fix: sql injection fixes (#5783)
* sql injection fixes * query param init fix
1 parent fd90dfb commit 1540271


1 file changed

+60
-26
lines changed

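--- a/pkg/auth/user/repository/UserAuthRepository.go
+++ b/pkg/auth/user/repository/UserAuthRepository.go
@@ -945,40 +945,48 @@ func (impl UserAuthRepositoryImpl) GetRolesForWorkflow(workflow, entityName stri
 
 func (impl UserAuthRepositoryImpl) GetRoleForClusterEntity(cluster, namespace, group, kind, resource, action string) (RoleModel, error) {
 var model RoleModel
+var queryParams []string
 query := "SELECT * FROM roles WHERE entity = ? "
+queryParams = append(queryParams, bean.CLUSTER_ENTITIY)
 var err error
 
 if len(cluster) > 0 {
-query += " and cluster='" + cluster + "' "
+query += " and cluster = ? "
+queryParams = append(queryParams, cluster)
 } else {
 query += " and cluster IS NULL "
 }
 if len(namespace) > 0 {
-query += " and namespace='" + namespace + "' "
+query += " and namespace = ? "
+queryParams = append(queryParams, namespace)
 } else {
 query += " and namespace IS NULL "
 }
 if len(group) > 0 {
-query += " and \"group\"='" + group + "' "
+query += " and \"group\"= ? "
+queryParams = append(queryParams, group)
 } else {
 query += " and \"group\" IS NULL "
 }
 if len(kind) > 0 {
-query += " and kind='" + kind + "' "
+query += " and kind = ? "
+queryParams = append(queryParams, kind)
 } else {
 query += " and kind IS NULL "
 }
 if len(resource) > 0 {
-query += " and resource='" + resource + "' "
+query += " and resource = ? "
+queryParams = append(queryParams, resource)
 } else {
 query += " and resource IS NULL "
 }
 if len(action) > 0 {
-query += " and action='" + action + "' ;"
+query += " and action = ? ;"
+queryParams = append(queryParams, action)
 } else {
 query += " and action IS NULL ;"
 }
-_, err = impl.dbConnection.Query(&model, query, bean.CLUSTER_ENTITIY)
+_, err = impl.dbConnection.Query(&model, query, queryParams)
 if err != nil {
 impl.Logger.Errorw("error in getting roles for clusterEntity", "err", err,
 bean2.CLUSTER, cluster, "namespace", namespace, "kind", kind, "group", group, "resource", resource)
@@ -990,24 +998,29 @@ func (impl UserAuthRepositoryImpl) GetRoleForClusterEntity(cluster, namespace, g
 func (impl UserAuthRepositoryImpl) GetRoleForJobsEntity(entity, team, app, env, act string, workflow string) (RoleModel, error) {
 var model RoleModel
 var err error
+var queryParams []string
 if len(team) > 0 && len(act) > 0 {
 query := "SELECT role.* FROM roles role WHERE role.team = ? AND role.action=? AND role.entity=? "
+queryParams = append(queryParams, team, act, entity)
 if len(env) == 0 {
 query = query + " AND role.environment is NULL"
 } else {
-query += "AND role.environment='" + env + "'"
+query += "AND role.environment = ? "
+queryParams = append(queryParams, env)
 }
 if len(app) == 0 {
 query = query + " AND role.entity_name is NULL"
 } else {
-query += " AND role.entity_name='" + app + "'"
+query += " AND role.entity_name = ? "
+queryParams = append(queryParams, app)
 }
 if len(workflow) == 0 {
 query = query + " AND role.workflow is NULL;"
 } else {
-query += " AND role.workflow='" + workflow + "';"
+query += " AND role.workflow = ? ;"
+queryParams = append(queryParams, workflow)
 }
-_, err = impl.dbConnection.Query(&model, query, team, act, entity)
+_, err = impl.dbConnection.Query(&model, query, queryParams)
 } else {
 return model, nil
 }
@@ -1021,21 +1034,27 @@ func (impl UserAuthRepositoryImpl) GetRoleForChartGroupEntity(entity, app, act,
 var model RoleModel
 var err error
 if len(app) > 0 && act == "update" {
+var queryParams []string
 query := "SELECT role.* FROM roles role WHERE role.entity = ? AND role.entity_name=? AND role.action=?"
+queryParams = append(queryParams, entity, app, act)
 if len(accessType) == 0 {
 query = query + " and role.access_type is NULL"
 } else {
-query += " and role.access_type='" + accessType + "'"
+query += " and role.access_type = ? "
+queryParams = append(queryParams, accessType)
 }
-_, err = impl.dbConnection.Query(&model, query, entity, app, act)
+_, err = impl.dbConnection.Query(&model, query, queryParams)
 } else if app == "" {
+var queryParams []string
 query := "SELECT role.* FROM roles role WHERE role.entity = ? AND role.action=?"
+queryParams = append(queryParams, entity, act)
 if len(accessType) == 0 {
 query = query + " and role.access_type is NULL"
 } else {
-query += " and role.access_type='" + accessType + "'"
+query += " and role.access_type = ? "
+queryParams = append(queryParams, accessType)
 }
-_, err = impl.dbConnection.Query(&model, query, entity, act)
+_, err = impl.dbConnection.Query(&model, query, queryParams)
 }
 if err != nil {
 impl.Logger.Errorw("error in getting role for chart group entity", "err", err, "entity", entity, "app", app, "act", act, "accessType", accessType)
@@ -1047,52 +1066,67 @@ func (impl UserAuthRepositoryImpl) GetRoleForOtherEntity(team, app, env, act, ac
 var model RoleModel
 var err error
 if len(team) > 0 && len(app) > 0 && len(env) > 0 && len(act) > 0 {
+var queryParams []string
 query := "SELECT role.* FROM roles role WHERE role.team = ? AND role.entity_name=? AND role.environment=? AND role.action=?"
+queryParams = append(queryParams, team, app, env, act)
 if oldValues {
 query = query + " and role.access_type is NULL"
 } else {
-query += " and role.access_type='" + accessType + "'"
+query += " and role.access_type = ? "
+queryParams = append(queryParams, accessType)
 }
 
-_, err = impl.dbConnection.Query(&model, query, team, app, env, act)
+_, err = impl.dbConnection.Query(&model, query, queryParams)
 } else if len(team) > 0 && app == "" && len(env) > 0 && len(act) > 0 {
-
+var queryParams []string
 query := "SELECT role.* FROM roles role WHERE role.team=? AND coalesce(role.entity_name,'')=? AND role.environment=? AND role.action=?"
+queryParams = append(queryParams, team, EMPTY_PLACEHOLDER_FOR_QUERY, env, act)
 if oldValues {
 query = query + " and role.access_type is NULL"
 } else {
-query += " and role.access_type='" + accessType + "'"
+query += " and role.access_type = ? "
+queryParams = append(queryParams, accessType)
 }
-_, err = impl.dbConnection.Query(&model, query, team, EMPTY_PLACEHOLDER_FOR_QUERY, env, act)
+_, err = impl.dbConnection.Query(&model, query, queryParams)
 } else if len(team) > 0 && len(app) > 0 && env == "" && len(act) > 0 {
+var queryParams []string
 //this is applicable for all environment of a team
 query := "SELECT role.* FROM roles role WHERE role.team = ? AND role.entity_name=? AND coalesce(role.environment,'')=? AND role.action=?"
+queryParams = append(queryParams, team, app, EMPTY_PLACEHOLDER_FOR_QUERY, act)
 if oldValues {
 query = query + " and role.access_type is NULL"
 } else {
-query += " and role.access_type='" + accessType + "'"
+query += " and role.access_type = ? "
+queryParams = append(queryParams, accessType)
 }
 
-_, err = impl.dbConnection.Query(&model, query, team, app, EMPTY_PLACEHOLDER_FOR_QUERY, act)
+_, err = impl.dbConnection.Query(&model, query, queryParams)
 } else if len(team) > 0 && app == "" && env == "" && len(act) > 0 {
+var queryParams []string
 //this is applicable for all environment of a team
 query := "SELECT role.* FROM roles role WHERE role.team = ? AND coalesce(role.entity_name,'')=? AND coalesce(role.environment,'')=? AND role.action=?"
+queryParams = append(queryParams, team, EMPTY_PLACEHOLDER_FOR_QUERY, EMPTY_PLACEHOLDER_FOR_QUERY, act)
 if oldValues {
 query = query + " and role.access_type is NULL"
 } else {
-query += " and role.access_type='" + accessType + "'"
+query += " and role.access_type = ? "
+queryParams = append(queryParams, accessType)
 }
 
-_, err = impl.dbConnection.Query(&model, query, team, EMPTY_PLACEHOLDER_FOR_QUERY, EMPTY_PLACEHOLDER_FOR_QUERY, act)
+_, err = impl.dbConnection.Query(&model, query, queryParams)
 } else if team == "" && app == "" && env == "" && len(act) > 0 {
+var queryParams []string
 //this is applicable for super admin, all env, all team, all app
 query := "SELECT role.* FROM roles role WHERE coalesce(role.team,'') = ? AND coalesce(role.entity_name,'')=? AND coalesce(role.environment,'')=? AND role.action=?"
+queryParams = append(queryParams, EMPTY_PLACEHOLDER_FOR_QUERY, EMPTY_PLACEHOLDER_FOR_QUERY, EMPTY_PLACEHOLDER_FOR_QUERY, act)
 if len(accessType) == 0 {
 query = query + " and role.access_type is NULL"
 } else {
-query += " and role.access_type='" + accessType + "'"
+query += " and role.access_type = ? "
+queryParams = append(queryParams, accessType)
+
 }
-_, err = impl.dbConnection.Query(&model, query, EMPTY_PLACEHOLDER_FOR_QUERY, EMPTY_PLACEHOLDER_FOR_QUERY, EMPTY_PLACEHOLDER_FOR_QUERY, act)
+_, err = impl.dbConnection.Query(&model, query, queryParams)
 } else if team == "" && app == "" && env == "" && act == "" {
 return model, nil
 } else {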
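Review bot: Every new call `_, err = impl.dbConnection.Query(&model, query, queryParams)` hands the whole `[]string` to the driver as a single argument while the query now carries several `?` placeholders; the removed calls passed each value as its own variadic argument, so if `Query` takes `params ...interface{}` (as those calls suggest), only the first placeholder would be bound, to the slice as one value, and the rest would stay unbound, making every query in this commit fail or match nothing instead of closing the injection. The slice must be spread, and a `[]string` cannot be spread into `...interface{}`, so declare it as `var queryParams []interface{}` and call `_, err = impl.dbConnection.Query(&model, query, queryParams...)` at each site. The same pattern appears in all four hunks (GetRoleForClusterEntity, GetRoleForJobsEntity, GetRoleForChartGroupEntity and GetRoleForOtherEntity). Both GetRoleForChartGroupEntity and GetRoleForOtherEntity start before their hunks, and GetRoleForOtherEntity's final `else` branch continues past the end of this one.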
