api/graphql/resolver: sanitized search terms for SQL

Reported by SonarSource, with full disclosure to be done soon. Properly use pg's escaping mechanism to avoid SQL injection. Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>
gentoo · Mar 25, 2023 · 428b119 · 428b119
1 parent 2a0e925
commit 428b119
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/pkg/api/graphql/resolvers/resolver.go b/pkg/api/graphql/resolvers/resolver.go
@@ -219,15 +219,15 @@ func (r *queryResolver) PackageSearch(ctx context.Context, searchTerm *string, r
 			WhereOr("atom LIKE ? ", wildcardSearchTerm).
 			WhereOr("name LIKE ? ", wildcardSearchTerm).
 			Relation("PkgCheckResults").Relation("Bugs").Relation("PullRequests").Relation("ReverseDependencies").Relation("Commits").Relation("Versions").Relation("Versions.Masks").Relation("Versions.PkgCheckResults").Relation("Versions.Dependencies").Relation("PkgCheckResults").Relation("Outdated").
-			OrderExpr("name <-> '" + *searchTerm + "'").
+			OrderExpr("name <-> ?", searchTerm).
 			Limit(limit).
 			Select()
 	} else {
 		// if the query contains no wildcards do a fuzzy search
 		err = packages.BuildSearchQuery(database.DBCon.Model(&gpackages), *searchTerm).
-			WhereOr("atom LIKE ? ", "%" + *searchTerm + "%").
+			WhereOr("atom LIKE ? ", "%"+*searchTerm+"%").
 			Relation("PkgCheckResults").Relation("Bugs").Relation("PullRequests").Relation("ReverseDependencies").Relation("Commits").Relation("Versions").Relation("Versions.Masks").Relation("Versions.PkgCheckResults").Relation("Versions.Dependencies").Relation("PkgCheckResults").Relation("Outdated").
-			OrderExpr("name <-> '" + *searchTerm + "'").
+			OrderExpr("name <-> ?", searchTerm).
 			Limit(limit).
 			Select()
 	}