Enforce whitelist for sort values (#4865)

This commit is contained in:
WithoutPants
2024-05-22 14:59:08 +10:00
committed by GitHub
parent 865208844c
commit 89553864f5
11 changed files with 275 additions and 27 deletions


@@ -42,6 +42,30 @@ func getPaginationSQL(page int, perPage int) string {
return " LIMIT " + strconv.Itoa(perPage) + " OFFSET " + strconv.Itoa(page) + " "
}
const randomSeedPrefix = "random_" // prefix for random sort
type sortOptions []string
func (o sortOptions) validateSort(sort string) error {
if strings.HasPrefix(sort, randomSeedPrefix) {
// seed as a parameter from the UI
seedStr := sort[len(randomSeedPrefix):]
_, err := strconv.ParseUint(seedStr, 10, 64)
if err != nil {
return fmt.Errorf("invalid random seed: %s", seedStr)
}
return nil
}
for _, v := range o {
if v == sort {
return nil
}
}
return fmt.Errorf("invalid sort: %s", sort)
}
func getSortDirection(direction string) string {
if direction != "ASC" && direction != "DESC" {
return "ASC"
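Review bot: The two error returns in validateSort interpolate the rejected, caller-supplied value with `%s`, so an empty string, whitespace or control characters are invisible in the resulting message; `%q` quotes and escapes them, `return fmt.Errorf("invalid random seed: %q", seedStr)` and `return fmt.Errorf("invalid sort: %q", sort)`. The new type and method also carry no doc comments; I would add `// sortOptions is the whitelist of sort field names accepted by a query.` on the type and `// validateSort returns nil if sort is a whitelisted option or a random_<seed> value whose seed is a decimal uint64; any other value is rejected.` on the method. Whether every path that reaches getSort first calls validateSort is decided by call sites outside this hunk, so the whitelist only protects SQL construction if that wiring is complete.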
@@ -52,8 +76,6 @@ func getSortDirection(direction string) string {
func getSort(sort string, direction string, tableName string) string {
direction = getSortDirection(direction)
const randomSeedPrefix = "random_"
switch {
case strings.HasSuffix(sort, "_count"):
var relationTableName = strings.TrimSuffix(sort, "_count") // TODO: pluralize?