From 5ad24449bd5e2e4f4cc1314e1369dead8e621f4c Mon Sep 17 00:00:00 2001 From: everclear Date: Thu, 4 Feb 2016 19:24:38 +0000 Subject: [PATCH] Removed guessing numeric type from a string. This type of guess work is dangerous. It could lead to the situation where input is accepted from a query string for an primary key query, but is injected into the SQL string directly. /api/user/10 db.Find(&user, "10") // SELECT * FROM users WHERE id = 10; /api/user/1=1 db.Find(&user, "1=1") // SELECT * FROM users WHERE "1=1"; which is equivalent to // SELECT * FROM users It shouldn't behave differently based on the content of the string passed to it. Especially when that has a security implication. If the user want's to pass a int, they should pass that type. --- scope_private.go | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/scope_private.go b/scope_private.go index fa5d5f44..976109a7 100644 --- a/scope_private.go +++ b/scope_private.go @@ -17,10 +17,7 @@ func (scope *Scope) primaryCondition(value interface{}) string { func (scope *Scope) buildWhereCondition(clause map[string]interface{}) (str string) { switch value := clause["query"].(type) { case string: - // if string is number - if regexp.MustCompile("^\\s*\\d+\\s*$").MatchString(value) { - return scope.primaryCondition(scope.AddToVars(value)) - } else if value != "" { + if value != "" { str = fmt.Sprintf("(%v)", value) } case int, int8, int16, int32, int64, uint, uint8, uint16, uint32, uint64, sql.NullInt64: