From 9e79b5cbf2a48c1e4344df00fea4ed3844ea965d Mon Sep 17 00:00:00 2001
From: Deluan <deluan@navidrome.org>
Date: Tue, 18 Jan 2022 21:20:26 -0500
Subject: [PATCH] Fix potential SQL injection in Smart Playlists

---
 model/criteria/criteria.go | 10 +++++++---
 scanner/tag_scanner.go     |  2 +-
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/model/criteria/criteria.go b/model/criteria/criteria.go
index 0d3c72957..c59c392a3 100644
--- a/model/criteria/criteria.go
+++ b/model/criteria/criteria.go
@@ -28,8 +28,8 @@ func (c Criteria) OrderBy() string {
 	f := fieldMap[strings.ToLower(c.Sort)]
 	var mapped string
 	if f == nil {
-		log.Error("Invalid field in 'sort' field", "field", c.Sort)
-		mapped = c.Sort
+		log.Error("Invalid field in 'sort' field. Using 'title'", "sort", c.Sort)
+		mapped = fieldMap["title"].field
 	} else {
 		if f.order == "" {
 			mapped = f.field
@@ -38,7 +38,11 @@ func (c Criteria) OrderBy() string {
 		}
 	}
 	if c.Order != "" {
-		mapped = mapped + " " + c.Order
+		if strings.EqualFold(c.Order, "asc") || strings.EqualFold(c.Order, "desc") {
+			mapped = mapped + " " + c.Order
+		} else {
+			log.Error("Invalid value in 'order' field. Valid values: 'asc', 'desc'", "order", c.Order)
+		}
 	}
 	return mapped
 }
diff --git a/scanner/tag_scanner.go b/scanner/tag_scanner.go
index 0e0ed7f8e..8f022d70f 100644
--- a/scanner/tag_scanner.go
+++ b/scanner/tag_scanner.go
@@ -72,7 +72,7 @@ func (s *TagScanner) Scan(ctx context.Context, lastModifiedSince time.Time, prog
 	ctx = s.withAdminUser(ctx)
 	start := time.Now()
 
-	// Special case: if lastModifiedSInce is zero, re-import all files
+	// Special case: if lastModifiedSince is zero, re-import all files
 	fullScan := lastModifiedSince.IsZero()
 
 	allDBDirs, err := s.getDBDirTree(ctx)