Merge pull request #2893 from tboerger/feature/sql-security
Try to make the SQL queries cleaner and more secure
This commit is contained in:
commit
7f26ae0b45
|
@ -5,7 +5,6 @@
|
||||||
package models
|
package models
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"bytes"
|
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
|
@ -513,7 +512,7 @@ func Issues(opts *IssuesOptions) ([]*Issue, error) {
|
||||||
if len(opts.RepoIDs) == 0 {
|
if len(opts.RepoIDs) == 0 {
|
||||||
return make([]*Issue, 0), nil
|
return make([]*Issue, 0), nil
|
||||||
}
|
}
|
||||||
sess.Where("issue.repo_id IN ("+strings.Join(base.Int64sToStrings(opts.RepoIDs), ",")+")").And("issue.is_closed=?", opts.IsClosed)
|
sess.In("issue.repo_id", base.Int64sToStrings(opts.RepoIDs)).And("issue.is_closed=?", opts.IsClosed)
|
||||||
} else {
|
} else {
|
||||||
sess.Where("issue.is_closed=?", opts.IsClosed)
|
sess.Where("issue.is_closed=?", opts.IsClosed)
|
||||||
}
|
}
|
||||||
|
@ -548,27 +547,16 @@ func Issues(opts *IssuesOptions) ([]*Issue, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
labelIDs := base.StringsToInt64s(strings.Split(opts.Labels, ","))
|
labelIDs := base.StringsToInt64s(strings.Split(opts.Labels, ","))
|
||||||
if len(labelIDs) > 0 {
|
if len(labelIDs) > 1 {
|
||||||
validJoin := false
|
sess.Join("INNER", "issue_label", "issue.id = issue_label.issue_id").In("issue_label.label_id", labelIDs)
|
||||||
queryStr := "issue.id=issue_label.issue_id"
|
|
||||||
for _, id := range labelIDs {
|
|
||||||
if id == 0 {
|
|
||||||
continue
|
|
||||||
}
|
|
||||||
validJoin = true
|
|
||||||
queryStr += " AND issue_label.label_id=" + com.ToStr(id)
|
|
||||||
}
|
|
||||||
if validJoin {
|
|
||||||
sess.Join("INNER", "issue_label", queryStr)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if opts.IsMention {
|
if opts.IsMention {
|
||||||
queryStr := "issue.id=issue_user.issue_id AND issue_user.is_mentioned=1"
|
sess.Join("INNER", "issue_user", "issue.id = issue_user.issue_id AND issue_user.is_mentioned = 1")
|
||||||
|
|
||||||
if opts.UserID > 0 {
|
if opts.UserID > 0 {
|
||||||
queryStr += " AND issue_user.uid=" + com.ToStr(opts.UserID)
|
sess.Where("issue_user.uid = ?", opts.UserID)
|
||||||
}
|
}
|
||||||
sess.Join("INNER", "issue_user", queryStr)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
issues := make([]*Issue, 0, setting.IssuePagingNum)
|
issues := make([]*Issue, 0, setting.IssuePagingNum)
|
||||||
|
@ -684,18 +672,8 @@ func GetIssueUserPairsByRepoIds(rids []int64, isClosed bool, page int) ([]*Issue
|
||||||
return []*IssueUser{}, nil
|
return []*IssueUser{}, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
buf := bytes.NewBufferString("")
|
|
||||||
for _, rid := range rids {
|
|
||||||
buf.WriteString("repo_id=")
|
|
||||||
buf.WriteString(com.ToStr(rid))
|
|
||||||
buf.WriteString(" OR ")
|
|
||||||
}
|
|
||||||
cond := strings.TrimSuffix(buf.String(), " OR ")
|
|
||||||
ius := make([]*IssueUser, 0, 10)
|
ius := make([]*IssueUser, 0, 10)
|
||||||
sess := x.Limit(20, (page-1)*20).Where("is_closed=?", isClosed)
|
sess := x.Limit(20, (page-1)*20).Where("is_closed=?", isClosed).In("repo_id", rids)
|
||||||
if len(cond) > 0 {
|
|
||||||
sess.And(cond)
|
|
||||||
}
|
|
||||||
err := sess.Find(&ius)
|
err := sess.Find(&ius)
|
||||||
return ius, err
|
return ius, err
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue