bug#30386: [PATCH v2 cuirass] database: Prevent SQL injection.
From: Ludovic Courtès
Subject: bug#30386: [PATCH v2 cuirass] database: Prevent SQL injection.
Date: Fri, 02 Mar 2018 13:59:06 +0100
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/25.3 (gnu/linux)
Danny Milosavljevic <address@hidden> wrote:
> + (stmt-text (format #f "\
> +SELECT Builds.id, Builds.timestamp, Builds.starttime, Builds.stoptime,
> Builds.log, Builds.status, Builds.derivation,\
> +Derivations.job_name, Derivations.system, Derivations.nix_name,\
> +Specifications.repo_name, Specifications.branch \
> +FROM Builds \
> +INNER JOIN Derivations ON Builds.derivation = Derivations.derivation AND
> Builds.evaluation = Derivations.evaluation \
> +INNER JOIN Evaluations ON Derivations.evaluation = Evaluations.id \
> +INNER JOIN Specifications ON Evaluations.specification =
> Specifications.repo_name \
> +WHERE (:id IS NULL OR (:id = Builds.id)) \
> +OR (:project IS NULL OR (:project = Specifications.repo_name)) \
> +OR (:jobset IS NULL OR (:jobset = Specifications.branch)) \
> +OR (:job IS NULL OR (:job = Derivations.job_name)) \
> +OR (:system IS NULL OR (:system = Derivations.system)) \
> +OR (:status IS NULL OR (:status = 'done' AND Builds.status >= 0) OR (:status
> = 'pending' AND Builds.status < 0)) \
> +ORDER BY ~a ~a LIMIT :nr;" order-column-name order))
> + (stmt (sqlite-prepare db stmt-text #:cache? #t)))
> + (sqlite-bind-args stmt #:id (assqx-ref filters 'id)
> + #:project (assqx-ref filters 'project)
> + #:jobset (assqx-ref filters 'jobset)
> + #:job (assqx-ref filters 'job)
> + #:system (assqx-ref filters 'system)
> + #:status (and=> (assqx-ref filters 'status)
> + object->string)
> + #:nr (match (assqx-ref filters 'nr)
> + (#f -1)
> + (x x)))
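Review bot: the filter groups in the WHERE clause are joined with OR, so as soon as any single filter is unset (its parameter bound to NULL) its `(:x IS NULL OR ...)` group evaluates to true and the whole WHERE clause matches every row; the per-filter groups should be combined with AND instead, e.g. `WHERE (:id IS NULL OR (:id = Builds.id)) \`, `AND (:project IS NULL OR (:project = Specifications.repo_name)) \`, `AND (:jobset IS NULL OR (:jobset = Specifications.branch)) \`, and likewise for the job, system and status groups. Binding the filter values with sqlite-bind-args is the right fix for the injection, but note that `ORDER BY ~a ~a` still splices order-column-name and order into the statement text with format, since identifiers and sort direction cannot be bound as parameters; the call site must therefore restrict both to a fixed allowlist of column names and ASC/DESC before they reach this format call, otherwise the injection is only moved rather than removed. Binding `#:nr` to -1 when no limit is requested relies on SQLite treating a negative LIMIT as "no limit", which is worth a short comment next to the match clause.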
This was pushed as 1bab5c4e56eb1849edc2cf0b23d433aeb2cac421, closing
this issue now.
Thank you!
Ludo’.