fix(striker-ui-api): correct escape single quote in SQL inputs

main
Tsu-ba-me 1 year ago
parent 6ceaaf5ec6
commit e9f89baba3
  1. 15
      striker-ui-api/src/lib/request_handlers/fence/createFence.ts
  2. 2
      striker-ui-api/src/lib/sanitizeSQLParam.ts

@ -7,9 +7,11 @@ import { getFenceSpec, timestamp, write } from '../../accessModule';
import { sanitize } from '../../sanitize'; import { sanitize } from '../../sanitize';
import { stderr, stdoutVar, uuid } from '../../shell'; import { stderr, stdoutVar, uuid } from '../../shell';
const handleNumberType = (v: unknown) => String(sanitize(v, 'number')); const handleNumberType = (v: unknown) =>
String(sanitize(v, 'number', { modifierType: 'sql' }));
const handleStringType = (v: unknown) => sanitize(v, 'string'); const handleStringType = (v: unknown) =>
sanitize(v, 'string', { modifierType: 'sql' });
const MAP_TO_VAR_TYPE: Record< const MAP_TO_VAR_TYPE: Record<
AnvilDataFenceParameterType, AnvilDataFenceParameterType,
@ -46,9 +48,12 @@ export const createFence: RequestHandler<
return response.status(500).send(); return response.status(500).send();
} }
const agent = sanitize(rAgent, 'string'); const agent = sanitize(rAgent, 'string', { modifierType: 'sql' });
const name = sanitize(rName, 'string'); const name = sanitize(rName, 'string', { modifierType: 'sql' });
const fenceUuid = sanitize(rUuid, 'string', { fallback: uuid() }); const fenceUuid = sanitize(rUuid, 'string', {
fallback: uuid(),
modifierType: 'sql',
});
const { [agent]: agentSpec } = fenceSpec; const { [agent]: agentSpec } = fenceSpec;
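Review bot: The SQL-escaped `agent` is reused on the last line of the hunk as the lookup key into `fenceSpec`, so the value is escaped before it has been checked against the set of known agent names, and an agent containing `'` would now arrive as `''`-doubled and simply miss the key. An allow-list check is the stronger control here and turns the escape into a secondary layer: `if (!Object.hasOwn(fenceSpec, agent)) return response.status(400).send();` before the destructuring, assuming fenceSpec is a plain object keyed by agent name (confirm against getFenceSpec). In the first hunk, `handleNumberType` applies the sql modifier to a value already coerced through `sanitize(v, 'number')`; if that value is interpolated unquoted, quote-doubling adds nothing, so a short comment such as `// numeric path relies on the 'number' coercion, not on the sql modifier` would keep the next reader from treating the modifier as the protection. createFence starts before and continues after the hunk; whether an undefined agentSpec is rejected is not visible here.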

@ -1,2 +1,2 @@
export const sanitizeSQLParam = (variable: string): string => export const sanitizeSQLParam = (variable: string): string =>
variable.replace(/[']/g, ''); variable.replace(/'/g, `''`);
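Review bot: The new body states no contract for the escaping it now performs: doubling `'` is only a complete escape when the caller places the result inside a single-quoted SQL string literal and the database treats backslash literally; it does nothing for unquoted positions such as numbers or identifiers, and it is insufficient for drivers that honour backslash escapes. I would add a TSDoc block above the export saying that the function escapes a value for interpolation inside a single-quoted literal by doubling single quotes, that it must not be used for identifiers or unquoted values, and that bound parameters remain the preferred route where the driver supports them. The previous body silently stripped quotes, which altered the stored value, while the new one preserves it; that behavioural change is worth a sentence in the comment so callers that relied on the stripping can be found.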
