fix: remove sql injection

navidrome · Mar 26, 2020 · 5331732 · 5331732
1 parent dc973ae
commit 5331732
Show file tree

Hide file tree

Showing 5 changed files with 42 additions and 10 deletions.
diff --git a/persistence/album_repository.go b/persistence/album_repository.go
@@ -35,10 +35,13 @@ func NewAlbumRepository(ctx context.Context, o orm.Ormer) model.AlbumRepository
 }
 
 func artistFilter(field string, value interface{}) Sqlizer {
-	return Or{
-		exist("from media_file where album.id = media_file.album_id and media_file.artist_id='" + value.(string) + "'"),
-		exist("from media_file where album.id = media_file.album_id and media_file.album_artist_id='" + value.(string) + "'"),
-	}
+	return Exists("media_file", And{
+		ConcatExpr("album_id=album.id"),
+		Or{
+			Eq{"artist_id": value},
+			Eq{"album_artist_id": value},
+		},
+	})
 }
 
 func (r *albumRepository) CountAll(options ...model.QueryOptions) (int64, error) {

diff --git a/persistence/artist_repository_test.go b/persistence/artist_repository_test.go
@@ -24,7 +24,7 @@ var _ = Describe("ArtistRepository", func() {
 		})
 	})
 
-	Describe("Exist", func() {
+	Describe("Exists", func() {
 		It("returns true for an artist that is in the DB", func() {
 			Expect(repo.Exists("3")).To(BeTrue())
 		})

diff --git a/persistence/helpers.go b/persistence/helpers.go
@@ -5,6 +5,8 @@ import (
 	"fmt"
 	"regexp"
 	"strings"
+
+	"github.com/Masterminds/squirrel"
 )
 
 func toSqlArgs(rec interface{}) (map[string]interface{}, error) {
@@ -33,9 +35,17 @@ func toSnakeCase(str string) string {
 	return strings.ToLower(snake)
 }
 
-type exist string
+func Exists(subTable string, cond squirrel.Sqlizer) exists {
+	return exists{subTable: subTable, cond: cond}
+}
+
+type exists struct {
+	subTable string
+	cond     squirrel.Sqlizer
+}
 
-func (e exist) ToSql() (string, []interface{}, error) {
-	sql := fmt.Sprintf("exists (select 1 %s)", e)
-	return sql, nil, nil
+func (e exists) ToSql() (string, []interface{}, error) {
+	sql, args, err := e.cond.ToSql()
+	sql = fmt.Sprintf("exists (select 1 from %s where %s)", e.subTable, sql)
+	return sql, args, err
 }
diff --git a/persistence/helpers_test.go b/persistence/helpers_test.go
@@ -0,0 +1,19 @@
+package persistence
+
+import (
+	"github.com/Masterminds/squirrel"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("Helpers", func() {
+	Describe("Exists", func() {
+		It("constructs the correct EXISTS query", func() {
+			e := Exists("album", squirrel.Eq{"id": 1})
+			sql, args, err := e.ToSql()
+			Expect(sql).To(Equal("exists (select 1 from album where id = ?)"))
+			Expect(args).To(Equal([]interface{}{1}))
+			Expect(err).To(BeNil())
+		})
+	})
+})
diff --git a/persistence/playlist_repository_test.go b/persistence/playlist_repository_test.go
@@ -21,7 +21,7 @@ var _ = Describe("PlaylistRepository", func() {
 		})
 	})
 
-	Describe("Exist", func() {
+	Describe("Exists", func() {
 		It("returns true for an existing playlist", func() {
 			Expect(repo.Exists("11")).To(BeTrue())
 		})