Escape the values to contains operator in dao packages (#13774)

fixes #13018

Signed-off-by: Daniel Jiang <jiangd@vmware.com>
Daniel Jiang 2020-12-16 14:19:20 +08:00 committed by GitHub
parent 488d802a2b
commit 3b04d2f8f5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 6 additions and 3 deletions


@ -71,7 +71,7 @@ func getLabelQuerySetter(query *models.LabelQuery) orm.QuerySeter {
qs := GetOrmer().QueryTable(&models.Label{}) qs := GetOrmer().QueryTable(&models.Label{})
if len(query.Name) > 0 { if len(query.Name) > 0 {
if query.FuzzyMatchName { if query.FuzzyMatchName {
qs = qs.Filter("Name__icontains", query.Name) qs = qs.Filter("Name__icontains", Escape(query.Name))
} else { } else {
qs = qs.Filter("Name", query.Name) qs = qs.Filter("Name", query.Name)
} }
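Review bot: The commit adds no regression test for the escaping. The six additions are all accounted for by the four code hunks, so the `Escape(query.Name)` call on the `Name__icontains` filter is unpinned. A DAO test that stores labels with and without a literal `%` or `_` in the name and asserts the fuzzy query returns only the literal match would guard it; the same applies to the `queryByColumn` and `GetPolicies` changes. `Escape` is defined off this page, so a short comment at the call site would help, for example `// escape LIKE wildcards so the user-supplied name is matched literally`, assuming that is what it does. The body of `getLabelQuerySetter` continues outside the hunk.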


@ -143,7 +143,7 @@ func snakeCase(str string) string {
func queryByColumn(qs orm.QuerySeter, key string, value interface{}) orm.QuerySeter { func queryByColumn(qs orm.QuerySeter, key string, value interface{}) orm.QuerySeter {
// fuzzy match // fuzzy match
if f, ok := value.(*q.FuzzyMatchValue); ok { if f, ok := value.(*q.FuzzyMatchValue); ok {
return qs.Filter(key+"__icontains", f.Value) return qs.Filter(key+"__icontains", Escape(f.Value))
} }
// range // range


@ -106,6 +106,9 @@ func ListRegistrations(query *q.Query) ([]*Registration, error) {
qt = qt.Filter(kk, v) qt = qt.Filter(kk, v)
continue continue
} }
if s, ok := v.(string); ok {
v = liborm.Escape(s)
}
qt = qt.Filter(fmt.Sprintf("%s__icontains", k), v) qt = qt.Filter(fmt.Sprintf("%s__icontains", k), v)
} }
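Review bot: Only values that assert to `string` are escaped before the `__icontains` filter, so any other type held in `v` still reaches `qt.Filter` unchanged, whereas `queryByColumn` escapes `f.Value` unconditionally. If non-string values are never expected on this path, say so next to the assertion, for example `// non-string values are passed through unescaped; only strings can carry LIKE wildcards`, or reject them explicitly. The commit also reaches the helper through three spellings (`Escape`, `liborm.Escape`, `common_dao.Escape`). If these are separate implementations rather than one shared function, they need to stay in sync or one should delegate to the other. The enclosing loop in `ListRegistrations` starts and ends outside the hunk.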


@ -41,7 +41,7 @@ func GetPolicies(queries ...*model.PolicyQuery) (int64, []*models.RepPolicy, err
query := queries[0] query := queries[0]
if len(query.Name) != 0 { if len(query.Name) != 0 {
qs = qs.Filter("Name__icontains", query.Name) qs = qs.Filter("Name__icontains", common_dao.Escape(query.Name))
} }
if len(query.Namespace) != 0 { if len(query.Namespace) != 0 {
// TODO: Namespace filter not implemented yet // TODO: Namespace filter not implemented yet