
chore: move sort order validation closer to store due to possible SQL injection (#5322)

This commit is contained in:
Jaanus Sellin 2023-11-13 12:43:12 +02:00 committed by GitHub
parent 00327c359d
commit 5782efa6c0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -537,6 +537,9 @@ class FeatureStrategiesStore implements IFeatureStrategiesStore {
const normalizedFullTag = tag?.filter((tag) => tag.length === 2); const normalizedFullTag = tag?.filter((tag) => tag.length === 2);
const normalizedHalfTag = tag?.filter((tag) => tag.length === 1).flat(); const normalizedHalfTag = tag?.filter((tag) => tag.length === 1).flat();
const validatedSortOrder =
sortOrder === 'asc' || sortOrder === 'desc' ? sortOrder : 'asc';
let environmentCount = 1; let environmentCount = 1;
if (projectId) { if (projectId) {
const rows = await this.db('project_environments') const rows = await this.db('project_environments')
@ -702,20 +705,21 @@ class FeatureStrategiesStore implements IFeatureStrategiesStore {
type: 'type', type: 'type',
lastSeenAt: 'env_last_seen_at', lastSeenAt: 'env_last_seen_at',
}; };
if (sortBy.startsWith('environment:')) { if (sortBy.startsWith('environment:')) {
const [, envName] = sortBy.split(':'); const [, envName] = sortBy.split(':');
query = query query = query
.orderByRaw( .orderByRaw(
`CASE WHEN feature_environments.environment = ? THEN feature_environments.enabled ELSE NULL END ${sortOrder}`, `CASE WHEN feature_environments.environment = ? THEN feature_environments.enabled ELSE NULL END ${validatedSortOrder}`,
[envName], [envName],
) )
.orderBy('created_at', 'asc'); .orderBy('created_at', 'asc');
} else if (sortByMapping[sortBy]) { } else if (sortByMapping[sortBy]) {
query = query query = query
.orderBy(sortByMapping[sortBy], sortOrder) .orderBy(sortByMapping[sortBy], validatedSortOrder)
.orderBy('created_at', 'asc'); .orderBy('created_at', 'asc');
} else { } else {
query = query.orderBy('created_at', sortOrder); query = query.orderBy('created_at', validatedSortOrder);
} }
const total = await countQuery const total = await countQuery
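Review bot: The `sortByMapping[sortBy]` test on the `else if` branch is a plain truthiness check, so a `sortBy` value that names an inherited `Object.prototype` member (for example `constructor`) passes it and a non-string is handed to `.orderBy`; whether that is reachable depends on how `sortBy` is validated upstream, which this hunk does not show. Tightening it to an own-property check, `} else if (Object.hasOwn(sortByMapping, sortBy)) {` (or `Object.prototype.hasOwnProperty.call` if the TS lib target lacks `hasOwn`), gives the column whitelist the same strictness the new `validatedSortOrder` gives the direction keyword. Relatedly, `validatedSortOrder` silently maps any unexpected value to `'asc'`; a one-line comment above it such as `// Only the two literal keywords may be interpolated into the raw ORDER BY; anything else falls back to 'asc'.` would record that the fallback is deliberate rather than a swallowed validation error. The enclosing method starts before the first hunk and continues past the second.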