Sanitize OrderKey (#3128)

This commit is contained in:
Tomas Touceda 2021-11-29 18:03:19 -03:00 committed by GitHub
parent a51225f3a5
commit c82a8e8428
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -504,12 +504,14 @@ func appendListOptionsToSQL(sql string, opts fleet.ListOptions) string {
}
func appendListOptionsWithCursorToSQL(sql string, params []interface{}, opts fleet.ListOptions) (string, []interface{}) {
if opts.After != "" && opts.OrderKey != "" {
orderKey := sanitizeColumn(opts.OrderKey)
if opts.After != "" && orderKey != "" {
afterSql := " WHERE "
if strings.Contains(strings.ToLower(sql), "where") {
afterSql = " AND "
}
if strings.HasSuffix(opts.OrderKey, "id") {
if strings.HasSuffix(orderKey, "id") {
i, _ := strconv.Atoi(opts.After)
params = append(params, i)
} else {
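Review bot: The new guard `if opts.After != "" && orderKey != "" {` silently drops the cursor whenever sanitizeColumn (not visible here) turns a rejected OrderKey into an empty string: the WHERE clause is skipped, `opts.Page` is never zeroed, and the caller receives a page-based result with no indication that its cursor was ignored. If that is how sanitizeColumn signals rejection, at least document the fallback at the guard, e.g. `// orderKey is "" when sanitizeColumn rejected opts.OrderKey; the cursor is then ignored and paging falls back to opts.Page`, since silently ignoring a rejected sort key is easy to misread as a sanitization bypass during later review. The unchanged `i, _ := strconv.Atoi(opts.After)` in the same branch still discards the parse error, so a non-numeric cursor on an id column becomes 0 and returns the first page; that predates this commit but is worth checking in the same pass. appendListOptionsWithCursorToSQL continues past the hunk.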
@ -519,18 +521,17 @@ func appendListOptionsWithCursorToSQL(sql string, params []interface{}, opts fle
if opts.OrderDirection == fleet.OrderDescending {
direction = "<" // DESC
}
sql = fmt.Sprintf("%s %s %s %s ?", sql, afterSql, opts.OrderKey, direction)
sql = fmt.Sprintf("%s %s %s %s ?", sql, afterSql, orderKey, direction)
// After existing supersedes Page, so we disable it
opts.Page = 0
}
if opts.OrderKey != "" {
if orderKey != "" {
direction := "ASC"
if opts.OrderDirection == fleet.OrderDescending {
direction = "DESC"
}
orderKey := sanitizeColumn(opts.OrderKey)
sql = fmt.Sprintf("%s ORDER BY %s %s", sql, orderKey, direction)
}