filter out transferred + sql injection fixes
Wojciech Kicior authored and Wojciech Kicior committed Feb 18, 2014
1 parent bd5cdc7 commit 91097e2
Showing 3 changed files with 35 additions and 6 deletions.
30 changes: 25 additions & 5 deletions lib/common.rb
Expand Up @@ -503,12 +503,15 @@ def select_transfer_status_desc(status_id)
end

def insert_file_status(transfer_id, file, status_id, status_time)
@db.exec("INSERT into fb_file_status (transfer_id, filename, status_id, status_time) VALUES (#{transfer_id}, '#{file}', #{status_id}, '#{status_time}')")
sql = "INSERT into fb_file_status (transfer_id, filename, status_id, status_time) VALUES ($1::int, $2::text, $3::int, $4::timestamp)"
@db.exec(sql, [transfer_id, file, status_id, status_time])
end

def update_file_status(transfer_id, file, status_id, status_time)
if @db.exec("SELECT * FROM fb_file_status WHERE transfer_id=#{transfer_id} AND filename='#{file}'").count > 0
@db.exec("UPDATE fb_file_status SET status_id=#{status_id}, status_time='#{status_time}' WHERE transfer_id=#{transfer_id} AND filename='#{file}'")
sql_count = "SELECT * FROM fb_file_status WHERE transfer_id=$1::int AND filename=$2::text"
if @db.exec(sql_count, [transfer_id, file]).count > 0
sql_update = "UPDATE fb_file_status SET status_id=$1::int, status_time=$2::timestamp WHERE transfer_id=$3::int AND filename=$4::text"
@db.exec(sql_update, [status_id, status_time, transfer_id, file])
else
insert_file_status(transfer_id, file, status_id, status_time)
end
Expand Down Expand Up @@ -555,6 +558,23 @@ def select_running_transfers_by_source(status_id, source_id, source_path)
@db.exec("SELECT fb_transfer.transfer_id FROM fb_transfer, fb_transfer_status WHERE fb_transfer.source_id=#{source_id} AND fb_transfer_status.status_id=#{status_id} AND fb_transfer.source_path='#{source_path}' AND fb_transfer.transfer_id=fb_transfer_status.transfer_id")
end

def select_files_by_transfer_status(status_id, source_id, source_path, file_name)
sql = "
SELECT
fb_transfer.transfer_id,
fb_file_status.filename,
fb_file_status.status_time
FROM
fb_transfer, fb_transfer_status, public.fb_file_status
WHERE fb_transfer.source_id = $1::bigint
AND fb_transfer_status.status_id = $2::int
AND fb_transfer.source_path = $3::text
AND fb_transfer.transfer_id = fb_transfer_status.transfer_id
AND fb_file_status.filename = $4::text
AND fb_file_status.transfer_id = fb_transfer.transfer_id"
@db.exec(sql, [source_id, status_id, source_path, file_name])
end

def select_running_transfers
sql = "
SELECT DISTINCT
Expand Down Expand Up @@ -745,9 +765,9 @@ def select_transfer_files(transfer_id)
public.fb_file_status_dict
WHERE
fb_file_status.status_id = fb_file_status_dict.status_id AND
fb_file_status.transfer_id = #{transfer_id}
fb_file_status.transfer_id = $1::int
ORDER BY fb_file_status.filename ASC"
@db.exec(sql)
@db.exec(sql, [transfer_id])
end

def add_client(client)
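Review bot: The unchanged `select_running_transfers_by_source` shown as context at the top of the second hunk still interpolates `source_id`, `status_id` and `source_path` directly into the SQL string, so the injection fix this commit applies to the neighbouring methods is incomplete in this file. Whether `source_path` reaches this method from the request or from the stored account record is not visible here, but the same value is already bound as `$3::text` a few lines below in the new `select_files_by_transfer_status`, so the parameterized form is established and costs nothing to apply. Suggested replacement: `sql = "SELECT fb_transfer.transfer_id FROM fb_transfer, fb_transfer_status WHERE fb_transfer.source_id=$1::int AND fb_transfer_status.status_id=$2::int AND fb_transfer.source_path=$3::text AND fb_transfer.transfer_id=fb_transfer_status.transfer_id"` followed by `@db.exec(sql, [source_id, status_id, source_path])`. Separately, the new query casts `source_id` as `$1::bigint` while every other new placeholder for an id column in this file uses `::int`; presumably harmless, but worth aligning with the actual column type so the cast does not silently narrow or widen values.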
10 changes: 9 additions & 1 deletion lib/filebroker.rb
Expand Up @@ -1228,6 +1228,7 @@ def do_list(soap_body)
req['login'] = soap_body.xpath("//#{prefix}:Login/text()").to_s
req['password'] = soap_body.xpath("//#{prefix}:Password/text()").to_s
req['path'] = soap_body.xpath("//#{prefix}:Path/text()").to_s
req['filter_out_transferred'] = soap_body.xpath("//#{prefix}:FilterOutTransferred/text()").to_s

begin
source = @db.select_account(req)
Expand Down Expand Up @@ -1269,13 +1270,20 @@ def do_list(soap_body)
# Convert time format
list.map { |j| j['mtime'] = DateTime.parse(j['mtime']) }

# Remove currently transferred files
# Remove currently transferring files
@db.select_running_transfers_by_source(FBService::TRANSFER_RUNNING, source['account_id'], source['path']).each { |i|
@db.select_transfer_files(i['transfer_id']).each { |j|
list.delete_if { |k| k['name'] == j['filename'] }
}
}

# Remove already transferred files - optional depends on FilterOutTransferred option
if source['filter_out_transferred'] == 'true'
list.delete_if { |k|
@db.select_files_by_transfer_status(FBService::TRANSFER_COMPLETED_SUCCESSFULLY, source['account_id'], source['path'], k['name']).ntuples() > 0
}
end

# Remove temporary files
list.delete_if { |j| j['name'] =~ /\.partial$/ }

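Review bot: The new filter at the bottom of the second hunk tests `source['filter_out_transferred']`, but the request value is stored in `req['filter_out_transferred']` on the first added line and `source` is whatever `@db.select_account(req)` returns; this commit does not change `select_account`, so unless that helper already copies request keys through (not visible here) the condition can never be true and the option is dead. The comparison is also a strict `== 'true'`, while the schema in this same commit declares the element as `xs:boolean`, whose lexical space includes `1` alongside `true`, so a schema-valid `<FilterOutTransferred>1</FilterOutTransferred>` would be ignored. A minimal fix for both is `if %w[true 1].include?(req['filter_out_transferred'])`. The block also issues one `select_files_by_transfer_status` query per file in `list`, an N+1 pattern; fetching the completed filenames for this source once into a `Set` and filtering against it would keep the listing cost independent of the directory size. `do_list` begins and ends outside the hunk.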
1 change: 1 addition & 0 deletions public/filebroker_service.xsd
Expand Up @@ -1352,6 +1352,7 @@
<xs:element name="Login" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="Password" type="xs:string" minOccurs="0" maxOccurs="1" />
<xs:element name="Path" type="xs:string" minOccurs="1" maxOccurs="1" />
<xs:element name="FilterOutTransferred" type="xs:boolean" minOccurs="0" maxOccurs="1" />
</xs:sequence>
</xs:complexType>

