
Commit b55f606

authored
Merge pull request #10280 from gyohuangxin/fix_sql_injection_2
Fix more SQL injections
2 parents c54bc36 + 2a583c4 commit b55f606


3 files changed

+8
-3
lines changed


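--- a/mesheryctl/pkg/utils/helpers.go
+++ b/mesheryctl/pkg/utils/helpers.go
@@ -547,7 +547,10 @@ func ClearLine() {
 clearCmd = exec.Command("cmd", "/c", "cls") // for Windows
 }
 clearCmd.Stdout = os.Stdout
-_ = clearCmd.Run()
+err := clearCmd.Run()
+if err != nil {
+log.Fatal(err)
+}
 }
 
 // StringContainedInSlice returns the index in which a string is a substring in a list of strings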
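Review bot: `log.Fatal(err)` turns a failure of the screen-clear command into process termination, which is a harsh outcome for a cosmetic helper: if `clear`/`cls` is not on PATH or stdout is not a terminal, the CLI now exits instead of carrying on. Prefer a non-fatal report, e.g. `log.Print(err)` if `log` is the standard library (or the warn level of the project's logger), or have ClearLine return the error so the caller decides. The commit title is about SQL injection while this hunk looks like an unrelated unchecked-error fix; it would be worth naming in the description. ClearLine begins outside the hunk.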

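--- a/server/handlers/meshsync_handler.go
+++ b/server/handlers/meshsync_handler.go
@@ -225,6 +225,7 @@ func (h *Handler) GetMeshSyncResourcesKinds(rw http.ResponseWriter, r *http.Requ
 result = result.Offset(offset)
 }
 
+order = models.SanitizeOrderInput(order, []string{"created_at", "updated_at", "name"})
 if order != "" {
 if sort == "desc" {
 result = result.Order(clause.OrderByColumn{Column: clause.Column{Name: order}, Desc: true})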
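Review bot: The allow-list `[]string{"created_at", "updated_at", "name"}` added here is the same literal that appears in server/models/events_persister.go in this commit; a single exported constant next to SanitizeOrderInput would keep the two in step when a sortable column is added and make the accepted set auditable in one place. If SanitizeOrderInput returns an empty string for a value outside the list (its body is not visible here), the following `if order != ""` silently drops the requested ordering rather than rejecting it; consider answering 400 when the caller supplied a non-empty `order` that was sanitized away, so unexpected values are surfaced instead of hidden. GetMeshSyncResourcesKinds begins before and ends after the hunk.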

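--- a/server/models/events_persister.go
+++ b/server/models/events_persister.go
@@ -68,10 +68,11 @@ func (e *EventsPersister) GetAllEvents(eventsFilter *events.EventsFilter, userID
 finder = finder.Where("status = ?", eventsFilter.Status)
 }
 
+sortOn := SanitizeOrderInput(eventsFilter.SortOn, []string{"created_at", "updated_at", "name"})
 if eventsFilter.Order == "asc" {
-finder = finder.Order(eventsFilter.SortOn)
+finder = finder.Order(sortOn)
 } else {
-finder = finder.Order(clause.OrderByColumn{Column: clause.Column{Name: eventsFilter.SortOn}, Desc: true})
+finder = finder.Order(clause.OrderByColumn{Column: clause.Column{Name: sortOn}, Desc: true})
 }
 
 var count int64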
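Review bot: Unlike server/handlers/meshsync_handler.go in this same commit, the ordering here is applied unconditionally, so if SanitizeOrderInput returns an empty string for a disallowed value (its behaviour is not visible in the hunk), the else branch builds `clause.OrderByColumn{Column: clause.Column{Name: ""}}` and emits an ORDER BY on an empty column name, which the database will reject. Guard it the same way the handler does, `if sortOn != "" { ... }` around the asc/else block, or have the sanitizer fall back to a default such as `"created_at"` and document that contract in its doc comment. Note also that the asc branch passes `sortOn` to `Order` as a plain string, so the allow-list is the only thing standing between caller input and the generated SQL; the sanitizer must reject anything not in the list exactly rather than normalising it. The list literal duplicates the handler's and belongs in one shared constant. GetAllEvents begins before and ends after the hunk.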
