From e9f89baba31dfae9c022bb1b9f6313f0da414ba6 Mon Sep 17 00:00:00 2001
From: Tsu-ba-me
Date: Wed, 4 Oct 2023 02:29:46 -0400
Subject: [PATCH] fix(striker-ui-api): correct escape single quote in SQL inputs

---
 .../src/lib/request_handlers/fence/createFence.ts | 15 ++++++++++-----
 striker-ui-api/src/lib/sanitizeSQLParam.ts | 2 +-
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/striker-ui-api/src/lib/request_handlers/fence/createFence.ts b/striker-ui-api/src/lib/request_handlers/fence/createFence.ts
index 02766bf8..3425de71 100644
--- a/striker-ui-api/src/lib/request_handlers/fence/createFence.ts
+++ b/striker-ui-api/src/lib/request_handlers/fence/createFence.ts
@@ -7,9 +7,11 @@ import { getFenceSpec, timestamp, write } from '../../accessModule';
 import { sanitize } from '../../sanitize';
 import { stderr, stdoutVar, uuid } from '../../shell';
 
-const handleNumberType = (v: unknown) => String(sanitize(v, 'number'));
+const handleNumberType = (v: unknown) =>
+  String(sanitize(v, 'number', { modifierType: 'sql' }));
 
-const handleStringType = (v: unknown) => sanitize(v, 'string');
+const handleStringType = (v: unknown) =>
+  sanitize(v, 'string', { modifierType: 'sql' });
 
 const MAP_TO_VAR_TYPE: Record<
   AnvilDataFenceParameterType,
@@ -46,9 +48,12 @@ export const createFence: RequestHandler<
     return response.status(500).send();
   }
 
-  const agent = sanitize(rAgent, 'string');
-  const name = sanitize(rName, 'string');
-  const fenceUuid = sanitize(rUuid, 'string', { fallback: uuid() });
+  const agent = sanitize(rAgent, 'string', { modifierType: 'sql' });
+  const name = sanitize(rName, 'string', { modifierType: 'sql' });
+  const fenceUuid = sanitize(rUuid, 'string', {
+    fallback: uuid(),
+    modifierType: 'sql',
+  });
 
   const { [agent]: agentSpec } = fenceSpec;
 
diff --git a/striker-ui-api/src/lib/sanitizeSQLParam.ts b/striker-ui-api/src/lib/sanitizeSQLParam.ts
index 4c8d43ae..dd679381 100644
--- a/striker-ui-api/src/lib/sanitizeSQLParam.ts
+++ b/striker-ui-api/src/lib/sanitizeSQLParam.ts
@@ -1,2 +1,2 @@
 export const sanitizeSQLParam = (variable: string): string =>
-  variable.replace(/[']/g, '');
+  variable.replace(/'/g, `''`);
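Review bot: In the second createFence hunk `agent` is SQL-escaped at the point it is parsed and then immediately reused as the lookup key in `const { [agent]: agentSpec } = fenceSpec;`, so one value now serves both as an in-memory key and as a fragment destined for a query string; an agent name containing a single quote no longer matches any spec key, which rejects it rather than letting it through, but nothing in the code states that these locals are escaped text rather than the raw request value. Add `// modifierType 'sql' doubles single quotes: these locals are only safe when inserted as single-quoted SQL string literals, never as identifiers or bare numbers` above the three `sanitize` calls, or move the escaping to the point where the query is assembled so the lookup keeps the raw value. In the first hunk `handleNumberType` stringifies the result of a `'number'` sanitize under the same modifier; whether `modifierType: 'sql'` has any effect on a numeric result is not visible here — confirm in `sanitize` and drop the option if it is a no-op. The same pattern is applied in both hunks of this file; createFence's body, and the `write` call that consumes these values, lie outside the hunk.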
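Review bot: Doubling single quotes is a complete escape only when every caller embeds the result inside a single-quoted SQL string literal and the backend does not treat backslash as an escape character in ordinary literals; an input that ends in a backslash is still read differently by a dialect or session that has backslash escapes enabled, so the function's safety depends on a contract it does not state. Add a TSDoc block above the export: `/** Escapes a value for interpolation inside a single-quoted SQL string literal by doubling single quotes. Not suitable for identifiers, numeric positions or LIKE patterns, and assumes standard-conforming strings; prefer parameterized queries where the access layer supports them. */`. The replaced behaviour silently deleted quotes from the value, so any caller that compared the sanitized text against stored names now sees a different value — worth a pass over the other call sites of `sanitizeSQLParam`. This hunk covers the whole file, so the function is complete as shown.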