Fix destroyDeletedRecords vulnerability
radex committed Jun 1, 2020
1 parent 66c95f8 commit 924c7ae
Showing 2 changed files with 27 additions and 2 deletions.
4 changes: 2 additions & 2 deletions native/ios/WatermelonDB/DatabaseDriver.swift
Expand Up @@ -128,8 +128,8 @@ class DatabaseDriver {

func destroyDeletedRecords(table: Database.TableName, records: [RecordId]) throws {
// TODO: What's the behavior if record doesn't exist or isn't actually deleted?
let recordIds = records.map { id in "'\(id)'" }.joined(separator: ",")
try database.execute("delete from \(table) where id in (\(recordIds))")
let recordPlaceholders = records.map { _ in "?" }.joined(separator: ",")
try database.execute("delete from \(table) where id in (\(recordPlaceholders))", records)
}

// MARK: - LocalStorage
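Review bot: Binding one `?` per id means a large `records` array exceeds SQLite's bound-parameter limit (SQLITE_MAX_VARIABLE_NUMBER, 999 on older builds) and the whole `database.execute` call fails, whereas the old interpolated statement had no such ceiling; chunk the ids so each statement binds a bounded number of parameters. `table` is still interpolated into the SQL text; a table name cannot be bound, so this function or its caller should check it against the schema's known table names (I'm assuming `Database.TableName` is a plain string alias — its declaration is outside the hunk). The surviving `// TODO` still applies to the new statement: `delete … where id in (…)` removes any matching row whether or not it is marked deleted, and ids with no row are a no-op; a doc comment on the function stating that would settle it.
```swift
func destroyDeletedRecords(table: Database.TableName, records: [RecordId]) throws {
    // … unchanged: TODO comment …
    // Bind one `?` per id, in chunks, so large batches stay under SQLite's
    // bound-parameter limit (SQLITE_MAX_VARIABLE_NUMBER).
    let chunkSize = 500  // constructed value: comfortably below SQLite's default limit
    for start in stride(from: 0, to: records.count, by: chunkSize) {
        let chunk = Array(records[start..<min(start + chunkSize, records.count)])
        let recordPlaceholders = chunk.map { _ in "?" }.joined(separator: ",")
        try database.execute("delete from \(table) where id in (\(recordPlaceholders))", chunk)
    }
}
```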
25 changes: 25 additions & 0 deletions src/adapters/__tests__/commonTests.js
Expand Up @@ -439,6 +439,31 @@ export default () => [
expect(await adapter.find('tasks', 't2')).toBeNull()
},
],
[
'destroyDeletedRecords can handle unsafe strings',
async adapter => {
const m1 = mockTaskRaw({ id: 't1', text1: 'bar1', order: 1 })
const m2 = mockTaskRaw({ id: 't2', text1: 'bar2', order: 2 })
const m3 = mockTaskRaw({ id: 't3', text1: 'bar3', order: 3 })
await adapter.batch([
['create', 'tasks', m1],
['create', 'tasks', m2],
['create', 'tasks', m3],
])
await adapter.batch([
['markAsDeleted', 'tasks', m1.id],
['markAsDeleted', 'tasks', m2.id],
['markAsDeleted', 'tasks', m3.id],
])

await adapter.destroyDeletedRecords('tasks', ['\') or 1=1 --'])
expectSortedEqual(await adapter.getDeletedRecords('tasks'), ['t1', 't2', 't3'])
expectSortedEqual(await adapter.query(taskQuery()), [])

await adapter.destroyDeletedRecords('tasks', ['\'); insert into tasks (id) values (\'t4\') --'])
expectSortedEqual(await adapter.query(taskQuery()), [])
},
],
[
'can run mixed batches',
async _adapter => {
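Review bot: The final assertion only checks that `query(taskQuery())` is empty, so it would miss an injected `t4` row if `taskQuery()` excludes rows whose status column is unset (I can't see `taskQuery` from this hunk), and it never re-checks that the three deleted records survived the second payload. Adding `expectSortedEqual(await adapter.getDeletedRecords('tasks'), ['t1', 't2', 't3'])` after the second `destroyDeletedRecords` call, plus a direct lookup such as `expect(await adapter.find('tasks', 't4')).toBeNull()`, pins both outcomes. The test name promises "unsafe strings" but only exercises the id argument; the table-name argument is still spliced into SQL by interpolation in the native driver, which is outside this test's reach and worth a comment here so nobody reads this test as covering it.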
