fix: fix the SQL injection vulnerability in field filter (#442)

Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com>
Yixiang Zhao
2022-01-26 19:36:36 +08:00
committed by GitHub
parent 051752340d
commit 5ec0c7a890
14 changed files with 31 additions and 59 deletions


@ -15,8 +15,6 @@
package object
import (
"fmt"
"github.com/casdoor/casdoor/cred"
"github.com/casdoor/casdoor/util"
"xorm.io/core"
@ -39,10 +37,7 @@ type Organization struct {
}
func GetOrganizationCount(owner, field, value string) int {
session := adapter.Engine.Where("owner=?", owner)
if field != "" && value != "" {
session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
}
session := GetSession(owner, -1, -1, field, value, "", "")
count, err := session.Count(&Organization{})
if err != nil {
panic(err)