fix: fix the SQL injection vulnerability in field filter (casdoor#442)
Signed-off-by: Yixiang Zhao <[email protected]>
seriouszyx authored Jan 26, 2022
1 parent 0517523 commit 5ec0c7a
Showing 14 changed files with 31 additions and 59 deletions.
11 changes: 8 additions & 3 deletions object/adapter.go
Expand Up @@ -190,12 +190,17 @@ func (a *Adapter) createTable() {
}

func GetSession(owner string, offset, limit int, field, value, sortField, sortOrder string) *xorm.Session {
session := adapter.Engine.Limit(limit, offset).Where("1=1")
session := adapter.Engine.Prepare()
if offset != -1 && limit != -1 {
session.Limit(limit, offset)
}
if owner != "" {
session = session.And("owner=?", owner)
}
if field != "" && value != "" {
session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
if filterField(field) {
session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
}
}
if sortField == "" || sortOrder == "" {
sortField = "created_time"
Expand All @@ -206,4 +211,4 @@ func GetSession(owner string, offset, limit int, field, value, sortField, sortOr
session = session.Desc(util.SnakeString(sortField))
}
return session
}
}
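Review bot: The allowlist is applied only to `field`; `sortField` is equally caller-supplied, goes through the same `util.SnakeString` and is spliced into the ORDER BY via `session.Desc(...)` at the bottom of the hunk (and presumably an `Asc` branch in the elided lines) with no `filterField` check. Whether xorm's Asc/Desc quote the column name safely should be confirmed rather than assumed; guarding it the same way costs one line before the order branch: `if !filterField(sortField) { sortField = "created_time" }`. Separately, a `field` that fails the allowlist is silently dropped and the query runs unfiltered, so a malformed filter hands back every row for the owner — failing closed (or at least logging) would be safer. Note also that `Engine.Prepare()` only switches xorm to prepared-statement mode; the injection defense here is the `?` placeholders plus the identifier allowlist, which a doc comment on `GetSession` should state so nobody later relaxes it.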
5 changes: 1 addition & 4 deletions object/application.go
Expand Up @@ -56,10 +56,7 @@ type Application struct {
}

func GetApplicationCount(owner, field, value string) int {
session := adapter.Engine.Where("owner=?", owner)
if field != "" && value != "" {
session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
}
session := GetSession(owner, -1, -1, field, value, "", "")
count, err := session.Count(&Application{})
if err != nil {
panic(err)
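Review bot: Switching to `GetSession` changes the owner semantics: the removed `Where("owner=?", owner)` always constrained the query, whereas `GetSession` (adapter.go in this commit) omits the owner clause entirely when `owner` is empty, so a caller passing an empty owner now counts rows across every organization instead of matching nothing. If any controller can forward a blank or missing `owner` parameter, that is a cross-tenant information disclosure, and the same applies to each `Get*Count` rewritten in this commit. Cheapest guard at this layer: `if owner == "" { return 0 }` at the top of `GetApplicationCount`, or pass the owner constraint explicitly rather than relying on the helper's empty-means-any rule. `GetApplicationCount` continues past the hunk.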
5 changes: 1 addition & 4 deletions object/cert.go
Original file line number Diff line number Diff line change
Expand Up @@ -53,10 +53,7 @@ func GetMaskedCerts(certs []*Cert) []*Cert {
}

func GetCertCount(owner, field, value string) int {
session := adapter.Engine.Where("owner=?", owner)
if field != "" && value != "" {
session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
}
session := GetSession(owner, -1, -1, field, value, "", "")
count, err := session.Count(&Cert{})
if err != nil {
panic(err)
10 changes: 9 additions & 1 deletion object/check.go
Expand Up @@ -23,10 +23,14 @@ import (
goldap "github.com/go-ldap/ldap/v3"
)

var reWhiteSpace *regexp.Regexp
var (
reWhiteSpace *regexp.Regexp
reFieldWhiteList *regexp.Regexp
)

func init() {
reWhiteSpace, _ = regexp.Compile(`\s`)
reFieldWhiteList, _ = regexp.Compile(`^[A-Za-z0-9]+$`)
}

func CheckUserSignup(application *Application, organization *Organization, username string, password string, displayName string, email string, phone string, affiliation string) string {
Expand Down Expand Up @@ -179,3 +183,7 @@ func CheckUserPassword(organization string, username string, password string) (*

return user, ""
}

func filterField(field string) bool {
return reFieldWhiteList.MatchString(field)
}
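Review bot: The new `reFieldWhiteList, _ = regexp.Compile(...)` discards the error; for a package-level constant pattern the idiom is `reFieldWhiteList = regexp.MustCompile(`^[A-Za-z0-9]+$`)`, which fails loudly at startup instead of leaving a nil `*Regexp` that would panic inside `filterField` on first use (the existing `reWhiteSpace` line has the same weakness). `filterField` reads as though it transforms the field but is a predicate; a doc comment such as `// filterField reports whether field is a plain alphanumeric identifier that is safe to splice into a column reference.` would help, or rename it to `isValidFieldName`. That comment should also say what the check does not do: it accepts any column name of the queried table, not only columns meant to be searchable, so a per-entity list of permitted fields would be tighter wherever a table holds secrets.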
7 changes: 1 addition & 6 deletions object/organization.go
Expand Up @@ -15,8 +15,6 @@
package object

import (
"fmt"

"github.com/casdoor/casdoor/cred"
"github.com/casdoor/casdoor/util"
"xorm.io/core"
Expand All @@ -39,10 +37,7 @@ type Organization struct {
}

func GetOrganizationCount(owner, field, value string) int {
session := adapter.Engine.Where("owner=?", owner)
if field != "" && value != "" {
session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
}
session := GetSession(owner, -1, -1, field, value, "", "")
count, err := session.Count(&Organization{})
if err != nil {
panic(err)
5 changes: 1 addition & 4 deletions object/permission.go
Expand Up @@ -39,10 +39,7 @@ type Permission struct {
}

func GetPermissionCount(owner, field, value string) int {
session := adapter.Engine.Where("owner=?", owner)
if field != "" && value != "" {
session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
}
session := GetSession(owner, -1, -1, field, value, "", "")
count, err := session.Count(&Permission{})
if err != nil {
panic(err)
5 changes: 1 addition & 4 deletions object/provider.go
Expand Up @@ -81,10 +81,7 @@ func GetMaskedProviders(providers []*Provider) []*Provider {
}

func GetProviderCount(owner, field, value string) int {
session := adapter.Engine.Where("owner=?", owner)
if field != "" && value != "" {
session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
}
session := GetSession(owner, -1, -1, field, value, "", "")
count, err := session.Count(&Provider{})
if err != nil {
panic(err)
5 changes: 1 addition & 4 deletions object/record.go
Expand Up @@ -102,10 +102,7 @@ func AddRecord(record *Record) bool {
}

func GetRecordCount(field, value string) int {
session := adapter.Engine.Where("1=1")
if field != "" && value != "" {
session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
}
session := GetSession("", -1, -1, field, value, "", "")
count, err := session.Count(&Record{})
if err != nil {
panic(err)
7 changes: 2 additions & 5 deletions object/resource.go
Expand Up @@ -40,11 +40,8 @@ type Resource struct {
}

func GetResourceCount(owner, user, field, value string) int {
session := adapter.Engine.Where("owner=? and user=?", owner, user)
if field != "" && value != "" {
session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
}
count, err := session.Count(&Resource{})
session := GetSession(owner, -1, -1, field, value, "", "")
count, err := session.Count(&Resource{User: user})
if err != nil {
panic(err)
}
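Review bot: The removed `Where("owner=? and user=?", owner, user)` is replaced by `Count(&Resource{User: user})`, and as far as I recall xorm only turns non-zero bean fields into conditions — so when `user` is empty the user constraint vanishes and the count covers every resource of the owner (the owner clause is likewise dropped by `GetSession` when `owner` is empty). If an empty user is a legitimate input here that is a silent behavior change worth documenting; otherwise keep the condition unconditional: `session := GetSession(owner, -1, -1, field, value, "", "").And("user=?", user)` followed by `count, err := session.Count(&Resource{})`. `GetResourceCount` continues past the hunk.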
5 changes: 1 addition & 4 deletions object/role.go
Expand Up @@ -33,10 +33,7 @@ type Role struct {
}

func GetRoleCount(owner, field, value string) int {
session := adapter.Engine.Where("owner=?", owner)
if field != "" && value != "" {
session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
}
session := GetSession(owner, -1, -1, field, value, "", "")
count, err := session.Count(&Role{})
if err != nil {
panic(err)
5 changes: 1 addition & 4 deletions object/syncer.go
Expand Up @@ -56,10 +56,7 @@ type Syncer struct {
}

func GetSyncerCount(owner, field, value string) int {
session := adapter.Engine.Where("owner=?", owner)
if field != "" && value != "" {
session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
}
session := GetSession(owner, -1, -1, field, value, "", "")
count, err := session.Count(&Syncer{})
if err != nil {
panic(err)
5 changes: 1 addition & 4 deletions object/token.go
Expand Up @@ -57,10 +57,7 @@ type TokenWrapper struct {
}

func GetTokenCount(owner, field, value string) int {
session := adapter.Engine.Where("owner=?", owner)
if field != "" && value != "" {
session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
}
session := GetSession(owner, -1, -1, field, value, "", "")
count, err := session.Count(&Token{})
if err != nil {
panic(err)
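Review bot: Because `filterField` admits any alphanumeric name, `GetTokenCount` now lets a caller run `LIKE '%value%'` against any column of the Token table; if those columns include the token strings themselves (the struct body is outside the hunk) and the count is exposed to the caller, the result becomes a character-by-character oracle for extracting them. A per-type allowlist of searchable fields (`name`, `application`, `organization`, or whatever the UI actually filters on) would be safer than the generic identifier check, e.g. `if !slices.Contains(tokenSearchFields, field) { field = "" }` before calling `GetSession` (`slices` needs Go 1.21; a small switch does the same otherwise). `GetTokenCount` continues past the hunk.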
10 changes: 2 additions & 8 deletions object/user.go
Expand Up @@ -89,10 +89,7 @@ type User struct {
}

func GetGlobalUserCount(field, value string) int {
session := adapter.Engine.Where("1=1")
if field != "" && value != "" {
session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
}
session := GetSession("", -1, -1, field, value, "", "")
count, err := session.Count(&User{})
if err != nil {
panic(err)
Expand Down Expand Up @@ -123,10 +120,7 @@ func GetPaginationGlobalUsers(offset, limit int, field, value, sortField, sortOr
}

func GetUserCount(owner, field, value string) int {
session := adapter.Engine.Where("owner=?", owner)
if field != "" && value != "" {
session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
}
session := GetSession(owner, -1, -1, field, value, "", "")
count, err := session.Count(&User{})
if err != nil {
panic(err)
5 changes: 1 addition & 4 deletions object/webhook.go
Expand Up @@ -43,10 +43,7 @@ type Webhook struct {
}

func GetWebhookCount(owner, field, value string) int {
session := adapter.Engine.Where("owner=?", owner)
if field != "" && value != "" {
session = session.And(fmt.Sprintf("%s like ?", util.SnakeString(field)), fmt.Sprintf("%%%s%%", value))
}
session := GetSession(owner, -1, -1, field, value, "", "")
count, err := session.Count(&Webhook{})
if err != nil {
panic(err)