Prevent low-risk SQL injection from roomId values when entered into the config (#1619)

Christian Paul · Half-Shot · web-flow · commit 179313a37f06 · 2022-09-26T12:12:24.000+01:00
* Prevent SQL injection from roomId values when checking room visibility

* Add newsfile

* Update newsfile

* Update 1619.bugfix

Co-authored-by: Will Hunt &lt;will@half-shot.uk&gt;
diff --git a/changelog.d/1619.bugfix b/changelog.d/1619.bugfix
@@ -0,0 +1 @@
+Prevent possible attack by provisisioning a room with a specific roomID.
diff --git a/src/datastore/postgres/PgDataStore.ts b/src/datastore/postgres/PgDataStore.ts
@@ -661,8 +661,9 @@ export class PgDataStore implements DataStore {
 
     public async getRoomsVisibility(roomIds: string[]) {
         const map: {[roomId: string]: "public"|"private"} = {};
-        const list = `('${roomIds.join("','")}')`;
-        const res = await this.pgPool.query(`SELECT room_id, visibility FROM room_visibility WHERE room_id IN ${list}`);
+        const res = await this.pgPool.query("SELECT room_id, visibility FROM room_visibility WHERE room_id IN $1", [
+            roomIds,
+        ]);
         for (const row of res.rows) {
             map[row.room_id] = row.visibility ? "public" : "private";
         }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Prevent possible attack by provisisioning a room with a specific roomID.`