feat(sql): SQL Injection
This commit is contained in:
Björn Benouarets
@@ -5,67 +5,24 @@ import (
|
||||
"strings"
|
||||
|
||||
"git.secnex.io/secnex/pgson/schema"
|
||||
"git.secnex.io/secnex/pgson/utils"
|
||||
"git.secnex.io/secnex/pgson/sql"
|
||||
)
|
||||
|
||||
func InsertManySQL(s *schema.Table, data []map[string]any, returning bool) (string, error) {
|
||||
if s == nil || len(data) == 0 {
|
||||
return "", fmt.Errorf("invalid input: no table or data provided")
|
||||
func Insert(s *schema.Table) (*string, error) {
|
||||
if err := sql.ValidateIdent(s.Name); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if !utils.IsValidIdentifier(s.Name) {
|
||||
return "", fmt.Errorf("invalid table name: %q", s.Name)
|
||||
}
|
||||
var cols, values []string
|
||||
|
||||
columnNames := make([]string, 0, len(data[0]))
|
||||
for column := range data[0] {
|
||||
if !utils.IsValidIdentifier(column) {
|
||||
return "", fmt.Errorf("invalid column name: %q", column)
|
||||
for _, f := range s.Schema {
|
||||
if err := sql.ValidateIdent(f.Name); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
columnNames = append(columnNames, column)
|
||||
cols = append(cols, sql.QuoteIdent(f.Name))
|
||||
values = append(values, "?")
|
||||
}
|
||||
|
||||
columns := make([]string, len(columnNames))
|
||||
for i, col := range columnNames {
|
||||
columns[i] = utils.SQLQuoteIdent(col)
|
||||
}
|
||||
|
||||
fieldMap := make(map[string]*schema.Field)
|
||||
for i := range s.Schema {
|
||||
fieldMap[s.Schema[i].Name] = &s.Schema[i]
|
||||
}
|
||||
|
||||
values := make([]string, len(data))
|
||||
for i, row := range data {
|
||||
rowValues := make([]string, len(columnNames))
|
||||
for j, colName := range columnNames {
|
||||
value := row[colName]
|
||||
|
||||
if field, exists := fieldMap[colName]; exists && field.Type == "hash" && field.Algorithm != nil {
|
||||
valueStr := fmt.Sprintf("%v", value)
|
||||
hashed, err := utils.Hash(valueStr, *field.Algorithm)
|
||||
if err != nil {
|
||||
return "", fmt.Errorf("hashing error for column %q: %w", colName, err)
|
||||
}
|
||||
value = hashed
|
||||
}
|
||||
|
||||
rowValues[j] = utils.SQLQuoteValue(value)
|
||||
}
|
||||
values[i] = fmt.Sprintf("(%s)", strings.Join(rowValues, ", "))
|
||||
}
|
||||
|
||||
query := fmt.Sprintf("INSERT INTO %s (%s) VALUES %s", utils.SQLQuoteIdent(s.Name), strings.Join(columns, ", "), strings.Join(values, ", "))
|
||||
if returning {
|
||||
if !utils.IsValidIdentifier(s.PrimaryKey) {
|
||||
return "", fmt.Errorf("invalid primary key column: %q", s.PrimaryKey)
|
||||
}
|
||||
query += " RETURNING " + utils.SQLQuoteIdent(s.PrimaryKey)
|
||||
}
|
||||
|
||||
return query, nil
|
||||
}
|
||||
|
||||
func InsertSQL(s *schema.Table, data map[string]any, returning bool) (string, error) {
|
||||
return InsertManySQL(s, []map[string]any{data}, returning)
|
||||
dmlParts := fmt.Sprintf(sql.DML_INSERT_INTO, sql.QuoteIdent(s.Name), strings.Join(cols, ", "), strings.Join(values, ", "))
|
||||
return &dmlParts, nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user