github/overleaf
1
0
Fork 0
mirror of https://github.com/overleaf/overleaf.git synced 2025-04-08 10:13:21 +00:00
Code Issues Projects Releases Packages Wiki Activity

Fix SQL injection.

Browse source
This commit is contained in:
Winston Li 2015-02-23 11:00:34 +00:00
parent 4561409450
commit 77c4576b59
2 changed files with 5 additions and 4 deletions
services/git-bridge/src
main/java/uk/ac/ic/wlgitbridge/writelatex/model/db/sql/update/delete
DeleteFilesForProjectSQLUpdate.java
test/java/uk/ac/ic/wlgitbridge/writelatex/model/db/sql/update/delete
DeleteFilesForProjectSQLUpdateTest.java

7
services/git-bridge/src/main/java/uk/ac/ic/wlgitbridge/writelatex/model/db/sql/update/delete/DeleteFilesForProjectSQLUpdate.java
View file

@ -25,9 +25,7 @@ public class DeleteFilesForProjectSQLUpdate implements SQLUpdate {
public String getSQL() {
StringBuilder sb = new StringBuilder(DELETE_URL_INDEXES_FOR_PROJECT_NAME);
for (int i = 0; i < paths.length; i++) {
sb.append('\'');
sb.append(paths[i]);
sb.append('\'');
sb.append("?");
if (i < paths.length - 1) {
sb.append(", ");
}
@ -39,6 +37,9 @@ public class DeleteFilesForProjectSQLUpdate implements SQLUpdate {
@Override
public void addParametersToStatement(PreparedStatement statement) throws SQLException {
statement.setString(1, projectName);
for (int i = 0; i < paths.length; i++) {
statement.setString(i + 2, paths[i]);
}
}
}

2
services/git-bridge/src/test/java/uk/ac/ic/wlgitbridge/writelatex/model/db/sql/update/delete/DeleteFilesForProjectSQLUpdateTest.java
View file

@ -8,7 +8,7 @@ public class DeleteFilesForProjectSQLUpdateTest {
@Test
public void testGetSQL() {
DeleteFilesForProjectSQLUpdate update = new DeleteFilesForProjectSQLUpdate("projname", "path1", "path2");
assertEquals("DELETE FROM `url_index_store` WHERE `project_name` = ? AND path IN ('path1', 'path2');\n", update.getSQL());
assertEquals("DELETE FROM `url_index_store` WHERE `project_name` = ? AND path IN (?, ?);\n", update.getSQL());
}
}