Merge pull request #14220 from wy65701436/fix-codeql-quota

fix quota dao sql injection
2021-02-10 10:34:54 +08:00 · 2021-02-10 10:34:54 +08:00 · 51c8375425
parent 76c493b67d 496a178eb3
commit 51c8375425
1 changed files with 2 additions and 1 deletions
--- a/src/pkg/quota/dao/util.go
+++ b/src/pkg/quota/dao/util.go
@ -17,6 +17,7 @@ package dao
 import (
 	"encoding/json"
 	"fmt"
+	"github.com/lib/pq"
 	"strings"

 	"github.com/goharbor/harbor/src/lib/orm"
@ -104,7 +105,7 @@ func listOrderBy(query *q.Query) string {
 				if strings.HasPrefix(sort, prefix) {
 					resource := strings.TrimPrefix(sort, prefix)
 					if types.IsValidResource(types.ResourceName(resource)) {
-						field := fmt.Sprintf("%s->>'%s'", strings.TrimSuffix(prefix, "."), resource)
+						field := fmt.Sprintf("%s->>%s", strings.TrimSuffix(prefix, "."), pq.QuoteLiteral(resource))
 						orderBy = fmt.Sprintf("(%s) %s", castQuantity(field), order)
 						break
 					}