Add basic sanitisation to subscriber query expressions

This commit is contained in:
Kailash Nadh 2019-07-04 17:40:55 +05:30
parent 69e5e351e0
commit bcf35bf670


@ -76,7 +76,7 @@ func handleQuerySubscribers(c echo.Context) error {
listID, _ = strconv.Atoi(c.FormValue("list_id")) listID, _ = strconv.Atoi(c.FormValue("list_id"))
// The "WHERE ?" bit. // The "WHERE ?" bit.
query = c.FormValue("query") query = sanitizeSQLExp(c.FormValue("query"))
out subsWrap out subsWrap
) )
@ -347,7 +347,7 @@ func handleDeleteSubscribersByQuery(c echo.Context) error {
return err return err
} }
err := app.Queries.execSubscriberQueryTpl(req.Query, err := app.Queries.execSubscriberQueryTpl(sanitizeSQLExp(req.Query),
app.Queries.DeleteSubscribersByQuery, app.Queries.DeleteSubscribersByQuery,
req.ListIDs, app.DB) req.ListIDs, app.DB)
if err != nil { if err != nil {
@ -370,7 +370,7 @@ func handleBlacklistSubscribersByQuery(c echo.Context) error {
return err return err
} }
err := app.Queries.execSubscriberQueryTpl(req.Query, err := app.Queries.execSubscriberQueryTpl(sanitizeSQLExp(req.Query),
app.Queries.BlacklistSubscribersByQuery, app.Queries.BlacklistSubscribersByQuery,
req.ListIDs, app.DB) req.ListIDs, app.DB)
if err != nil { if err != nil {
@ -409,7 +409,7 @@ func handleManageSubscriberListsByQuery(c echo.Context) error {
return echo.NewHTTPError(http.StatusBadRequest, "Invalid action.") return echo.NewHTTPError(http.StatusBadRequest, "Invalid action.")
} }
err := app.Queries.execSubscriberQueryTpl(req.Query, stmt, req.ListIDs, app.DB, req.TargetListIDs) err := app.Queries.execSubscriberQueryTpl(sanitizeSQLExp(req.Query), stmt, req.ListIDs, app.DB, req.TargetListIDs)
if err != nil { if err != nil {
return echo.NewHTTPError(http.StatusBadRequest, return echo.NewHTTPError(http.StatusBadRequest,
fmt.Sprintf("Error: %v", err)) fmt.Sprintf("Error: %v", err))
@ -417,3 +417,18 @@ func handleManageSubscriberListsByQuery(c echo.Context) error {
return c.JSON(http.StatusOK, okResp{true}) return c.JSON(http.StatusOK, okResp{true})
} }
// sanitizeSQLExp does basic sanitisation on arbitrary
// SQL query expressions coming from the frontend.
func sanitizeSQLExp(q string) string {
if len(q) == 0 {
return ""
}
q = strings.TrimSpace(q)
// Remove semicolon suffix.
if q[len(q)-1] == ';' {
q = q[:len(q)-1]
}
return q
}
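Review bot: sanitizeSQLExp panics on an all-whitespace expression, because the emptiness check `if len(q) == 0` runs before `strings.TrimSpace`: a value such as `"   "` passes the check, is trimmed to `""`, and `q[len(q)-1]` then indexes at -1. Trim first and test the trimmed value, `q = strings.TrimSpace(q)` followed by `if q == "" { return "" }`, so the later index is always in range. The suffix check also drops only a single `;`; `q = strings.TrimRight(q, ";")` covers repeated terminators in the same line. The doc comment should also state what the function is not, since every call site in this diff (handleQuerySubscribers, handleDeleteSubscribersByQuery, handleBlacklistSubscribersByQuery, handleManageSubscriberListsByQuery) appears to pass the result on as the raw `WHERE` expression: `// sanitizeSQLExp strips surrounding whitespace and a trailing ';' from a caller-supplied expression. It is not an injection defence; the expression is still executed as raw SQL and must be constrained by the query template and database privileges.`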