mirror of
https://github.com/bitechdev/ResolveSpec.git
synced 2026-05-15 16:25:20 +00:00
fix(funcspec): remove AllowQueryParamFilters and related logic
Some checks failed
Build , Vet Test, and Lint / Run Vet Tests (1.24.x) (push) Successful in -26m44s
Build , Vet Test, and Lint / Run Vet Tests (1.23.x) (push) Successful in -26m26s
Build , Vet Test, and Lint / Build (push) Successful in -34m6s
Build , Vet Test, and Lint / Lint Code (push) Successful in -32m6s
Tests / Integration Tests (push) Failing after -34m50s
Tests / Unit Tests (push) Successful in -30m42s
Some checks failed
Build , Vet Test, and Lint / Run Vet Tests (1.24.x) (push) Successful in -26m44s
Build , Vet Test, and Lint / Run Vet Tests (1.23.x) (push) Successful in -26m26s
Build , Vet Test, and Lint / Build (push) Successful in -34m6s
Build , Vet Test, and Lint / Lint Code (push) Successful in -32m6s
Tests / Integration Tests (push) Failing after -34m50s
Tests / Unit Tests (push) Successful in -30m42s
* Simplify SqlQueryOptions by removing AllowQueryParamFilters * Update mergeQueryParams to avoid applying filters for JSON arguments * Add tests for sqlStripStringLiterals and query param handling
This commit is contained in:
Hein
@@ -28,18 +28,16 @@ type Handler struct {
|
||||
}
|
||||
|
||||
type SqlQueryOptions struct {
|
||||
NoCount bool
|
||||
BlankParams bool
|
||||
AllowFilter bool
|
||||
AllowQueryParamFilters bool
|
||||
NoCount bool
|
||||
BlankParams bool
|
||||
AllowFilter bool
|
||||
}
|
||||
|
||||
func NewSqlQueryOptions() SqlQueryOptions {
|
||||
return SqlQueryOptions{
|
||||
NoCount: false,
|
||||
BlankParams: true,
|
||||
AllowFilter: true,
|
||||
AllowQueryParamFilters: false,
|
||||
NoCount: false,
|
||||
BlankParams: true,
|
||||
AllowFilter: true,
|
||||
}
|
||||
}
|
||||
|
||||
@@ -140,11 +138,6 @@ func (h *Handler) SqlQueryList(sqlquery string, options SqlQueryOptions) HTTPFun
|
||||
// Merge query string parameters
|
||||
sqlquery = h.mergeQueryParams(r, sqlquery, variables, options.AllowFilter, propQry)
|
||||
|
||||
// Apply p_-prefixed query params as field filters
|
||||
if options.AllowQueryParamFilters {
|
||||
sqlquery = h.applyQueryParamFilters(r, sqlquery)
|
||||
}
|
||||
|
||||
// Merge header parameters
|
||||
sqlquery = h.mergeHeaderParams(r, sqlquery, variables, propQry, &complexAPI)
|
||||
|
||||
@@ -488,11 +481,6 @@ func (h *Handler) SqlQuery(sqlquery string, options SqlQueryOptions) HTTPFuncTyp
|
||||
// Merge query string parameters
|
||||
sqlquery = h.mergeQueryParams(r, sqlquery, variables, false, propQry)
|
||||
|
||||
// Apply p_-prefixed query params as field filters
|
||||
if options.AllowQueryParamFilters {
|
||||
sqlquery = h.applyQueryParamFilters(r, sqlquery)
|
||||
}
|
||||
|
||||
// Merge header parameters
|
||||
sqlquery = h.mergeHeaderParams(r, sqlquery, variables, propQry, &complexAPI)
|
||||
hookCtx.ComplexAPI = complexAPI
|
||||
@@ -741,8 +729,9 @@ func (h *Handler) mergeQueryParams(r *http.Request, sqlquery string, variables m
|
||||
propQry[parmk] = val
|
||||
}
|
||||
|
||||
// Apply filters if allowed
|
||||
if allowFilter && len(parmk) > 1 && strings.Contains(strings.ToLower(sqlquery), strings.ToLower(parmk)) {
|
||||
// Apply filters if allowed — check against string-literal-stripped SQL to avoid
|
||||
// matching column names that only appear inside quoted arguments (e.g. JSON strings)
|
||||
if allowFilter && len(parmk) > 1 && strings.Contains(strings.ToLower(sqlStripStringLiterals(sqlquery)), strings.ToLower(parmk)) {
|
||||
if len(parmv) > 1 {
|
||||
// Sanitize each value in the IN clause with appropriate quoting
|
||||
sanitizedValues := make([]string, len(parmv))
|
||||
@@ -858,35 +847,6 @@ func sqlStripStringLiterals(sql string) string {
|
||||
return re.ReplaceAllString(sql, "''")
|
||||
}
|
||||
|
||||
// applyQueryParamFilters applies query parameters as SQL field filters when the param name
|
||||
// appears as a structural identifier in the SQL (not inside a string literal).
|
||||
// e.g. ?rid_parent=0 → (rid_parent = 0 OR rid_parent IS NULL)
|
||||
func (h *Handler) applyQueryParamFilters(r *http.Request, sqlquery string) string {
|
||||
sqlStructure := strings.ToLower(sqlStripStringLiterals(sqlquery))
|
||||
for parmk, parmv := range r.URL.Query() {
|
||||
if len(parmv) == 0 || !strings.Contains(sqlStructure, strings.ToLower(parmk)) {
|
||||
continue
|
||||
}
|
||||
val := parmv[0]
|
||||
dec, err := restheadspec.DecodeParam(val)
|
||||
if err == nil {
|
||||
val = dec
|
||||
}
|
||||
col := ValidSQL(parmk, "colname")
|
||||
switch {
|
||||
case val == "0":
|
||||
sqlquery = sqlQryWhere(sqlquery, fmt.Sprintf("(%[1]s = 0 OR %[1]s IS NULL)", col))
|
||||
case val == "":
|
||||
sqlquery = sqlQryWhere(sqlquery, fmt.Sprintf("(%[1]s = '' OR %[1]s IS NULL)", col))
|
||||
case IsNumeric(val):
|
||||
sqlquery = sqlQryWhere(sqlquery, fmt.Sprintf("%s = %s", col, ValidSQL(val, "colvalue")))
|
||||
default:
|
||||
sqlquery = sqlQryWhere(sqlquery, fmt.Sprintf("%s = '%s'", col, ValidSQL(val, "colvalue")))
|
||||
}
|
||||
}
|
||||
return sqlquery
|
||||
}
|
||||
|
||||
// replaceMetaVariables replaces meta variables like [rid_user], [user], etc. in the SQL query
|
||||
func (h *Handler) replaceMetaVariables(sqlquery string, r *http.Request, userCtx *security.UserContext, metainfo map[string]interface{}, variables map[string]interface{}) string {
|
||||
if strings.Contains(sqlquery, "[p_meta_default]") {
|
||||
|
||||
Reference in New Issue
Block a user