fix: remove sql injection
@@ -35,10 +35,13 @@ func NewAlbumRepository(ctx context.Context, o orm.Ormer) model.AlbumRepository
|
|||||||
}
|
}
|
||||||
|
|
||||||
func artistFilter(field string, value interface{}) Sqlizer {
|
func artistFilter(field string, value interface{}) Sqlizer {
|
||||||
return Or{
|
return Exists("media_file", And{
|
||||||
exist("from media_file where album.id = media_file.album_id and media_file.artist_id='" + value.(string) + "'"),
|
ConcatExpr("album_id=album.id"),
|
||||||
exist("from media_file where album.id = media_file.album_id and media_file.album_artist_id='" + value.(string) + "'"),
|
Or{
|
||||||
}
|
Eq{"artist_id": value},
|
||||||
|
Eq{"album_artist_id": value},
|
||||||
|
},
|
||||||
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
func (r *albumRepository) CountAll(options ...model.QueryOptions) (int64, error) {
|
func (r *albumRepository) CountAll(options ...model.QueryOptions) (int64, error) {
|
||||||
|
|||||||
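Review bot: artistFilter has no doc comment explaining what the new predicate matches or why value is now passed to `Eq{}` instead of being concatenated; since this is the injection fix itself, that intent should be recorded next to the code, e.g. `// artistFilter matches albums with at least one media_file whose artist_id or album_artist_id equals value. value is bound as a query parameter and must never be spliced into the SQL string.` The raw fragment `ConcatExpr("album_id=album.id")` is a constant so it is safe, but the unqualified `album_id` relies on the subquery's inner scope; the old SQL spelled it out, and `ConcatExpr("media_file.album_id = album.id")` would keep that readability without changing the query. Note also that because value is `interface{}`, `Eq` will render a slice as `IN (...)` and nil as `IS NULL`, which the old `value.(string)` code would have rejected — presumably acceptable, but worth confirming with the callers.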
@@ -24,7 +24,7 @@ var _ = Describe("ArtistRepository", func() {
|
|||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
Describe("Exist", func() {
|
Describe("Exists", func() {
|
||||||
It("returns true for an artist that is in the DB", func() {
|
It("returns true for an artist that is in the DB", func() {
|
||||||
Expect(repo.Exists("3")).To(BeTrue())
|
Expect(repo.Exists("3")).To(BeTrue())
|
||||||
})
|
})
|
||||||
|
|||||||
+15
-5
@@ -5,6 +5,8 @@ import (
|
|||||||
"fmt"
|
"fmt"
|
||||||
"regexp"
|
"regexp"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
|
"github.com/Masterminds/squirrel"
|
||||||
)
|
)
|
||||||
|
|
||||||
func toSqlArgs(rec interface{}) (map[string]interface{}, error) {
|
func toSqlArgs(rec interface{}) (map[string]interface{}, error) {
|
||||||
@@ -33,9 +35,17 @@ func toSnakeCase(str string) string {
|
|||||||
return strings.ToLower(snake)
|
return strings.ToLower(snake)
|
||||||
}
|
}
|
||||||
|
|
||||||
type exist string
|
func Exists(subTable string, cond squirrel.Sqlizer) exists {
|
||||||
|
return exists{subTable: subTable, cond: cond}
|
||||||
func (e exist) ToSql() (string, []interface{}, error) {
|
}
|
||||||
sql := fmt.Sprintf("exists (select 1 %s)", e)
|
|
||||||
return sql, nil, nil
|
type exists struct {
|
||||||
|
subTable string
|
||||||
|
cond squirrel.Sqlizer
|
||||||
|
}
|
||||||
|
|
||||||
|
func (e exists) ToSql() (string, []interface{}, error) {
|
||||||
|
sql, args, err := e.cond.ToSql()
|
||||||
|
sql = fmt.Sprintf("exists (select 1 from %s where %s)", e.subTable, sql)
|
||||||
|
return sql, args, err
|
||||||
}
|
}
|
||||||
|
|||||||
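Review bot: `exists.ToSql` still formats and returns the SQL string when `e.cond.ToSql()` has already failed, and `subTable` is spliced into the statement with `fmt.Sprintf` rather than bound as a parameter — that is unavoidable for an identifier, but nothing in the code says so. Return early on the error, and document on `Exists` that `subTable` must be a constant table name never taken from request input, since only the values inside `cond` are parameterized. `Exists` is also an exported constructor returning the unexported `exists` type, which golint flags; exporting the type (or returning `squirrel.Sqlizer`) would avoid that.
```go
// Exists builds an `exists (select 1 from <subTable> where <cond>)` predicate.
// subTable is spliced into the SQL verbatim and must be a constant table name,
// never caller-supplied input; only the values in cond are bound as parameters.
func Exists(subTable string, cond squirrel.Sqlizer) exists {
	return exists{subTable: subTable, cond: cond}
}

// … unchanged: exists struct …

func (e exists) ToSql() (string, []interface{}, error) {
	sql, args, err := e.cond.ToSql()
	if err != nil {
		return "", nil, err
	}
	return fmt.Sprintf("exists (select 1 from %s where %s)", e.subTable, sql), args, nil
}
```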
@@ -0,0 +1,19 @@
|
|||||||
|
package persistence
|
||||||
|
|
||||||
|
import (
|
||||||
|
"github.com/Masterminds/squirrel"
|
||||||
|
. "github.com/onsi/ginkgo"
|
||||||
|
. "github.com/onsi/gomega"
|
||||||
|
)
|
||||||
|
|
||||||
|
var _ = Describe("Helpers", func() {
|
||||||
|
Describe("Exists", func() {
|
||||||
|
It("constructs the correct EXISTS query", func() {
|
||||||
|
e := Exists("album", squirrel.Eq{"id": 1})
|
||||||
|
sql, args, err := e.ToSql()
|
||||||
|
Expect(sql).To(Equal("exists (select 1 from album where id = ?)"))
|
||||||
|
Expect(args).To(Equal([]interface{}{1}))
|
||||||
|
Expect(err).To(BeNil())
|
||||||
|
})
|
||||||
|
})
|
||||||
|
})
|
||||||
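Review bot: The new test only checks the happy-path shape with an integer value; since the commit's purpose is to stop string values from being interpolated into the SQL, it should also pin that a string containing quote characters comes back as a `?` placeholder with the raw value in args, so a future regression to concatenation fails the suite. An error-propagation case (a `Sqlizer` whose `ToSql` returns an error) would be a useful third case, though there is no such stub in the file yet.
```go
// … unchanged: "constructs the correct EXISTS query" case …

It("binds string values as parameters instead of interpolating them", func() {
	e := Exists("media_file", squirrel.Eq{"artist_id": "x' or 1=1 --"})
	sql, args, err := e.ToSql()
	Expect(err).To(BeNil())
	Expect(sql).To(Equal("exists (select 1 from media_file where artist_id = ?)"))
	Expect(args).To(Equal([]interface{}{"x' or 1=1 --"}))
})
```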
@@ -21,7 +21,7 @@ var _ = Describe("PlaylistRepository", func() {
|
|||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
Describe("Exist", func() {
|
Describe("Exists", func() {
|
||||||
It("returns true for an existing playlist", func() {
|
It("returns true for an existing playlist", func() {
|
||||||
Expect(repo.Exists("11")).To(BeTrue())
|
Expect(repo.Exists("11")).To(BeTrue())
|
||||||
})
|
})
|
||||||
|
|||||||