tablet/gorm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Removed guessing numeric type from a string.

Browse Source 
This type of guess work is dangerous. It could lead to the situation where input is accepted from a query string for an primary key query, but is injected into the SQL string directly.

/api/user/10
db.Find(&user, "10")  // SELECT * FROM users WHERE id = 10;

/api/user/1=1
db.Find(&user, "1=1")  // SELECT * FROM users WHERE "1=1";

which is equivalent to 
// SELECT * FROM users

It shouldn't behave differently based on the content of the string passed to it. Especially when that has a security implication. If the user want's to pass a int, they should pass that type.
This commit is contained in:
everclear 2016-02-04 19:24:38 +00:00
parent d1fcba9bfc
commit 5ad24449bd
1 changed files with 1 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
scope_private.go
View File

@ -17,10 +17,7 @@ func (scope *Scope) primaryCondition(value interface{}) string {
func (scope *Scope) buildWhereCondition(clause map[string]interface{}) (str string) { func (scope *Scope) buildWhereCondition(clause map[string]interface{}) (str string) {
switch value := clause["query"].(type) { switch value := clause["query"].(type) {
case string: case string:
// if string is number if value != "" {
if regexp.MustCompile("^\\s*\\d+\\s*$").MatchString(value) {
return scope.primaryCondition(scope.AddToVars(value))
} else if value != "" {
str = fmt.Sprintf("(%v)", value) str = fmt.Sprintf("(%v)", value)
} }
case int, int8, int16, int32, int64, uint, uint8, uint16, uint32, uint64, sql.NullInt64: case int, int8, int16, int32, int64, uint, uint8, uint16, uint32, uint64, sql.NullInt64: