

Merge pull request #589 from sipcapture/alert-autofix-9
Fix code scanning alert no. 9: Database query built from user-controlled sources
adubovikov authored Jan 7, 2025
2 parents 5d9073d + 4769a82 commit 522f234
Showing 1 changed file with 21 additions and 13 deletions.
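--- a/data/service/userSettings.go
+++ b/data/service/userSettings.go
@@ -167,17 +167,20 @@ func (ss *UserSettingsService) Add(userObject *model.TableUserSettings) (string,
 func (ss *UserSettingsService) Get(userObject *model.TableUserSettings, UserName string, isAdmin bool) (model.TableUserSettings, error) {
 data := model.TableUserSettings{}
 
-var sqlWhere = make(map[string]interface{})
+var sqlWhere string
+var args []interface{}
 
 if !isAdmin {
-sqlWhere = map[string]interface{}{"guid": userObject.GUID, "username": UserName}
+sqlWhere = "guid = ? AND username = ?"
+args = append(args, userObject.GUID, UserName)
 } else {
-sqlWhere = map[string]interface{}{"guid": userObject.GUID}
+sqlWhere = "guid = ?"
+args = append(args, userObject.GUID)
 }
 
 if err := ss.Session.Debug().
 Table("user_settings").
-Where(sqlWhere).Find(&data).Error; err != nil {
+Where(sqlWhere, args...).Find(&data).Error; err != nil {
 return data, err
 }
 return data, nil
@@ -187,18 +190,20 @@ func (ss *UserSettingsService) Get(userObject *model.TableUserSettings, UserName
 // it doesn't check internally whether all the validation are applied or not
 func (ss *UserSettingsService) Delete(userObject *model.TableUserSettings, UserName string, isAdmin bool) error {
 
-var sqlWhere = make(map[string]interface{})
+var sqlWhere string
+var args []interface{}
 
 if !isAdmin {
-sqlWhere = map[string]interface{}{"guid": userObject.GUID, "username": UserName}
+sqlWhere = "guid = ? AND username = ?"
+args = append(args, userObject.GUID, UserName)
 } else {
-sqlWhere = map[string]interface{}{"guid": userObject.GUID}
+sqlWhere = "guid = ?"
+args = append(args, userObject.GUID)
 }
 
 if err := ss.Session.Debug().
 Table("user_settings").
-Where(sqlWhere).
-Delete(model.TableUserSettings{}).Error; err != nil {
+Where(sqlWhere, args...).Delete(model.TableUserSettings{}).Error; err != nil {
 return err
 }
 return nil
@@ -208,19 +213,22 @@ func (ss *UserSettingsService) Delete(userObject *model.TableUserSettings, UserN
 // it doesn't check internally whether all the validation are applied or not
 func (ss *UserSettingsService) Update(userObject *model.TableUserSettings, UserName string, isAdmin bool) error {
 
-var sqlWhere = make(map[string]interface{})
+var sqlWhere string
+var args []interface{}
 
 if !isAdmin {
-sqlWhere = map[string]interface{}{"guid": userObject.GUID, "username": UserName}
+sqlWhere = "guid = ? AND username = ?"
+args = append(args, userObject.GUID, UserName)
 } else {
-sqlWhere = map[string]interface{}{"guid": userObject.GUID}
+sqlWhere = "guid = ?"
+args = append(args, userObject.GUID)
 }
 
 if err := ss.Session.Debug().
 Table("user_settings").
 Debug().
 Model(&model.TableUserSettings{}).
-Where(sqlWhere).Update(userObject).Error; err != nil {
+Where(sqlWhere, args...).Update(userObject).Error; err != nil {
 return err
 }
 return nil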
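Review bot: The admin/non-admin scoping clause is now written out identically in Get, Delete and this Update hunk (`var sqlWhere string`, `var args []interface{}` and the same if/else), so the ownership rule that decides which rows a non-admin may touch lives in three places that can drift apart; a single helper returning the clause and its bound arguments would keep it in one spot. The `?` placeholders with `args...` are the right shape for the alert and the helper keeps them unchanged. Whether `userObject.GUID` is a string is not visible here, so widen the helper's parameter type if it is not; Update's closing brace is outside the hunk. Unrelated to this change but worth noting: every chain still runs through `ss.Session.Debug()`, which as far as I can tell echoes the bound GUID and username into the log at debug level.
```go
// userSettingsScope returns the WHERE clause and bound arguments that
// restrict a user_settings query to the caller: admins may address any
// row by GUID, everyone else only rows they own.
func userSettingsScope(guid, userName string, isAdmin bool) (string, []interface{}) {
	if isAdmin {
		return "guid = ?", []interface{}{guid}
	}
	return "guid = ? AND username = ?", []interface{}{guid, userName}
}

func (ss *UserSettingsService) Update(userObject *model.TableUserSettings, UserName string, isAdmin bool) error {
	sqlWhere, args := userSettingsScope(userObject.GUID, UserName, isAdmin)
	// … unchanged: ss.Session.Debug().Table("user_settings").Model(...).Where(sqlWhere, args...).Update(userObject) and error handling …
```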

