fix: remove sql injection

2025-04-03 20:47:35 +03:00 · 2020-03-25 20:33:32 -04:00 · 2020-03-25 20:33:32 -04:00 · 5331732236
commit 5331732236
parent dc973ae670
5 changed files with 43 additions and 11 deletions
--- a/persistence/album_repository.go
+++ b/persistence/album_repository.go
@ -35,10 +35,13 @@ func NewAlbumRepository(ctx context.Context, o orm.Ormer) model.AlbumRepository
 }

 func artistFilter(field string, value interface{}) Sqlizer {
-	return Or{
-		exist("from media_file where album.id = media_file.album_id and media_file.artist_id='" + value.(string) + "'"),
-		exist("from media_file where album.id = media_file.album_id and media_file.album_artist_id='" + value.(string) + "'"),
-	}
+	return Exists("media_file", And{
+		ConcatExpr("album_id=album.id"),
+		Or{
+			Eq{"artist_id": value},
+			Eq{"album_artist_id": value},
+		},
+	})
 }

 func (r *albumRepository) CountAll(options ...model.QueryOptions) (int64, error) {
--- a/persistence/artist_repository_test.go
+++ b/persistence/artist_repository_test.go
@ -24,7 +24,7 @@ var _ = Describe("ArtistRepository", func() {
 		})
 	})

-	Describe("Exist", func() {
+	Describe("Exists", func() {
 		It("returns true for an artist that is in the DB", func() {
 			Expect(repo.Exists("3")).To(BeTrue())
 		})
--- a/persistence/helpers.go
+++ b/persistence/helpers.go
@ -5,6 +5,8 @@ import (
 	"fmt"
 	"regexp"
 	"strings"
+
+	"github.com/Masterminds/squirrel"
 )

 func toSqlArgs(rec interface{}) (map[string]interface{}, error) {
@ -33,9 +35,17 @@ func toSnakeCase(str string) string {
 	return strings.ToLower(snake)
 }

-type exist string
-
-func (e exist) ToSql() (string, []interface{}, error) {
-	sql := fmt.Sprintf("exists (select 1 %s)", e)
-	return sql, nil, nil
+func Exists(subTable string, cond squirrel.Sqlizer) exists {
+	return exists{subTable: subTable, cond: cond}
+}
+
+type exists struct {
+	subTable string
+	cond     squirrel.Sqlizer
+}
+
+func (e exists) ToSql() (string, []interface{}, error) {
+	sql, args, err := e.cond.ToSql()
+	sql = fmt.Sprintf("exists (select 1 from %s where %s)", e.subTable, sql)
+	return sql, args, err
 }
--- a/persistence/helpers_test.go
+++ b/persistence/helpers_test.go
@ -0,0 +1,19 @@
+package persistence
+
+import (
+	"github.com/Masterminds/squirrel"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("Helpers", func() {
+	Describe("Exists", func() {
+		It("constructs the correct EXISTS query", func() {
+			e := Exists("album", squirrel.Eq{"id": 1})
+			sql, args, err := e.ToSql()
+			Expect(sql).To(Equal("exists (select 1 from album where id = ?)"))
+			Expect(args).To(Equal([]interface{}{1}))
+			Expect(err).To(BeNil())
+		})
+	})
+})
--- a/persistence/playlist_repository_test.go
+++ b/persistence/playlist_repository_test.go
@ -21,7 +21,7 @@ var _ = Describe("PlaylistRepository", func() {
 		})
 	})

-	Describe("Exist", func() {
+	Describe("Exists", func() {
 		It("returns true for an existing playlist", func() {
 			Expect(repo.Exists("11")).To(BeTrue())
 		})