From c1b3c2358cd4ad20220b5b4eafb6f805a4f30378 Mon Sep 17 00:00:00 2001
From: "oskar.herrmann"
Date: Wed, 11 Dec 2024 17:13:14 +0100
Subject: [PATCH] Remove unused import, add import, sanitize sql var

---
 .../Privilege/Node/Doctrine/ConditionGenerator.php | 1 -
 .../Doctrine/DescendantOfTypeConditionGenerator.php | 11 ++++++++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/Neos.ContentRepository/Classes/Security/Authorization/Privilege/Node/Doctrine/ConditionGenerator.php b/Neos.ContentRepository/Classes/Security/Authorization/Privilege/Node/Doctrine/ConditionGenerator.php
index 68139980e3..25555cc823 100644
--- a/Neos.ContentRepository/Classes/Security/Authorization/Privilege/Node/Doctrine/ConditionGenerator.php
+++ b/Neos.ContentRepository/Classes/Security/Authorization/Privilege/Node/Doctrine/ConditionGenerator.php
@@ -18,7 +18,6 @@
 use Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\ConditionGenerator as EntityConditionGenerator;
 use Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\DisjunctionGenerator;
 use Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\PropertyConditionGenerator;
-use Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\DecendantOfNodetypeConditionGenerator;
 use Neos\Flow\Security\Exception\InvalidPrivilegeException;
 use Neos\ContentRepository\Domain\Model\NodeData;
 use Neos\ContentRepository\Domain\Model\NodeInterface;
diff --git a/Neos.ContentRepository/Classes/Security/Authorization/Privilege/Node/Doctrine/DescendantOfTypeConditionGenerator.php b/Neos.ContentRepository/Classes/Security/Authorization/Privilege/Node/Doctrine/DescendantOfTypeConditionGenerator.php
index 28d30c3c30..26a2912647 100644
--- a/Neos.ContentRepository/Classes/Security/Authorization/Privilege/Node/Doctrine/DescendantOfTypeConditionGenerator.php
+++ b/Neos.ContentRepository/Classes/Security/Authorization/Privilege/Node/Doctrine/DescendantOfTypeConditionGenerator.php
@@ -13,6 +13,7 @@
 use Doctrine\Persistence\Mapping\ClassMetadata;
 use Doctrine\ORM\Query\Filter\SQLFilter as DoctrineSqlFilter;
+use Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\SqlGeneratorInterface;
 
 /**
  * A SQL generator to create a condition matching a node underneath a certain node type
@@ -39,7 +40,15 @@ public function __construct(array $nodetypes)
      */
     public function getSql(DoctrineSqlFilter $sqlFilter, ClassMetadata $targetEntity, $targetTableAlias)
     {
-        $nodetypeList = implode("','", $this->nodetypes);
+
+        $nodetypes = array_map('trim', $this->nodetypes);
+
+        $safeNodetypes = [];
+        foreach ($nodetypes as $nodetype) {
+            $safeNodetypes[] = str_replace(["'", "`"],"", $nodetype);
+        }
+
+        $nodetypeList = implode("','", $safeNodetypes);
         return "select * from public.neos_contentrepository_domain_model_nodedata n1
         JOIN public.neos_contentrepository_domain_model_nodedata n2
         ON n1.path LIKE CONCAT(n2.path, '%')
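Review bot: The new loop in getSql only strips `'` and backtick from each node type before `implode("','", …)` builds a quoted list, which is a character blacklist rather than SQL escaping: a trailing backslash survives, and on a backend where `\'` escapes a quote (MySQL with its default sql_mode) `Foo\` still ends up as `'Foo\','Bar'` and breaks out of the literal, while any other unexpected character is silently rewritten into a name that may match a different node type than the one configured. The place where the list is interpolated is below the hunk (presumably an `IN ('…')` clause in the rest of the returned string), and the names appear to come from privilege configuration rather than request input, so this is defence in depth — but a sanitizer that mutates its input is the wrong shape for it. Prefer rejecting anything that does not look like a node type name and throwing, or quoting each value through the connection (Doctrine's `Connection::quote()` or the SQLFilter parameter API) instead of hand-stripping characters; the rewritten loop below does the former. getSql's body and the returned SQL string continue outside the hunk.
```php
    public function getSql(DoctrineSqlFilter $sqlFilter, ClassMetadata $targetEntity, $targetTableAlias)
    {
        $safeNodetypes = [];
        foreach ($this->nodetypes as $nodetype) {
            $nodetype = trim($nodetype);
            // The value is interpolated into SQL below, so reject instead of silently rewriting it.
            // NOTE(review): assumes node type names are identifier-like (letters, digits, "_", ".", ":", "-") — confirm against the node type manager.
            if (preg_match('/^[A-Za-z0-9_.:-]+$/', $nodetype) !== 1) {
                throw new \InvalidArgumentException(sprintf('Invalid node type name "%s" in privilege matcher', $nodetype));
            }
            $safeNodetypes[] = $nodetype;
        }
        $nodetypeList = implode("','", $safeNodetypes);
        // … unchanged: returned SQL string …
```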