Prevent low-risk SQL injection from roomId values when entered into the config (#1619)

* Prevent SQL injection from roomId values when checking room visibility

* Add newsfile

* Update newsfile

* Update 1619.bugfix

Co-authored-by: Will Hunt <will@half-shot.uk>
Christian Paul and Half-Shot committed Sep 26, 2022
1 parent 8fdffdd commit 179313a
Showing 2 changed files with 4 additions and 2 deletions.
1 change: 1 addition & 0 deletions changelog.d/1619.bugfix
@@ -0,0 +1 @@
Prevent possible attack by provisisioning a room with a specific roomID.
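Review bot: the changelog line has a typo ("provisisioning") and is vaguer than the commit title about what the attack is; since a bugfix newsfile is what users read, name the issue. Suggested wording: `Prevent a low-risk SQL injection via roomId values entered into the config when checking room visibility.`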
5 changes: 3 additions & 2 deletions src/datastore/postgres/PgDataStore.ts
@@ -661,8 +661,9 @@ export class PgDataStore implements DataStore {

public async getRoomsVisibility(roomIds: string[]) {
const map: {[roomId: string]: "public"|"private"} = {};
const list = `('${roomIds.join("','")}')`;
const res = await this.pgPool.query(`SELECT room_id, visibility FROM room_visibility WHERE room_id IN ${list}`);
const res = await this.pgPool.query("SELECT room_id, visibility FROM room_visibility WHERE room_id IN $1", [
roomIds,
]);
for (const row of res.rows) {
map[row.room_id] = row.visibility ? "public" : "private";
}
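Review bot: `WHERE room_id IN $1` is not valid PostgreSQL syntax, so the new parameterized query will fail at runtime with a syntax error rather than return visibility rows: `IN` accepts only a parenthesized value list or a subquery, not a single bound parameter. Replacing the string interpolation with a bound parameter is the right fix, but the operator has to change to match an array argument: `SELECT room_id, visibility FROM room_visibility WHERE room_id = ANY($1)` with `[roomIds]` as the values, which node-postgres serializes as a `text[]` literal; `= ANY` of an empty array simply matches nothing, so an empty `roomIds` is safe too. A test that calls `getRoomsVisibility` against a real database would have caught this, since the query text is only validated when it is executed.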
