
Commit 8bb5cb3

authored
prevent one more Page.Column sql injection (#35)
1 parent 2638db4 commit 8bb5cb3


2 files changed

+33
-0
lines changed


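--- a/page.go
+++ b/page.go
@@ -41,6 +41,7 @@ func (s Sort) String() string {
 var _MatcherOrderBy = regexp.MustCompile(`-?([a-zA-Z0-9]+)`)
 
 func NewSort(s string) (Sort, bool) {
+s = strings.TrimSpace(s)
 if s == "" || !_MatcherOrderBy.MatchString(s) {
 return Sort{}, false
 }
@@ -81,6 +82,7 @@ func (p *Page) GetOrder(defaultSort ...string) []Sort {
 // if page has sort, use it
 if p != nil && len(p.Sort) != 0 {
 for i, s := range p.Sort {
+s.Column = strings.TrimSpace(s.Column)
 s.Column = pgx.Identifier(strings.Split(s.Column, ".")).Sanitize()
 p.Sort[i] = s
 }
@@ -99,7 +101,12 @@ func (p *Page) GetOrder(defaultSort ...string) []Sort {
 // use column
 sort := make([]Sort, 0)
 for _, part := range strings.Split(p.Column, ",") {
+part = strings.TrimSpace(part)
+if part == "" {
+continue
+}
 if s, ok := NewSort(part); ok {
+s.Column = pgx.Identifier(strings.Split(s.Column, ".")).Sanitize()
 sort = append(sort, s)
 }
 }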
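Review bot: `_MatcherOrderBy` is unanchored, so the `!_MatcherOrderBy.MatchString(s)` check in NewSort (hunk 1) rejects only strings that contain no alphanumeric character at all; the value the new test pushes through `p.Column`, `id; DROP TABLE users;--`, passes it, and the only thing keeping that text out of the SQL is the `pgx.Identifier(...).Sanitize()` quoting added in hunk 3. Anchoring the pattern, e.g. `^-?[a-zA-Z0-9]+(\.[a-zA-Z0-9]+)*$` (add `_` if snake_case names are expected), would make NewSort reject such input up front instead of sending a quoted but nonexistent identifier to the database; NewSort's body continues outside the hunk, so confirm Column is taken from the whole string and not a capture group before relying on this. A smaller inconsistency in hunk 2: `p.Sort` entries are now trimmed, but unlike the `p.Column` parts in hunk 3 an empty `s.Column` is not skipped, so it is sanitized to the zero-length quoted identifier `""` and carried into ORDER BY, which PostgreSQL will reject; a `if s.Column == "" { continue }` style filter (or dropping the entry) before the Sanitize call would match hunk 3's handling.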

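--- a/page_test.go
+++ b/page_test.go
@@ -61,3 +61,29 @@ func TestInvalidSort(t *testing.T) {
 require.Equal(t, "SELECT * FROM t ORDER BY \"ID; DROP TABLE users;\" ASC, \"name\" DESC LIMIT 11 OFFSET 0", sql)
 require.Empty(t, args)
 }
+
+func TestPageColumnInjection(t *testing.T) {
+paginator := pgkit.NewPaginator[T]()
+page := pgkit.NewPage(0, 0)
+page.Column = "id; DROP TABLE users;--"
+
+_, query := paginator.PrepareQuery(sq.Select("*").From("t"), page)
+
+sql, args, err := query.ToSql()
+require.NoError(t, err)
+require.Equal(t, "SELECT * FROM t ORDER BY \"id; DROP TABLE users;--\" ASC LIMIT 11 OFFSET 0", sql)
+require.Empty(t, args)
+}
+
+func TestPageColumnSpaces(t *testing.T) {
+paginator := pgkit.NewPaginator[T]()
+page := pgkit.NewPage(0, 0)
+page.Column = "id, name"
+
+_, query := paginator.PrepareQuery(sq.Select("*").From("t"), page)
+
+sql, args, err := query.ToSql()
+require.NoError(t, err)
+require.Equal(t, "SELECT * FROM t ORDER BY \"id\" ASC, \"name\" ASC LIMIT 11 OFFSET 0", sql)
+require.Empty(t, args)
+}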
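Review bot: TestPageColumnInjection only shows that a value containing no double quote gets wrapped in quotes; the property that actually protects ORDER BY, that an embedded `"` cannot close the identifier early, is not exercised. A second case with `page.Column = "id\"; DROP TABLE users;--"` asserting the identifier comes back as `\"id\"\"; DROP TABLE users;--\"` (Sanitize doubles embedded quotes) would pin that behaviour against future changes to the sanitizing call. A dotted name such as `t.id` is also worth a case, since GetOrder splits Column on `.` before sanitizing and none of these tests cover that path.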
