Improve SQL sanitization

persistence/sql_base_repository.go

@@ -19,11 +19,25 @@ import (
 	"github.com/pocketbase/dbx"
 )
 
+// sqlRepository is the base repository for all SQL repositories. It provides common functions to interact with the DB.
+// When creating a new repository using this base, you must:
+//
+//   - Embed this struct.
+//   - Set ctx and db fields. ctx should be the context passed to the constructor method, usually obtained from the request
+//   - Call registerModel with the model instance and any possible filters.
+//   - If the model has a different table name than the default (lowercase of the model name), it should be set manually
+//     using the tableName field.
+//   - Sort mappings should be set in the sortMappings field. If the sort field is not in the map, it will be used as is.
+//
+// All fields in filters and sortMappings must be in snake_case. Only sorts and filters based on real field names or
+// defined in the mappings will be allowed.
 type sqlRepository struct {
-	ctx          context.Context
-	tableName    string
-	db           dbx.Builder
-	sortMappings map[string]string
+	ctx                context.Context
+	tableName          string
+	db                 dbx.Builder
+	sortMappings       map[string]string
+	filterMappings     map[string]filterFunc
+	isFieldWhiteListed fieldWhiteListedFunc
 }
 
 const invalidUserId = "-1"
@@ -44,6 +58,16 @@ func loggedUser(ctx context.Context) *model.User {
 	}
 }
 
+func (r *sqlRepository) registerModel(instance any, filters map[string]filterFunc) {
+	if r.tableName == "" {
+		r.tableName = strings.TrimPrefix(reflect.TypeOf(instance).String(), "*model.")
+		r.tableName = toSnakeCase(r.tableName)
+	}
+	r.tableName = strings.ToLower(r.tableName)
+	r.isFieldWhiteListed = registerModelWhiteList(instance)
+	r.filterMappings = filters
+}
+
 func (r sqlRepository) getTableName() string {
 	return r.tableName
 }