fix: P0-01 prevent LIKE injection in operation_log and device repos
- operation_log.go Search(): add escapeLikePattern + ESCAPE clause
- device.go ListAllCursor(): add escapeLikePattern + ESCAPE clause

The ESCAPE clause is required for SQLite to properly interpret backslash as an escape character.
@@ -275,8 +275,9 @@ func (r *DeviceRepository) ListAllCursor(ctx context.Context, params *ListDevice
query = query.Where("is_trusted = ?", *params.IsTrusted)
|
query = query.Where("is_trusted = ?", *params.IsTrusted)
|
||||||
}
|
}
|
||||||
if params.Keyword != "" {
|
if params.Keyword != "" {
|
||||||
search := "%" + params.Keyword + "%"
|
escapedKeyword := escapeLikePattern(params.Keyword)
|
||||||
query = query.Where("device_name LIKE ? OR ip LIKE ? OR location LIKE ?", search, search, search)
|
pattern := "%" + escapedKeyword + "%"
|
||||||
|
query = query.Where("device_name LIKE ? ESCAPE '\\' OR ip LIKE ? ESCAPE '\\' OR location LIKE ? ESCAPE '\\'", pattern, pattern, pattern)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Apply cursor condition for keyset navigation
|
// Apply cursor condition for keyset navigation
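Review bot: Whether the new `ESCAPE '\\'` clause on the `query.Where` line actually neutralises `%` and `_` depends entirely on escapeLikePattern escaping the backslash itself before the two wildcards, and that helper is not in this hunk, so the fix cannot be verified from the diff alone; a unit test that searches for a keyword containing `%`, `_` and `\` against a row that contains them literally would pin it down. The same `"%" + escapeLikePattern(x) + "%"` plus the triple `LIKE ? ESCAPE '\\'` clause is repeated in Search() in operation_log.go, so a small shared helper such as `func likeContains(s string) string { return "%" + escapeLikePattern(s) + "%" }` would keep both call sites in sync. The commit message scopes the ESCAPE literal to SQLite; if a MySQL dialect were ever configured through the same GORM connection, the `'\'` literal would be parsed differently by default, which is worth a one-line comment at the clause. ListAllCursor starts and ends outside the hunk.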
|
||||||
@@ -101,9 +101,12 @@ func (r *OperationLogRepository) DeleteOlderThan(ctx context.Context, days int)
func (r *OperationLogRepository) Search(ctx context.Context, keyword string, offset, limit int) ([]*domain.OperationLog, int64, error) {
|
func (r *OperationLogRepository) Search(ctx context.Context, keyword string, offset, limit int) ([]*domain.OperationLog, int64, error) {
|
||||||
var logs []*domain.OperationLog
|
var logs []*domain.OperationLog
|
||||||
var total int64
|
var total int64
|
||||||
|
// 转义 LIKE 特殊字符,防止搜索被意外干扰
|
||||||
|
escapedKeyword := escapeLikePattern(keyword)
|
||||||
|
pattern := "%" + escapedKeyword + "%"
|
||||||
query := r.db.WithContext(ctx).Model(&domain.OperationLog{}).
|
query := r.db.WithContext(ctx).Model(&domain.OperationLog{}).
|
||||||
Where("operation_name LIKE ? OR request_path LIKE ? OR operation_type LIKE ?",
|
Where("operation_name LIKE ? ESCAPE '\\' OR request_path LIKE ? ESCAPE '\\' OR operation_type LIKE ? ESCAPE '\\'",
|
||||||
"%"+keyword+"%", "%"+keyword+"%", "%"+keyword+"%")
|
pattern, pattern, pattern)
|
||||||
if err := query.Count(&total).Error; err != nil {
|
if err := query.Count(&total).Error; err != nil {
|
||||||
return nil, 0, err
|
return nil, 0, err
|
||||||
}
|
}
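Review bot: The new comment above `escapedKeyword := escapeLikePattern(keyword)` is the only non-English comment in the two touched files shown here; for consistency with the rest of the code I would replace it with `// Escape LIKE wildcards so the keyword is matched literally (paired with ESCAPE '\\' below)`. The two intermediate locals can also be collapsed to a single `pattern := "%" + escapeLikePattern(keyword) + "%"`, matching the shape used in ListAllCursor in device.go. Unlike ListAllCursor, Search has no empty-keyword guard, so `""` still becomes `%%` and matches every row after this change — pre-existing, but worth either documenting on the function or rejecting before the query is built. Search's body continues outside the hunk.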
|