
chore: move sort order validation closer to store due to possible SQL injection (#5322)

This commit is contained in:
Jaanus Sellin 2023-11-13 12:43:12 +02:00 committed by GitHub
parent 00327c359d
commit 5782efa6c0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -537,6 +537,9 @@ class FeatureStrategiesStore implements IFeatureStrategiesStore {
const normalizedFullTag = tag?.filter((tag) => tag.length === 2);
const normalizedHalfTag = tag?.filter((tag) => tag.length === 1).flat();
const validatedSortOrder =
sortOrder === 'asc' || sortOrder === 'desc' ? sortOrder : 'asc';
let environmentCount = 1;
if (projectId) {
const rows = await this.db('project_environments')
@ -702,20 +705,21 @@ class FeatureStrategiesStore implements IFeatureStrategiesStore {
type: 'type',
lastSeenAt: 'env_last_seen_at',
};
if (sortBy.startsWith('environment:')) {
const [, envName] = sortBy.split(':');
query = query
.orderByRaw(
`CASE WHEN feature_environments.environment = ? THEN feature_environments.enabled ELSE NULL END ${sortOrder}`,
`CASE WHEN feature_environments.environment = ? THEN feature_environments.enabled ELSE NULL END ${validatedSortOrder}`,
[envName],
)
.orderBy('created_at', 'asc');
} else if (sortByMapping[sortBy]) {
query = query
.orderBy(sortByMapping[sortBy], sortOrder)
.orderBy(sortByMapping[sortBy], validatedSortOrder)
.orderBy('created_at', 'asc');
} else {
query = query.orderBy('created_at', sortOrder);
query = query.orderBy('created_at', validatedSortOrder);
}
const total = await countQuery
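Review bot: The `sortByMapping[sortBy]` lookup on the `else if` branch still resolves inherited properties, so a caller-supplied `sortBy` such as `constructor` satisfies the truthiness check and reaches `.orderBy()` with a non-column value; the commit constrains only `sortOrder`. An own-property check closes that gap: `} else if (Object.hasOwn(sortByMapping, sortBy)) {` (or `Object.prototype.hasOwnProperty.call(sortByMapping, sortBy)` if the project's Node target predates `Object.hasOwn`). Because `validatedSortOrder` is interpolated into `orderByRaw` in the `CASE ... END ${validatedSortOrder}` string rather than bound as a parameter, a short comment at its declaration in the first hunk would tell the next maintainer why the allow-list is the protection: `// sortOrder is spliced into raw SQL below; only the two literal directions may pass`. The enclosing method starts and ends outside both hunks.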