Remove unused import, add import, sanitize sql var

Neos.ContentRepository/Classes/Security/Authorization/Privilege/Node/Doctrine/ConditionGenerator.php

@@ -18,7 +18,6 @@
 use Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\ConditionGenerator as EntityConditionGenerator;
 use Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\DisjunctionGenerator;
 use Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\PropertyConditionGenerator;
-use Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\DecendantOfNodetypeConditionGenerator;
 use Neos\Flow\Security\Exception\InvalidPrivilegeException;
 use Neos\ContentRepository\Domain\Model\NodeData;
 use Neos\ContentRepository\Domain\Model\NodeInterface;

Neos.ContentRepository/Classes/Security/Authorization/Privilege/Node/Doctrine/DescendantOfTypeConditionGenerator.php

@@ -13,6 +13,7 @@
 
 use Doctrine\Persistence\Mapping\ClassMetadata;
 use Doctrine\ORM\Query\Filter\SQLFilter as DoctrineSqlFilter;
+use Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\SqlGeneratorInterface;
 
 /**
  * A SQL generator to create a condition matching a node underneath a certain node type
@@ -39,7 +40,15 @@ public function __construct(array $nodetypes)
      */
     public function getSql(DoctrineSqlFilter $sqlFilter, ClassMetadata $targetEntity, $targetTableAlias)
     {
-        $nodetypeList = implode("','", $this->nodetypes);
+
+        $nodetypes = array_map('trim', $this->nodetypes);
+
+        $safeNodetypes = [];
+        foreach ($nodetypes as $nodetype) {
+            $safeNodetypes[] = str_replace(["'", "`"],"", $nodetype);
+        }
+
+        $nodetypeList = implode("','", $safeNodetypes);
 
         return "select * from public.neos_contentrepository_domain_model_nodedata n1
         JOIN public.neos_contentrepository_domain_model_nodedata n2 ON n1.path LIKE CONCAT(n2.path, '%')