Merge pull request #1100 from ywk253100/161116_sql_wildcard

Escapse % and _ in sql
2024-09-30 06:18:02 +02:00 · 2016-11-18 13:17:49 +08:00 · 2016-11-18 13:17:49 +08:00 · 64b3c7f261
commit 64b3c7f261
parent fcdb212cb0 a64891103d
10 changed files with 21 additions and 14 deletions
--- a/src/common/dao/accesslog.go
+++ b/src/common/dao/accesslog.go
@ -55,7 +55,7 @@ func GetTotalOfAccessLogs(query models.AccessLog) (int64, error) {
 			left join user u 
 			on al.user_id = u.user_id 
 			where al.project_id = ? and u.username like ? `
-		queryParam = append(queryParam, "%"+query.Username+"%")
+		queryParam = append(queryParam, "%"+escape(query.Username)+"%")
 	}

 	sql += genFilterClauses(query, &queryParam)
@ -82,7 +82,7 @@ func GetAccessLogs(query models.AccessLog, limit, offset int64) ([]models.Access

 	if query.Username != "" {
 		sql += ` and u.username like ? `
-		queryParam = append(queryParam, "%"+query.Username+"%")
+		queryParam = append(queryParam, "%"+escape(query.Username)+"%")
 	}

 	sql += genFilterClauses(query, &queryParam)
--- a/src/common/dao/base.go
+++ b/src/common/dao/base.go
@ -17,6 +17,7 @@ package dao

 import (
 	"fmt"
+	"strings"
 	"sync"

 	"github.com/astaxie/beego/orm"
@ -77,3 +78,9 @@ func GetOrmer() orm.Ormer {
 func paginateForRawSQL(sql string, limit, offset int64) string {
 	return fmt.Sprintf("%s limit %d offset %d", sql, limit, offset)
 }
+
+func escape(str string) string {
+	str = strings.Replace(str, `%`, `\%`, -1)
+	str = strings.Replace(str, `_`, `\_`, -1)
+	return str
+}
--- a/src/common/dao/dao_test.go
+++ b/src/common/dao/dao_test.go
@ -705,7 +705,7 @@ func TestGetProjectById(t *testing.T) {
 func TestGetUserByProject(t *testing.T) {
 	pid := currentProject.ProjectID
 	u1 := models.User{
-		Username: "%%Tester%%",
+		Username: "Tester",
 	}
 	u2 := models.User{
 		Username: "nononono",
--- a/src/common/dao/project.go
+++ b/src/common/dao/project.go
@ -195,7 +195,7 @@ func GetTotalOfUserRelevantProjects(userID int, projectName string) (int64, erro
 	queryParam = append(queryParam, userID)
 	if projectName != "" {
 		sql += " and p.name like ? "
-		queryParam = append(queryParam, "%"+projectName+"%")
+		queryParam = append(queryParam, "%"+escape(projectName)+"%")
 	}

 	var total int64
@ -254,7 +254,7 @@ func getProjects(userID int, name string, args ...int64) ([]models.Project, erro

 	if name != "" {
 		sql += ` and p.name like ? `
-		queryParam = append(queryParam, "%"+name+"%")
+		queryParam = append(queryParam, "%"+escape(name)+"%")
 	}

 	switch len(args) {
--- a/src/common/dao/projectmember.go
+++ b/src/common/dao/projectmember.go
@ -71,7 +71,7 @@ func GetUserByProject(projectID int64, queryUser models.User) ([]models.User, er

 	if queryUser.Username != "" {
 		sql += " and u.username like ? "
-		queryParam = append(queryParam, queryUser.Username)
+		queryParam = append(queryParam, "%"+escape(queryUser.Username)+"%")
 	}
 	sql += ` order by u.user_id `
 	_, err := o.Raw(sql, queryParam).QueryRows(&u)
--- a/src/common/dao/replication_job.go
+++ b/src/common/dao/replication_job.go
@ -90,7 +90,7 @@ func FilterRepTargets(name string) ([]*models.RepTarget, error) {
 	sql := `select * from replication_target `
 	if len(name) != 0 {
 		sql += `where name like ? `
-		args = append(args, "%"+name+"%")
+		args = append(args, "%"+escape(name)+"%")
 	}
 	sql += `order by creation_time`

@ -166,11 +166,11 @@ func FilterRepPolicies(name string, projectID int64) ([]*models.RepPolicy, error

 	if len(name) != 0 && projectID != 0 {
 		sql += `and rp.name like ? and rp.project_id = ? `
-		args = append(args, "%"+name+"%")
+		args = append(args, "%"+escape(name)+"%")
 		args = append(args, projectID)
 	} else if len(name) != 0 {
 		sql += `and rp.name like ? `
-		args = append(args, "%"+name+"%")
+		args = append(args, "%"+escape(name)+"%")
 	} else if projectID != 0 {
 		sql += `and rp.project_id = ? `
 		args = append(args, projectID)
--- a/src/common/dao/repository.go
+++ b/src/common/dao/repository.go
@ -138,7 +138,7 @@ func GetTotalOfPublicRepositories(name string) (int64, error) {
 		on r.project_id = p.project_id and p.public = 1 `
 	if len(name) != 0 {
 		sql += ` where r.name like ?`
-		params = append(params, "%"+name+"%")
+		params = append(params, "%"+escape(name)+"%")
 	}

 	var total int64
@ -162,7 +162,7 @@ func GetTotalOfUserRelevantRepositories(userID int, name string) (int64, error)
 	params = append(params, userID)
 	if len(name) != 0 {
 		sql += ` where r.name like ?`
-		params = append(params, "%"+name+"%")
+		params = append(params, "%"+escape(name)+"%")
 	}

 	var total int64
--- a/src/common/dao/user.go
+++ b/src/common/dao/user.go
@ -101,7 +101,7 @@ func ListUsers(query models.User) ([]models.User, error) {
 	queryParam := make([]interface{}, 1)
 	if query.Username != "" {
 		sql += ` and username like ? `
-		queryParam = append(queryParam, query.Username)
+		queryParam = append(queryParam, "%"+escape(query.Username)+"%")
 	}
 	sql += ` order by user_id desc `

--- a/src/ui/api/member.go
+++ b/src/ui/api/member.go
@ -85,7 +85,7 @@ func (pma *ProjectMemberAPI) Get() {
 	}
 	if pma.memberID == 0 { //member id not set return list of the members
 		username := pma.GetString("username")
-		queryUser := models.User{Username: "%" + username + "%"}
+		queryUser := models.User{Username: username}
 		userList, err := dao.GetUserByProject(pid, queryUser)
 		if err != nil {
 			log.Errorf("Failed to query database for member list, error: %v", err)
--- a/src/ui/api/user.go
+++ b/src/ui/api/user.go
@ -102,7 +102,7 @@ func (ua *UserAPI) Get() {
 		username := ua.GetString("username")
 		userQuery := models.User{}
 		if len(username) > 0 {
-			userQuery.Username = "%" + username + "%"
+			userQuery.Username = username
 		}
 		userList, err := dao.ListUsers(userQuery)
 		if err != nil {