSQLExp(q string) string {
if len(q) == 0 {
return ""
}
q = strings.TrimSpace(q)
// Remove semicolon suffix.
if q[len(q)-1] == ';' {
q = q[:len(q)-1]
}
return q
}
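Review bot: sanitizeSQLExp panics on whitespace-only input: the empty check runs before `strings.TrimSpace`, so a query of `"  "` becomes `""` and the following `q[len(q)-1]` indexes out of range; since this value arrives from `c.FormValue("query")` and `req.Query` in the other hunks, any caller can trigger it. Trim first and then test for empty, `q = strings.TrimSpace(q)` / `if q == "" { return "" }`, and the tail strip can become `return strings.TrimSuffix(q, ";")`, which also removes the manual index. The doc comment overstates what the function does — it only trims whitespace and one trailing semicolon and leaves the rest of the expression to be interpolated by execSubscriberQueryTpl — so I would word it as `// sanitizeSQLExp trims surrounding whitespace and a single trailing semicolon from a frontend query expression; it does not validate the expression itself.` so later readers do not treat the call sites as a guarantee that the expression is safe.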