fix quota dao sql injection

Signed-off-by: Wang Yan <wangyan@vmware.com>
2024-11-22 18:25:56 +01:00 · 2021-02-09 17:42:29 +08:00 · 2021-02-09 17:42:29 +08:00 · 496a178eb3
commit 496a178eb3
parent 21d35f9702
1 changed files with 2 additions and 1 deletions
--- a/src/pkg/quota/dao/util.go
+++ b/src/pkg/quota/dao/util.go
@ -17,6 +17,7 @@ package dao
 import (
 	"encoding/json"
 	"fmt"
+	"github.com/lib/pq"
 	"strings"

 	"github.com/goharbor/harbor/src/lib/orm"
@ -104,7 +105,7 @@ func listOrderBy(query *q.Query) string {
 				if strings.HasPrefix(sort, prefix) {
 					resource := strings.TrimPrefix(sort, prefix)
 					if types.IsValidResource(types.ResourceName(resource)) {
-						field := fmt.Sprintf("%s->>'%s'", strings.TrimSuffix(prefix, "."), resource)
+						field := fmt.Sprintf("%s->>%s", strings.TrimSuffix(prefix, "."), pq.QuoteLiteral(resource))
 						orderBy = fmt.Sprintf("(%s) %s", castQuantity(field), order)
 						break
 					}