From 88e8ea8a6ab5bf0a49b76a6ea43a304e4c122b33 Mon Sep 17 00:00:00 2001
From: deepakrai9185720
Date: Fri, 4 Nov 2022 11:52:03 +0530
Subject: [PATCH 1/5] Changed query to accept user input in prepared sql statement
---
 warehouse/warehouse.go | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/warehouse/warehouse.go b/warehouse/warehouse.go
index 79cba136e1..7a08ce7511 100644
--- a/warehouse/warehouse.go
+++ b/warehouse/warehouse.go
@@ -1807,16 +1807,19 @@ func getPendingStagingFileCount(sourceOrDestId string, isSourceId bool) (fileCou
 FROM
 %[1]s
 WHERE
- %[1]s.%[3]s = '%[2]s';
+ %[1]s.%[2]s = $1;
 `,
 warehouseutils.WarehouseUploadsTable,
- sourceOrDestId,
 sourceOrDestColumn,
 )
-
- err = dbHandle.QueryRow(sqlStatement).Scan(&lastStagingFileIDRes)
+ preparedSqlStatement, err := dbHandle.Prepare(sqlStatement)
+ if err != nil {
+ err = fmt.Errorf("query: %s preparation failed with Error: %w", strings.ReplaceAll(sqlStatement, "$1", sourceOrDestId), err)
+ return
+ }
+ err = preparedSqlStatement.QueryRow(sourceOrDestId).Scan(&lastStagingFileIDRes)
 if err != nil && err != sql.ErrNoRows {
- err = fmt.Errorf("query: %s failed with Error : %w", sqlStatement, err)
+ err = fmt.Errorf("query: %s run failed with Error : %w", sqlStatement, err)
 return
 }
 lastStagingFileID := int64(0)
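Review bot: The *sql.Stmt returned by `dbHandle.Prepare(sqlStatement)` is never closed, so every call to getPendingStagingFileCount leaks a server-side prepared statement; the second Prepare in the next hunk (@@ -1831) has the same gap and the second assignment simply overwrites the first handle. Add `defer preparedSqlStatement.Close()` immediately after the preparation error check, or skip the explicit Prepare and bind directly with `err = dbHandle.QueryRow(sqlStatement, sourceOrDestId).Scan(&lastStagingFileIDRes)`, which is what PATCH 2/5 in this series ends up doing. The preparation error message also splices the raw sourceOrDestId back into the logged query text via `strings.ReplaceAll(sqlStatement, "$1", sourceOrDestId)`, putting the unvalidated input into log output unescaped even though the $1 placeholder keeps it out of the SQL; report it as a separate quoted field instead, e.g. `err = fmt.Errorf("query: %s (arg %q) preparation failed with Error: %w", sqlStatement, sourceOrDestId, err)`. The function body starts before this hunk and continues after it.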
@@ -1831,17 +1834,20 @@ func getPendingStagingFileCount(sourceOrDestId string, isSourceId bool) (fileCou
 %[1]s
 WHERE
 %[1]s.id > %[2]v
- AND %[1]s.%[4]s = '%[3]s';
+ AND %[1]s.%[3]s = $1;
 `,
 warehouseutils.WarehouseStagingFilesTable,
 lastStagingFileID,
- sourceOrDestId,
 sourceOrDestColumn,
 )
-
- err = dbHandle.QueryRow(sqlStatement).Scan(&fileCount)
+ preparedSqlStatement, err = dbHandle.Prepare(sqlStatement)
+ if err != nil {
+ err = fmt.Errorf("query: %s preparation failed with Error: %w", strings.ReplaceAll(sqlStatement, "$1", sourceOrDestId), err)
+ return
+ }
+ err = preparedSqlStatement.QueryRow(sourceOrDestId).Scan(&fileCount)
 if err != nil && err != sql.ErrNoRows {
- err = fmt.Errorf("query: %s failed with Error : %w", sqlStatement, err)
+ err = fmt.Errorf("query: %s run failed with Error : %w", sqlStatement, err)
 return
 }
From 4aa8c2dc14855778f1790aa9e758d5a6861f37dc Mon Sep 17 00:00:00 2001
From: deepakrai9185720
Date: Fri, 4 Nov 2022 15:07:42 +0530
Subject: [PATCH 2/5] Changed query to accept user input in parameterized query
---
 warehouse/warehouse.go | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)
diff --git a/warehouse/warehouse.go b/warehouse/warehouse.go
index 7a08ce7511..de5aba2c68 100644
--- a/warehouse/warehouse.go
+++ b/warehouse/warehouse.go
@@ -1812,12 +1812,7 @@ func getPendingStagingFileCount(sourceOrDestId string, isSourceId bool) (fileCou
 warehouseutils.WarehouseUploadsTable,
 sourceOrDestColumn,
 )
- preparedSqlStatement, err := dbHandle.Prepare(sqlStatement)
- if err != nil {
- err = fmt.Errorf("query: %s preparation failed with Error: %w", strings.ReplaceAll(sqlStatement, "$1", sourceOrDestId), err)
- return
- }
- err = preparedSqlStatement.QueryRow(sourceOrDestId).Scan(&lastStagingFileIDRes)
+ err = dbHandle.QueryRow(sqlStatement, sourceOrDestId).Scan(&lastStagingFileIDRes)
 if err != nil && err != sql.ErrNoRows {
 err = fmt.Errorf("query: %s run failed with Error : %w", sqlStatement, err)
 return
@@ -1840,12 +1835,7 @@ func getPendingStagingFileCount(sourceOrDestId string, isSourceId bool) (fileCou
 lastStagingFileID,
 sourceOrDestColumn,
 )
- preparedSqlStatement, err = dbHandle.Prepare(sqlStatement)
- if err != nil {
- err = fmt.Errorf("query: %s preparation failed with Error: %w", strings.ReplaceAll(sqlStatement, "$1", sourceOrDestId), err)
- return
- }
- err = preparedSqlStatement.QueryRow(sourceOrDestId).Scan(&fileCount)
+ err = dbHandle.QueryRow(sourceOrDestId, sourceOrDestId).Scan(&fileCount)
 if err != nil && err != sql.ErrNoRows {
 err = fmt.Errorf("query: %s run failed with Error : %w", sqlStatement, err)
 return
From 058eab4a61f85b28c7f203ede54a1371bda8f3e5 Mon Sep 17 00:00:00 2001
From: deepakrai9185720
Date: Fri, 4 Nov 2022 15:32:58 +0530
Subject: [PATCH 3/5] Changed query to accept user input in parameterized query
---
 warehouse/warehouse.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/warehouse/warehouse.go b/warehouse/warehouse.go
index de5aba2c68..dabe8f84a1 100644
--- a/warehouse/warehouse.go
+++ b/warehouse/warehouse.go
@@ -1807,7 +1807,7 @@ func getPendingStagingFileCount(sourceOrDestId string, isSourceId bool) (fileCou
 FROM
 %[1]s
 WHERE
- %[1]s.%[2]s = $1;
+ %[2]s = $1;
 `,
 warehouseutils.WarehouseUploadsTable,
 sourceOrDestColumn,
@@ -1828,8 +1828,8 @@ func getPendingStagingFileCount(sourceOrDestId string, isSourceId bool) (fileCou
 FROM
 %[1]s
 WHERE
- %[1]s.id > %[2]v
- AND %[1]s.%[3]s = $1;
+ id > %[2]v
+ AND %[3]s = $1;
 `,
 warehouseutils.WarehouseStagingFilesTable,
 lastStagingFileID,
From 9ac505d12d22f7d22e3fe3ef7b7055b46bd15af7 Mon Sep 17 00:00:00 2001
From: deepakrai9185720
Date: Fri, 4 Nov 2022 15:54:48 +0530
Subject: [PATCH 4/5] Changed query to accept user input in parameterized query
---
 warehouse/warehouse.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/warehouse/warehouse.go b/warehouse/warehouse.go
index dabe8f84a1..d0e7271547 100644
--- a/warehouse/warehouse.go
+++ b/warehouse/warehouse.go
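Review bot: The rewritten call passes sourceOrDestId as both the query text and the bound argument — `dbHandle.QueryRow(sourceOrDestId, sourceOrDestId)` — so sqlStatement is never executed and the caller-supplied id is sent to the database as the SQL text itself; the first argument must be the statement, i.e. `err = dbHandle.QueryRow(sqlStatement, sourceOrDestId).Scan(&fileCount)`. The error message two lines below still reports sqlStatement, which would mislead anyone diagnosing the resulting syntax error, and `if err != nil && err != sql.ErrNoRows` would let a non-ErrNoRows failure surface only through that misleading text. PATCH 5/5 in this series corrects the argument order. The function body continues outside this hunk.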
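Review bot: In the second query (@@ -1828) `id > %[2]v` still splices lastStagingFileID into the SQL text through fmt while the neighbouring predicate is bound as $1; lastStagingFileID is declared as `int64(0)` in the earlier hunk, so this is not an injection path, but mixing interpolation and binding in one statement makes it easy for the next edit to interpolate a string the same way. Binding it as well — `id > $2` with `AND %[2]s = $1;`, dropping lastStagingFileID from the Sprintf arguments and passing it as the second QueryRow argument — keeps the whole statement parameterised; the QueryRow call that would take the extra argument lies outside this hunk. The function body starts before and ends after this hunk.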
@@ -1794,6 +1794,7 @@ func pendingEventsHandler(w http.ResponseWriter, r *http.Request) {
 }
 
 func getPendingStagingFileCount(sourceOrDestId string, isSourceId bool) (fileCount int64, err error) {
+ sourceOrDestId = pq.QuoteIdentifier(sourceOrDestId)
 sourceOrDestColumn := ""
 if isSourceId {
 sourceOrDestColumn = "source_id"
From 8bc8242ad90556404e42c31d7b45b37e24665cda Mon Sep 17 00:00:00 2001
From: deepakrai9185720
Date: Fri, 4 Nov 2022 17:40:27 +0530
Subject: [PATCH 5/5] Changed query to accept user input in parameterized query
---
 warehouse/warehouse.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/warehouse/warehouse.go b/warehouse/warehouse.go
index d0e7271547..3395403e81 100644
--- a/warehouse/warehouse.go
+++ b/warehouse/warehouse.go
@@ -1836,7 +1836,7 @@ func getPendingStagingFileCount(sourceOrDestId string, isSourceId bool) (fileCou
 lastStagingFileID,
 sourceOrDestColumn,
 )
- err = dbHandle.QueryRow(sourceOrDestId, sourceOrDestId).Scan(&fileCount)
+ err = dbHandle.QueryRow(sqlStatement, sourceOrDestId).Scan(&fileCount)
 if err != nil && err != sql.ErrNoRows {
 err = fmt.Errorf("query: %s run failed with Error : %w", sqlStatement, err)
 return
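Review bot: `sourceOrDestId = pq.QuoteIdentifier(sourceOrDestId)` wraps the value in double quotes as if it were an SQL identifier, but sourceOrDestId is bound as the $1 value parameter in both queries further down, so the comparison is made against a string that literally contains the quote characters and will not equal any stored source_id (or the destination column's) value — the function will report zero pending files for every caller. Parameter binding already keeps the input out of the SQL text, so the added line should be removed outright; if the id's format needs enforcing, validate it and return an error rather than rewriting the value. PATCH 5/5 restores the correct QueryRow argument order but still binds the quoted string, so the mismatch survives the whole series. The added line is the first statement of getPendingStagingFileCount, whose body continues outside this hunk.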