Skip to content

Commit f3906f9

Browse files
kripanshdevtronkripanshdevtron
committed
sql injection fixes
1 parent 47843d9 commit f3906f9

1 file changed

Lines changed: 51 additions & 26 deletions

File tree

pkg/auth/user/repository/UserAuthRepository.go

Lines changed: 51 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -946,39 +946,46 @@ func (impl UserAuthRepositoryImpl) GetRolesForWorkflow(workflow, entityName stri
946946
func (impl UserAuthRepositoryImpl) GetRoleForClusterEntity(cluster, namespace, group, kind, resource, action string) (RoleModel, error) {
947947
var model RoleModel
948948
query := "SELECT * FROM roles WHERE entity = ? "
949+
var queryParams []string
949950
var err error
950951

951952
if len(cluster) > 0 {
952-
query += " and cluster='" + cluster + "' "
953+
query += " and cluster = ? "
954+
queryParams = append(queryParams, cluster)
953955
} else {
954956
query += " and cluster IS NULL "
955957
}
956958
if len(namespace) > 0 {
957-
query += " and namespace='" + namespace + "' "
959+
query += " and namespace = ? "
960+
queryParams = append(queryParams, namespace)
958961
} else {
959962
query += " and namespace IS NULL "
960963
}
961964
if len(group) > 0 {
962-
query += " and \"group\"='" + group + "' "
965+
query += " and \"group\"= ? "
966+
queryParams = append(queryParams, group)
963967
} else {
964968
query += " and \"group\" IS NULL "
965969
}
966970
if len(kind) > 0 {
967-
query += " and kind='" + kind + "' "
971+
query += " and kind = ? "
972+
queryParams = append(queryParams, kind)
968973
} else {
969974
query += " and kind IS NULL "
970975
}
971976
if len(resource) > 0 {
972-
query += " and resource='" + resource + "' "
977+
query += " and resource = ? "
978+
queryParams = append(queryParams, resource)
973979
} else {
974980
query += " and resource IS NULL "
975981
}
976982
if len(action) > 0 {
977-
query += " and action='" + action + "' ;"
983+
query += " and action = ? ;"
984+
queryParams = append(queryParams, action)
978985
} else {
979986
query += " and action IS NULL ;"
980987
}
981-
_, err = impl.dbConnection.Query(&model, query, bean.CLUSTER_ENTITIY)
988+
_, err = impl.dbConnection.Query(&model, query, bean.CLUSTER_ENTITIY, queryParams)
982989
if err != nil {
983990
impl.Logger.Errorw("error in getting roles for clusterEntity", "err", err,
984991
bean2.CLUSTER, cluster, "namespace", namespace, "kind", kind, "group", group, "resource", resource)
@@ -990,24 +997,28 @@ func (impl UserAuthRepositoryImpl) GetRoleForClusterEntity(cluster, namespace, g
990997
func (impl UserAuthRepositoryImpl) GetRoleForJobsEntity(entity, team, app, env, act string, workflow string) (RoleModel, error) {
991998
var model RoleModel
992999
var err error
1000+
var queryParams []string
9931001
if len(team) > 0 && len(act) > 0 {
9941002
query := "SELECT role.* FROM roles role WHERE role.team = ? AND role.action=? AND role.entity=? "
9951003
if len(env) == 0 {
9961004
query = query + " AND role.environment is NULL"
9971005
} else {
998-
query += "AND role.environment='" + env + "'"
1006+
query += "AND role.environment = ? "
1007+
queryParams = append(queryParams, env)
9991008
}
10001009
if len(app) == 0 {
10011010
query = query + " AND role.entity_name is NULL"
10021011
} else {
1003-
query += " AND role.entity_name='" + app + "'"
1012+
query += " AND role.entity_name = ? "
1013+
queryParams = append(queryParams, app)
10041014
}
10051015
if len(workflow) == 0 {
10061016
query = query + " AND role.workflow is NULL;"
10071017
} else {
1008-
query += " AND role.workflow='" + workflow + "';"
1018+
query += " AND role.workflow = ? ;"
1019+
queryParams = append(queryParams, workflow)
10091020
}
1010-
_, err = impl.dbConnection.Query(&model, query, team, act, entity)
1021+
_, err = impl.dbConnection.Query(&model, query, team, act, entity, queryParams)
10111022
} else {
10121023
return model, nil
10131024
}
@@ -1021,21 +1032,25 @@ func (impl UserAuthRepositoryImpl) GetRoleForChartGroupEntity(entity, app, act,
10211032
var model RoleModel
10221033
var err error
10231034
if len(app) > 0 && act == "update" {
1035+
var queryParams []string
10241036
query := "SELECT role.* FROM roles role WHERE role.entity = ? AND role.entity_name=? AND role.action=?"
10251037
if len(accessType) == 0 {
10261038
query = query + " and role.access_type is NULL"
10271039
} else {
1028-
query += " and role.access_type='" + accessType + "'"
1040+
query += " and role.access_type = ? "
1041+
queryParams = append(queryParams, accessType)
10291042
}
1030-
_, err = impl.dbConnection.Query(&model, query, entity, app, act)
1043+
_, err = impl.dbConnection.Query(&model, query, entity, app, act, queryParams)
10311044
} else if app == "" {
1045+
var queryParams []string
10321046
query := "SELECT role.* FROM roles role WHERE role.entity = ? AND role.action=?"
10331047
if len(accessType) == 0 {
10341048
query = query + " and role.access_type is NULL"
10351049
} else {
1036-
query += " and role.access_type='" + accessType + "'"
1050+
query += " and role.access_type = ? "
1051+
queryParams = append(queryParams, accessType)
10371052
}
1038-
_, err = impl.dbConnection.Query(&model, query, entity, act)
1053+
_, err = impl.dbConnection.Query(&model, query, entity, act, queryParams)
10391054
}
10401055
if err != nil {
10411056
impl.Logger.Errorw("error in getting role for chart group entity", "err", err, "entity", entity, "app", app, "act", act, "accessType", accessType)
@@ -1047,52 +1062,62 @@ func (impl UserAuthRepositoryImpl) GetRoleForOtherEntity(team, app, env, act, ac
10471062
var model RoleModel
10481063
var err error
10491064
if len(team) > 0 && len(app) > 0 && len(env) > 0 && len(act) > 0 {
1065+
var queryParams []string
10501066
query := "SELECT role.* FROM roles role WHERE role.team = ? AND role.entity_name=? AND role.environment=? AND role.action=?"
10511067
if oldValues {
10521068
query = query + " and role.access_type is NULL"
10531069
} else {
1054-
query += " and role.access_type='" + accessType + "'"
1070+
query += " and role.access_type = ? "
1071+
queryParams = append(queryParams, accessType)
10551072
}
10561073

1057-
_, err = impl.dbConnection.Query(&model, query, team, app, env, act)
1074+
_, err = impl.dbConnection.Query(&model, query, team, app, env, act, queryParams)
10581075
} else if len(team) > 0 && app == "" && len(env) > 0 && len(act) > 0 {
1059-
1076+
var queryParams []string
10601077
query := "SELECT role.* FROM roles role WHERE role.team=? AND coalesce(role.entity_name,'')=? AND role.environment=? AND role.action=?"
10611078
if oldValues {
10621079
query = query + " and role.access_type is NULL"
10631080
} else {
1064-
query += " and role.access_type='" + accessType + "'"
1081+
query += " and role.access_type = ? "
1082+
queryParams = append(queryParams, accessType)
10651083
}
1066-
_, err = impl.dbConnection.Query(&model, query, team, EMPTY_PLACEHOLDER_FOR_QUERY, env, act)
1084+
_, err = impl.dbConnection.Query(&model, query, team, EMPTY_PLACEHOLDER_FOR_QUERY, env, act, queryParams)
10671085
} else if len(team) > 0 && len(app) > 0 && env == "" && len(act) > 0 {
1086+
var queryParams []string
10681087
//this is applicable for all environment of a team
10691088
query := "SELECT role.* FROM roles role WHERE role.team = ? AND role.entity_name=? AND coalesce(role.environment,'')=? AND role.action=?"
10701089
if oldValues {
10711090
query = query + " and role.access_type is NULL"
10721091
} else {
1073-
query += " and role.access_type='" + accessType + "'"
1092+
query += " and role.access_type = ? "
1093+
queryParams = append(queryParams, accessType)
10741094
}
10751095

1076-
_, err = impl.dbConnection.Query(&model, query, team, app, EMPTY_PLACEHOLDER_FOR_QUERY, act)
1096+
_, err = impl.dbConnection.Query(&model, query, team, app, EMPTY_PLACEHOLDER_FOR_QUERY, act, queryParams)
10771097
} else if len(team) > 0 && app == "" && env == "" && len(act) > 0 {
1098+
var queryParams []string
10781099
//this is applicable for all environment of a team
10791100
query := "SELECT role.* FROM roles role WHERE role.team = ? AND coalesce(role.entity_name,'')=? AND coalesce(role.environment,'')=? AND role.action=?"
10801101
if oldValues {
10811102
query = query + " and role.access_type is NULL"
10821103
} else {
1083-
query += " and role.access_type='" + accessType + "'"
1104+
query += " and role.access_type = ? "
1105+
queryParams = append(queryParams, accessType)
10841106
}
10851107

1086-
_, err = impl.dbConnection.Query(&model, query, team, EMPTY_PLACEHOLDER_FOR_QUERY, EMPTY_PLACEHOLDER_FOR_QUERY, act)
1108+
_, err = impl.dbConnection.Query(&model, query, team, EMPTY_PLACEHOLDER_FOR_QUERY, EMPTY_PLACEHOLDER_FOR_QUERY, act, queryParams)
10871109
} else if team == "" && app == "" && env == "" && len(act) > 0 {
1110+
var queryParams []string
10881111
//this is applicable for super admin, all env, all team, all app
10891112
query := "SELECT role.* FROM roles role WHERE coalesce(role.team,'') = ? AND coalesce(role.entity_name,'')=? AND coalesce(role.environment,'')=? AND role.action=?"
10901113
if len(accessType) == 0 {
10911114
query = query + " and role.access_type is NULL"
10921115
} else {
1093-
query += " and role.access_type='" + accessType + "'"
1116+
query += " and role.access_type = ? "
1117+
queryParams = append(queryParams, accessType)
1118+
10941119
}
1095-
_, err = impl.dbConnection.Query(&model, query, EMPTY_PLACEHOLDER_FOR_QUERY, EMPTY_PLACEHOLDER_FOR_QUERY, EMPTY_PLACEHOLDER_FOR_QUERY, act)
1120+
_, err = impl.dbConnection.Query(&model, query, EMPTY_PLACEHOLDER_FOR_QUERY, EMPTY_PLACEHOLDER_FOR_QUERY, EMPTY_PLACEHOLDER_FOR_QUERY, act, queryParams)
10961121
} else if team == "" && app == "" && env == "" && act == "" {
10971122
return model, nil
10981123
} else {

0 commit comments

Comments
 (0)