fix: cwe89 sql injection (#8762)

Author: klesh

backend/server/services/pushapi.go

@@ -18,12 +18,32 @@ limitations under the License.
 package services
 
 import (
+	"regexp"
+	"strings"
+
 	"github.com/apache/incubator-devlake/core/dal"
 	"github.com/apache/incubator-devlake/core/errors"
 )
 
 // InsertRow FIXME ...
 func InsertRow(table string, rows []map[string]interface{}) (int64, errors.Error) {
+	if !regexp.MustCompile(`^[a-zA-Z0-9_]+$`).MatchString(table) {
+		return 0, errors.BadInput.New("table name invalid")
+	}
+
+	if allowedTables := cfg.GetString("PUSH_API_ALLOWED_TABLES"); allowedTables != "" {
+		allow := false
+		for _, t := range strings.Split(allowedTables, ",") {
+			if strings.TrimSpace(t) == table {
+				allow = true
+				break
+			}
+		}
+		if !allow {
+			return 0, errors.Forbidden.New("table name is not in the allowed list")
+		}
+	}
+
 	err := db.Create(rows, dal.From(table))
 	if err != nil {
 		return 0, err

env.example

@@ -34,6 +34,7 @@ SKIP_SUBTASK_PROGRESS=false
 PORT=8080
 MODE=release
 
+# PUSH_API_ALLOWED_TABLES=table1,table2
 NOTIFICATION_ENDPOINT=
 NOTIFICATION_SECRET=