fix: ensure the list sort query is validated to prevent SQL injection

Credits to @jorgectf for the advisories.
Hintay 2023-12-20 04:52:02 +09:00
parent 827e76c46e
commit ec93ab05a3
No known key found for this signature in database
GPG key ID: 120FC7FF121F2F2D
2 changed files with 34 additions and 10 deletions


@ -10,8 +10,10 @@ import (
"gorm.io/gen"
"gorm.io/gorm"
gormlogger "gorm.io/gorm/logger"
"gorm.io/gorm/schema"
"path"
"strings"
"sync"
"time"
)
@ -100,9 +102,19 @@ func SortOrder(c *gin.Context) func(db *gorm.DB) *gorm.DB {
func OrderAndPaginate(c *gin.Context) func(db *gorm.DB) *gorm.DB {
return func(db *gorm.DB) *gorm.DB {
sort := c.DefaultQuery("order", "desc")
if sort != "desc" && sort != "asc" {
sort = "desc"
}
order := fmt.Sprintf("`%s` %s", DefaultQuery(c, "sort_by", "id"), sort)
db = db.Order(order)
// check if the order field is valid
order := c.DefaultQuery("sort_by", "id")
s, _ := schema.Parse(db.Model, &sync.Map{}, schema.NamingStrategy{})
if _, ok := s.FieldsByName[order]; ok {
order = fmt.Sprintf("%s %s", order, sort)
db = db.Order(order)
} else {
logger.Error("invalid order field: ", order)
}
page := cast.ToInt(c.Query("page"))
if page == 0 {