llvy.ltd/casdoor
1
0
Fork 0
mirror of https://github.com/casdoor/casdoor.git synced 2025-07-02 11:20:18 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: fix the SQL injection vulnerability in field filter (#442)

Browse Source 
Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com>
This commit is contained in:
Yixiang Zhao
2022-01-26 19:36:36 +08:00
committed by GitHub
parent 051752340d
commit 5ec0c7a890
14 changed files with 31 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
object/adapter.go
View File

@ -190,12 +190,17 @@ func (a *Adapter) createTable() {
}
func GetSession(owner string, offset, limit int, field, value, sortField, sortOrder string) *xorm.Session {
session := adapter.Engine.Limit(limit, offset).Where("1=1")
session := adapter.Engine.Prepare()
if offset != -1 && limit != -1 {
session.Limit(limit, offset)
}
if owner != "" {
session = session.And("owner=?", owner)
}
if field != "" && value != "" {
session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
if filterField(field) {
session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
}
}
if sortField == "" || sortOrder == "" {
sortField = "created_time"
@ -206,4 +211,4 @@ func GetSession(owner string, offset, limit int, field, value, sortField, sortOr
session = session.Desc(util.SnakeString(sortField))
}
return session
}
}