	fix: sql injection in sortedSetScan
		| @@ -707,9 +707,9 @@ SELECT z."value", | |||||||
|          ON o."_key" = z."_key" |          ON o."_key" = z."_key" | ||||||
|         AND o."type" = z."type" |         AND o."type" = z."type" | ||||||
|  WHERE o."_key" = $1::TEXT |  WHERE o."_key" = $1::TEXT | ||||||
|   AND z."value" LIKE '${match}' |   AND z."value" LIKE $3 | ||||||
|   LIMIT $2::INTEGER`, |   LIMIT $2::INTEGER`, | ||||||
| 			values: [params.key, params.limit], | 			values: [params.key, params.limit, match], | ||||||
| 		}); | 		}); | ||||||
| 		if (!params.withScores) { | 		if (!params.withScores) { | ||||||
| 			return res.rows.map(r => r.value); | 			return res.rows.map(r => r.value); | ||||||
|   | |||||||
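Review bot: The new `LIKE $3` on the `z."value"` line closes the injection, but `match` still reaches the planner as a LIKE pattern, so `%`, `_` and the default escape `\` inside it are pattern metacharacters rather than literal text; if the glob-to-LIKE conversion that builds `match` (above the hunk, not visible here) does not escape those characters in the user-supplied part, a caller can still widen the match with `_` or `%`, which is worth either escaping there or adding an `ESCAPE` clause. The new placeholder is also the only one without a cast while its neighbours use `$1::TEXT` and `$2::INTEGER`; for consistency write `AND z."value" LIKE $3::TEXT`. The enclosing function begins and ends outside the hunk.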
| @@ -78,6 +78,21 @@ describe('Sorted Set methods', () => { | |||||||
| 			assert(data.includes('ddb')); | 			assert(data.includes('ddb')); | ||||||
| 			assert(data.includes('adb')); | 			assert(data.includes('adb')); | ||||||
| 		}); | 		}); | ||||||
|  |  | ||||||
|  | 		it('should not error with invalid input', async () => { | ||||||
|  | 			const query = `-3217' | ||||||
|  | OR 1251=CAST((CHR(113)||CHR(98)||CHR(118)||CHR(98)||CHR(113))||(SELECT | ||||||
|  | (CASE WHEN (1251=1251) THEN 1 ELSE 0 | ||||||
|  | END))::text||(CHR(113)||CHR(113)||CHR(118)||CHR(98)||CHR(113)) AS | ||||||
|  | NUMERIC)-- WsPn&query[cid]=-1&parentCid=0&selectedCids[]=-1&privilege=topics:read&states[]=watching&states[]=tracking&states[]=notwatching&showLinks=`; | ||||||
|  | 			const match = `*${query.toLowerCase()}*`; | ||||||
|  | 			const data = await db.getSortedSetScan({ | ||||||
|  | 				key: 'categories:name', | ||||||
|  | 				match: match, | ||||||
|  | 				limit: 500, | ||||||
|  | 			}); | ||||||
|  | 			assert.strictEqual(data.length, 0); | ||||||
|  | 		}); | ||||||
| 	}); | 	}); | ||||||
|  |  | ||||||
| 	describe('sortedSetAdd()', () => { | 	describe('sortedSetAdd()', () => { | ||||||
|   | |||||||
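Review bot: The added test only asserts that the payload no longer throws and yields zero rows (`assert.strictEqual(data.length, 0)`); it does not check the property the fix is meant to restore, namely that a quote in `match` is now data rather than SQL syntax, so a regression that, say, stripped quotes before interpolating would pass it too. A positive case pins that down: seed a value containing a quote, e.g. `await db.sortedSetAdd('categories:name', 1, "it's")` (assuming the usual `(key, score, value)` signature used elsewhere in this suite), then scan with `match: "*it's*"` and `assert(found.includes("it's"))` — that call errors on the old string-built query and succeeds with the parameter. Minor style points on the new `it` block: `match: match` can use property shorthand, and the long multi-line payload would read better as a short comment stating it is a sqlmap-style boolean-based probe so the next reader does not try to parse it.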