Merge pull request #2893 from tboerger/feature/sql-security

Try to make the SQL queries cleaner and more secure
This commit is contained in:
Unknwon 2016-03-27 17:40:28 -04:00
commit 7f26ae0b45
1 changed files with 7 additions and 29 deletions


@ -5,7 +5,6 @@
package models package models
import ( import (
"bytes"
"errors" "errors"
"fmt" "fmt"
"io" "io"
@ -513,7 +512,7 @@ func Issues(opts *IssuesOptions) ([]*Issue, error) {
if len(opts.RepoIDs) == 0 { if len(opts.RepoIDs) == 0 {
return make([]*Issue, 0), nil return make([]*Issue, 0), nil
} }
sess.Where("issue.repo_id IN ("+strings.Join(base.Int64sToStrings(opts.RepoIDs), ",")+")").And("issue.is_closed=?", opts.IsClosed) sess.In("issue.repo_id", base.Int64sToStrings(opts.RepoIDs)).And("issue.is_closed=?", opts.IsClosed)
} else { } else {
sess.Where("issue.is_closed=?", opts.IsClosed) sess.Where("issue.is_closed=?", opts.IsClosed)
} }
@ -548,27 +547,16 @@ func Issues(opts *IssuesOptions) ([]*Issue, error) {
} }
labelIDs := base.StringsToInt64s(strings.Split(opts.Labels, ",")) labelIDs := base.StringsToInt64s(strings.Split(opts.Labels, ","))
if len(labelIDs) > 0 { if len(labelIDs) > 1 {
validJoin := false sess.Join("INNER", "issue_label", "issue.id = issue_label.issue_id").In("issue_label.label_id", labelIDs)
queryStr := "issue.id=issue_label.issue_id"
for _, id := range labelIDs {
if id == 0 {
continue
}
validJoin = true
queryStr += " AND issue_label.label_id=" + com.ToStr(id)
}
if validJoin {
sess.Join("INNER", "issue_label", queryStr)
}
} }
if opts.IsMention { if opts.IsMention {
queryStr := "issue.id=issue_user.issue_id AND issue_user.is_mentioned=1" sess.Join("INNER", "issue_user", "issue.id = issue_user.issue_id AND issue_user.is_mentioned = 1")
if opts.UserID > 0 { if opts.UserID > 0 {
queryStr += " AND issue_user.uid=" + com.ToStr(opts.UserID) sess.Where("issue_user.uid = ?", opts.UserID)
} }
sess.Join("INNER", "issue_user", queryStr)
} }
issues := make([]*Issue, 0, setting.IssuePagingNum) issues := make([]*Issue, 0, setting.IssuePagingNum)
@ -684,18 +672,8 @@ func GetIssueUserPairsByRepoIds(rids []int64, isClosed bool, page int) ([]*Issue
return []*IssueUser{}, nil return []*IssueUser{}, nil
} }
buf := bytes.NewBufferString("")
for _, rid := range rids {
buf.WriteString("repo_id=")
buf.WriteString(com.ToStr(rid))
buf.WriteString(" OR ")
}
cond := strings.TrimSuffix(buf.String(), " OR ")
ius := make([]*IssueUser, 0, 10) ius := make([]*IssueUser, 0, 10)
sess := x.Limit(20, (page-1)*20).Where("is_closed=?", isClosed) sess := x.Limit(20, (page-1)*20).Where("is_closed=?", isClosed).In("repo_id", rids)
if len(cond) > 0 {
sess.And(cond)
}
err := sess.Find(&ius) err := sess.Find(&ius)
return ius, err return ius, err
} }
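Review bot: At `if len(labelIDs) > 1 {` the label filter is silently skipped when exactly one label id is requested, where the old `> 0` applied it; unless the intent is to special-case the single-element slice that an empty opts.Labels presumably yields through strings.Split, the condition should read `if len(labelIDs) > 0 {` with zero ids dropped from labelIDs beforehand, as the removed loop did with its `if id == 0 { continue }`. The `In("issue_label.label_id", labelIDs)` rewrite also changes the semantics from the old per-label AND chain to an any-of match, and an INNER JOIN on issue_label can yield one row per matching label for the same issue, so a distinct or GROUP BY on issue.id is worth confirming. In the mention branch, `sess.Where("issue_user.uid = ?", opts.UserID)` follows the earlier `sess.Where(...)` calls from the first hunk; if this ORM's `Where` replaces the existing clause rather than appending to it (the first hunk's own `.Where(...).And(...)` chain hints at that distinction), the repo and is_closed filters would be lost, and the line should be `sess.And("issue_user.uid = ?", opts.UserID)`. The enclosing Issues function starts and ends outside these hunks.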