long-agent/user-system
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: P0-01 prevent LIKE injection in operation_log and device repos

Browse Source 
- operation_log.go Search(): add escapeLikePattern + ESCAPE clause
- device.go ListAllCursor(): add escapeLikePattern + ESCAPE clause

The ESCAPE clause is required for SQLite to properly interpret
backslash as an escape character.
This commit is contained in:
long-agent
2026-04-18 13:06:44 +08:00
parent b6f330fe7d
commit 32a3d4c9e0
2 changed files with 8 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
internal/repository/device.go
View File

@@ -275,8 +275,9 @@ func (r *DeviceRepository) ListAllCursor(ctx context.Context, params *ListDevice
query = query.Where("is_trusted = ?", *params.IsTrusted)
}
if params.Keyword != "" {
search := "%" + params.Keyword + "%"
query = query.Where("device_name LIKE ? OR ip LIKE ? OR location LIKE ?", search, search, search)
escapedKeyword := escapeLikePattern(params.Keyword)
pattern := "%" + escapedKeyword + "%"
query = query.Where("device_name LIKE ? ESCAPE '\\' OR ip LIKE ? ESCAPE '\\' OR location LIKE ? ESCAPE '\\'", pattern, pattern, pattern)
}
// Apply cursor condition for keyset navigation