Add basic sanitisation to subscriber query expressions
This commit is contained in:
parent
69e5e351e0
commit
bcf35bf670
1 changed files with 19 additions and 4 deletions
@ -76,7 +76,7 @@ func handleQuerySubscribers(c echo.Context) error {
|
||||||
listID, _ = strconv.Atoi(c.FormValue("list_id"))
|
listID, _ = strconv.Atoi(c.FormValue("list_id"))
|
||||||
|
|
||||||
// The "WHERE ?" bit.
|
// The "WHERE ?" bit.
|
||||||
query = c.FormValue("query")
|
query = sanitizeSQLExp(c.FormValue("query"))
|
||||||
out subsWrap
|
out subsWrap
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -347,7 +347,7 @@ func handleDeleteSubscribersByQuery(c echo.Context) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
err := app.Queries.execSubscriberQueryTpl(req.Query,
|
err := app.Queries.execSubscriberQueryTpl(sanitizeSQLExp(req.Query),
|
||||||
app.Queries.DeleteSubscribersByQuery,
|
app.Queries.DeleteSubscribersByQuery,
|
||||||
req.ListIDs, app.DB)
|
req.ListIDs, app.DB)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -370,7 +370,7 @@ func handleBlacklistSubscribersByQuery(c echo.Context) error {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
err := app.Queries.execSubscriberQueryTpl(req.Query,
|
err := app.Queries.execSubscriberQueryTpl(sanitizeSQLExp(req.Query),
|
||||||
app.Queries.BlacklistSubscribersByQuery,
|
app.Queries.BlacklistSubscribersByQuery,
|
||||||
req.ListIDs, app.DB)
|
req.ListIDs, app.DB)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -409,7 +409,7 @@ func handleManageSubscriberListsByQuery(c echo.Context) error {
|
||||||
return echo.NewHTTPError(http.StatusBadRequest, "Invalid action.")
|
return echo.NewHTTPError(http.StatusBadRequest, "Invalid action.")
|
||||||
}
|
}
|
||||||
|
|
||||||
err := app.Queries.execSubscriberQueryTpl(req.Query, stmt, req.ListIDs, app.DB, req.TargetListIDs)
|
err := app.Queries.execSubscriberQueryTpl(sanitizeSQLExp(req.Query), stmt, req.ListIDs, app.DB, req.TargetListIDs)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return echo.NewHTTPError(http.StatusBadRequest,
|
return echo.NewHTTPError(http.StatusBadRequest,
|
||||||
fmt.Sprintf("Error: %v", err))
|
fmt.Sprintf("Error: %v", err))
|
||||||
|
@ -417,3 +417,18 @@ func handleManageSubscriberListsByQuery(c echo.Context) error {
|
||||||
|
|
||||||
return c.JSON(http.StatusOK, okResp{true})
|
return c.JSON(http.StatusOK, okResp{true})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// sanitizeSQLExp does basic sanitisation on arbitrary
|
||||||
|
// SQL query expressions coming from the frontend.
|
||||||
|
func sanitizeSQLExp(q string) string {
|
||||||
|
if len(q) == 0 {
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
q = strings.TrimSpace(q)
|
||||||
|
|
||||||
|
// Remove semicolon suffix.
|
||||||
|
if q[len(q)-1] == ';' {
|
||||||
|
q = q[:len(q)-1]
|
||||||
|
}
|
||||||
|
return q
|
||||||
|
}
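Review bot: sanitizeSQLExp panics on whitespace-only input, because the `len(q) == 0` guard runs before `strings.TrimSpace` and `q[len(q)-1]` then indexes an empty string; do the trim first and test the result, `q = strings.TrimSpace(q)` followed by `if q == "" { return "" }`. The semicolon strip removes exactly one trailing `;`, so inputs such as `x;;` still end in one; `q = strings.TrimRight(q, ";")` covers that case with the same intent. The doc comment should also state what the function is not: the value still reaches execSubscriberQueryTpl unchanged in the three earlier hunks and, going by the `// The "WHERE ?" bit.` comment, appears to be substituted into the query template, so trimming a terminator does not limit what the expression can express; I would write `// sanitizeSQLExp trims whitespace and a trailing semicolon from a query expression. It normalises input only and is not an injection guard; the expression is still executed as part of the WHERE clause.`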