wdevs/ResolveSpec
5
0
Fork 0
mirror of https://github.com/bitechdev/ResolveSpec.git synced 2026-04-05 15:36:15 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix(sql_helpers): ensure case-insensitive matching for allowed prefixes

Browse Source
This commit is contained in:
Hein
2026-03-25 10:57:42 +02:00
parent 22a4ab345a
commit f10bb0827e
1 changed files with 6 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
pkg/common/sql_helpers.go
View File

@@ -168,16 +168,17 @@ func SanitizeWhereClause(where string, tableName string, options ...*RequestOpti
} }
// Build a set of allowed table prefixes (main table + preloaded relations) // Build a set of allowed table prefixes (main table + preloaded relations)
// Keys are stored lowercase for case-insensitive matching
allowedPrefixes := make(map[string]bool) allowedPrefixes := make(map[string]bool)
if tableName != "" { if tableName != "" {
allowedPrefixes[tableName] = true allowedPrefixes[strings.ToLower(tableName)] = true
} }
// Add preload relation names as allowed prefixes // Add preload relation names as allowed prefixes
if len(options) > 0 && options[0] != nil { if len(options) > 0 && options[0] != nil {
for pi := range options[0].Preload { for pi := range options[0].Preload {
if options[0].Preload[pi].Relation != "" { if options[0].Preload[pi].Relation != "" {
allowedPrefixes[options[0].Preload[pi].Relation] = true allowedPrefixes[strings.ToLower(options[0].Preload[pi].Relation)] = true
logger.Debug("Added preload relation '%s' as allowed table prefix", options[0].Preload[pi].Relation) logger.Debug("Added preload relation '%s' as allowed table prefix", options[0].Preload[pi].Relation)
} }
} }
@@ -185,7 +186,7 @@ func SanitizeWhereClause(where string, tableName string, options ...*RequestOpti
// Add join aliases as allowed prefixes // Add join aliases as allowed prefixes
for _, alias := range options[0].JoinAliases { for _, alias := range options[0].JoinAliases {
if alias != "" { if alias != "" {
allowedPrefixes[alias] = true allowedPrefixes[strings.ToLower(alias)] = true
logger.Debug("Added join alias '%s' as allowed table prefix", alias) logger.Debug("Added join alias '%s' as allowed table prefix", alias)
} }
} }
@@ -217,8 +218,8 @@ func SanitizeWhereClause(where string, tableName string, options ...*RequestOpti
currentPrefix, columnName := extractTableAndColumn(condToCheck) currentPrefix, columnName := extractTableAndColumn(condToCheck)
if currentPrefix != "" && columnName != "" { if currentPrefix != "" && columnName != "" {
// Check if the prefix is allowed (main table or preload relation) // Check if the prefix is allowed (main table or preload relation) - case-insensitive
if !allowedPrefixes[currentPrefix] { if !allowedPrefixes[strings.ToLower(currentPrefix)] {
// Prefix is not in the allowed list - only fix if it's a valid column in the main table // Prefix is not in the allowed list - only fix if it's a valid column in the main table
if validColumns == nil || isValidColumn(columnName, validColumns) { if validColumns == nil || isValidColumn(columnName, validColumns) {
// Replace the incorrect prefix with the correct main table name // Replace the incorrect prefix with the correct main table name