long-agent/user-system
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: P0-01 prevent LIKE injection in operation_log and device repos

Browse Source 
- operation_log.go Search(): add escapeLikePattern + ESCAPE clause
- device.go ListAllCursor(): add escapeLikePattern + ESCAPE clause

The ESCAPE clause is required for SQLite to properly interpret
backslash as an escape character.
This commit is contained in:
long-agent
2026-04-18 13:06:44 +08:00
parent b6f330fe7d
commit 32a3d4c9e0
2 changed files with 8 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
internal/repository/operation_log.go
View File

@@ -101,9 +101,12 @@ func (r *OperationLogRepository) DeleteOlderThan(ctx context.Context, days int)
func (r *OperationLogRepository) Search(ctx context.Context, keyword string, offset, limit int) ([]*domain.OperationLog, int64, error) {
var logs []*domain.OperationLog
var total int64
// 转义 LIKE 特殊字符,防止搜索被意外干扰
escapedKeyword := escapeLikePattern(keyword)
pattern := "%" + escapedKeyword + "%"
query := r.db.WithContext(ctx).Model(&domain.OperationLog{}).
Where("operation_name LIKE ? OR request_path LIKE ? OR operation_type LIKE ?",
"%"+keyword+"%", "%"+keyword+"%", "%"+keyword+"%")
Where("operation_name LIKE ? ESCAPE '\\' OR request_path LIKE ? ESCAPE '\\' OR operation_type LIKE ? ESCAPE '\\'",
pattern, pattern, pattern)
if err := query.Count(&total).Error; err != nil {
return nil, 0, err
}