From 4769a82bbd2f0956ba3ee16cbef62a74f8c52b00 Mon Sep 17 00:00:00 2001
From: Alexandr Dubovikov
Date: Tue, 7 Jan 2025 12:56:16 +0100
Subject: [PATCH] Fix code scanning alert no. 9: Database query built from user-controlled sources
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 data/service/userSettings.go | 34 +++++++++++++++++++++-------------
 1 file changed, 21 insertions(+), 13 deletions(-)
diff --git a/data/service/userSettings.go b/data/service/userSettings.go
index cb750edb..8dd49e2b 100644
--- a/data/service/userSettings.go
+++ b/data/service/userSettings.go
@@ -167,17 +167,20 @@ func (ss *UserSettingsService) Add(userObject *model.TableUserSettings) (string,
 func (ss *UserSettingsService) Get(userObject *model.TableUserSettings, UserName string, isAdmin bool) (model.TableUserSettings, error) {
 data := model.TableUserSettings{}
- var sqlWhere = make(map[string]interface{})
+ var sqlWhere string
+ var args []interface{}
 if !isAdmin {
- sqlWhere = map[string]interface{}{"guid": userObject.GUID, "username": UserName}
+ sqlWhere = "guid = ? AND username = ?"
+ args = append(args, userObject.GUID, UserName)
 } else {
- sqlWhere = map[string]interface{}{"guid": userObject.GUID}
+ sqlWhere = "guid = ?"
+ args = append(args, userObject.GUID)
 }
 if err := ss.Session.Debug().
 Table("user_settings").
- Where(sqlWhere).Find(&data).Error; err != nil {
+ Where(sqlWhere, args...).Find(&data).Error; err != nil {
 return data, err
 }
 return data, nil
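Review bot: The same six-line WHERE-clause construction now appears verbatim in Get, Delete and Update (this hunk and the two that follow it), so any later change to the admin/non-admin rule must be made in three places; a small helper that returns the clause and its bound arguments removes the duplication and keeps the three methods consistent. As far as the hunk shows the rewrite is behaviour-preserving: GORM binds map conditions as parameters too, so `Where(sqlWhere, args...)` with `?` placeholders is equivalent to the old map form, and the main effect of the change is to make the parameterisation explicit to the scanner. The helper's doc comment should spell out the authorisation rule the clause encodes — non-admin callers are bound to their own `username` as well as the `guid` — because that, not the placeholder syntax, is the security-relevant part of these queries. The closing brace and trailing context lines of each function fall outside what is visible in these hunks.
```go
// userSettingsWhere builds the parameterised WHERE clause shared by Get,
// Delete and Update. Admins may address any row by guid; every other
// caller is additionally bound to its own username, which is the
// authorisation check these methods rely on.
func userSettingsWhere(userObject *model.TableUserSettings, userName string, isAdmin bool) (string, []interface{}) {
	if isAdmin {
		return "guid = ?", []interface{}{userObject.GUID}
	}
	return "guid = ? AND username = ?", []interface{}{userObject.GUID, userName}
}

func (ss *UserSettingsService) Get(userObject *model.TableUserSettings, UserName string, isAdmin bool) (model.TableUserSettings, error) {
	data := model.TableUserSettings{}
	sqlWhere, args := userSettingsWhere(userObject, UserName, isAdmin)
	// … unchanged: Find query and return …
```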
@@ -187,18 +190,20 @@ func (ss *UserSettingsService) Get(userObject *model.TableUserSettings, UserName
 // it doesn't check internally whether all the validation are applied or not
 func (ss *UserSettingsService) Delete(userObject *model.TableUserSettings, UserName string, isAdmin bool) error {
- var sqlWhere = make(map[string]interface{})
+ var sqlWhere string
+ var args []interface{}
 if !isAdmin {
- sqlWhere = map[string]interface{}{"guid": userObject.GUID, "username": UserName}
+ sqlWhere = "guid = ? AND username = ?"
+ args = append(args, userObject.GUID, UserName)
 } else {
- sqlWhere = map[string]interface{}{"guid": userObject.GUID}
+ sqlWhere = "guid = ?"
+ args = append(args, userObject.GUID)
 }
 if err := ss.Session.Debug().
 Table("user_settings").
- Where(sqlWhere).
- Delete(model.TableUserSettings{}).Error; err != nil {
+ Where(sqlWhere, args...).Delete(model.TableUserSettings{}).Error; err != nil {
 return err
 }
 return nil
@@ -208,19 +213,22 @@ func (ss *UserSettingsService) Delete(userObject *model.TableUserSettings, UserN
 // it doesn't check internally whether all the validation are applied or not
 func (ss *UserSettingsService) Update(userObject *model.TableUserSettings, UserName string, isAdmin bool) error {
- var sqlWhere = make(map[string]interface{})
+ var sqlWhere string
+ var args []interface{}
 if !isAdmin {
- sqlWhere = map[string]interface{}{"guid": userObject.GUID, "username": UserName}
+ sqlWhere = "guid = ? AND username = ?"
+ args = append(args, userObject.GUID, UserName)
 } else {
- sqlWhere = map[string]interface{}{"guid": userObject.GUID}
+ sqlWhere = "guid = ?"
+ args = append(args, userObject.GUID)
 }
 if err := ss.Session.Debug().
 Table("user_settings").
 Debug().
 Model(&model.TableUserSettings{}).
- Where(sqlWhere).Update(userObject).Error; err != nil {
+ Where(sqlWhere, args...).Update(userObject).Error; err != nil {
 return err
 }
 return nil