From dc9b1a1d6a0fe7ad2e18597cb46f3874736b4b40 Mon Sep 17 00:00:00 2001
From: Jonathan
Date: Wed, 4 Oct 2017 15:54:42 -0400
Subject: Parameterized post ids to avoid possible sql injection (#7575)

---
 store/sqlstore/post_store.go | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

(limited to 'store/sqlstore/post_store.go')

diff --git a/store/sqlstore/post_store.go b/store/sqlstore/post_store.go
index fb82dd724..b3e0bdbb0 100644
--- a/store/sqlstore/post_store.go
+++ b/store/sqlstore/post_store.go
@@ -10,6 +10,7 @@ import (
 	"strconv"
 	"strings"
 
+	"bytes"
 	l4g "github.com/alecthomas/log4go"
 	"github.com/mattermost/mattermost-server/einterfaces"
 	"github.com/mattermost/mattermost-server/model"
@@ -1297,12 +1298,22 @@ func (s SqlPostStore) GetPostsByIds(postIds []string) store.StoreChannel {
 	go func() {
 		result := store.StoreResult{}
 
-		inClause := `'` + strings.Join(postIds, `', '`) + `'`
+		keys := bytes.Buffer{}
+		params := make(map[string]interface{})
+		for i, postId := range postIds {
+			if keys.Len() > 0 {
+				keys.WriteString(",")
+			}
+
+			key := "Post" + strconv.Itoa(i)
+			keys.WriteString(":" + key)
+			params[key] = postId
+		}
 
-		query := `SELECT * FROM Posts WHERE Id in (` + inClause + `) and DeleteAt = 0 ORDER BY CreateAt DESC`
+		query := `SELECT * FROM Posts WHERE Id in (` + keys.String() + `) and DeleteAt = 0 ORDER BY CreateAt DESC`
 
 		var posts []*model.Post
-		_, err := s.GetReplica().Select(&posts, query, map[string]interface{}{})
+		_, err := s.GetReplica().Select(&posts, query, params)
 
 		if err != nil {
 			l4g.Error(err)
-- cgit v1.2.3-1-g7c22
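Review bot: An empty `postIds` slice now produces `WHERE Id in ()`, which is a syntax error on MySQL and PostgreSQL, whereas the removed string-built form degraded to `Id in ('')` and simply returned no rows, so callers that previously got an empty result will now hit the `err != nil` branch and a logged error. Add a guard before the loop that builds the placeholders, e.g. `if len(postIds) == 0 { result.Data = []*model.Post{}; /* send result and return */ }`, using whatever send/close convention the rest of the goroutine follows (the function's body continues outside the hunk, so the exact return path is not visible here). The parameterization itself is the right fix; one hedged caveat is that each id now becomes a bound parameter, so a very large list could run into the driver's or database's placeholder limit where the old concatenated query did not, which is worth a comment on the loop if callers can pass unbounded lists.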