fix: fix the SQL injection vulnerability in field filter (#442)

Signed-off-by: Yixiang Zhao <seriouszyx@foxmail.com>
2025-07-02 19:40:19 +08:00 · 2022-01-26 19:36:36 +08:00
parent 051752340d
commit 5ec0c7a890
14 changed files with 31 additions and 59 deletions
--- a/object/user.go
+++ b/object/user.go
@ -89,10 +89,7 @@ type User struct {
 }

 func GetGlobalUserCount(field, value string) int {
-	session := adapter.Engine.Where("1=1")
-	if field != "" && value != "" {
-		session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
-	}
+	session := GetSession("", -1, -1, field, value, "", "")
 	count, err := session.Count(&User{})
 	if err != nil {
 		panic(err)
@ -123,10 +120,7 @@ func GetPaginationGlobalUsers(offset, limit int, field, value, sortField, sortOr
 }

 func GetUserCount(owner, field, value string) int {
-	session := adapter.Engine.Where("owner=?", owner)
-	if field != "" && value != "" {
-		session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
-	}
+	session := GetSession(owner, -1, -1, field, value, "", "")
 	count, err := session.Count(&User{})
 	if err != nil {
 		panic(err)