From 496a178eb31d9f942eb01895124575a6dc715786 Mon Sep 17 00:00:00 2001
From: Wang Yan
Date: Tue, 9 Feb 2021 17:42:29 +0800
Subject: [PATCH] fix quota dao sql injection

Signed-off-by: Wang Yan
---
 src/pkg/quota/dao/util.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/pkg/quota/dao/util.go b/src/pkg/quota/dao/util.go
index 561582e33..129660367 100644
--- a/src/pkg/quota/dao/util.go
+++ b/src/pkg/quota/dao/util.go
@@ -17,6 +17,7 @@ package dao
 import (
 	"encoding/json"
 	"fmt"
+	"github.com/lib/pq"
 	"strings"
 
 	"github.com/goharbor/harbor/src/lib/orm"
@@ -104,7 +105,7 @@ func listOrderBy(query *q.Query) string {
 		if strings.HasPrefix(sort, prefix) {
 			resource := strings.TrimPrefix(sort, prefix)
 			if types.IsValidResource(types.ResourceName(resource)) {
-				field := fmt.Sprintf("%s->>'%s'", strings.TrimSuffix(prefix, "."), resource)
+				field := fmt.Sprintf("%s->>%s", strings.TrimSuffix(prefix, "."), pq.QuoteLiteral(resource))
 				orderBy = fmt.Sprintf("(%s) %s", castQuantity(field), order)
 				break
 			}
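Review bot: The new `"github.com/lib/pq"` line is placed inside the standard-library import group, between `"fmt"` and `"strings"`, whereas the file already keeps third-party packages in a separate group below (the `github.com/goharbor/harbor/...` imports); goimports will move it there on the next formatting pass, so this hunk will be reshuffled again. Putting it in the second group now keeps the file gofmt/goimports-stable. Importing the postgres driver package into the dao package for a quoting helper looks acceptable here since the `->>` operator in the next hunk already ties this query to PostgreSQL, but that coupling is worth a one-line comment on the import if the package is meant to stay driver-neutral.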
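Review bot: The quoting on the rewritten `field := ...` line is a second line of defence rather than the primary gate — `resource` only reaches this Sprintf after `types.IsValidResource` accepts it, and the other two values spliced into the same ORDER BY clause, `prefix` (trimmed into the column name) and `order`, are still interpolated unquoted; they are safe only if they are fixed constants, which cannot be confirmed from this hunk because listOrderBy starts outside it. That invariant should be recorded next to the fix, e.g. `// resource is whitelisted by IsValidResource above; QuoteLiteral keeps the JSON key a literal even if that check ever changes`. A small regression test for listOrderBy that passes a sort value containing a single quote and asserts the returned clause contains no unquoted `'` (using a placeholder resource name) would pin the behaviour the commit message claims.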