From: ludo@gnu.org (Ludovic Courtès)
To: Danny Milosavljevic <dannym@scratchpost.org>
Cc: 30386-done@debbugs.gnu.org
Subject: bug#30386: [PATCH v2 cuirass] database: Prevent SQL injection.
Date: Fri, 02 Mar 2018 13:59:06 +0100 [thread overview]
Message-ID: <87a7vqhbvp.fsf@gnu.org> (raw)
In-Reply-To: <20180208163432.9468-1-dannym@scratchpost.org> (Danny Milosavljevic's message of "Thu, 8 Feb 2018 17:34:32 +0100")
Danny Milosavljevic <dannym@scratchpost.org> skribis:
> + (stmt-text (format #f "\
> +SELECT Builds.id, Builds.timestamp, Builds.starttime, Builds.stoptime, Builds.log, Builds.status, Builds.derivation,\
> +Derivations.job_name, Derivations.system, Derivations.nix_name,\
> +Specifications.repo_name, Specifications.branch \
> +FROM Builds \
> +INNER JOIN Derivations ON Builds.derivation = Derivations.derivation AND Builds.evaluation = Derivations.evaluation \
> +INNER JOIN Evaluations ON Derivations.evaluation = Evaluations.id \
> +INNER JOIN Specifications ON Evaluations.specification = Specifications.repo_name \
> +WHERE (:id IS NULL OR (:id = Builds.id)) \
> +OR (:project IS NULL OR (:project = Specifications.repo_name)) \
> +OR (:jobset IS NULL OR (:jobset = Specifications.branch)) \
> +OR (:job IS NULL OR (:job = Derivations.job_name)) \
> +OR (:system IS NULL OR (:system = Derivations.system)) \
> +OR (:status IS NULL OR (:status = 'done' AND Builds.status >= 0) OR (:status = 'pending' AND Builds.status < 0)) \
> +ORDER BY ~a ~a LIMIT :nr;" order-column-name order))
> + (stmt (sqlite-prepare db stmt-text #:cache? #t)))
> + (sqlite-bind-args stmt #:id (assqx-ref filters 'id)
> + #:project (assqx-ref filters 'project)
> + #:jobset (assqx-ref filters 'jobset)
> + #:job (assqx-ref filters 'job)
> + #:system (assqx-ref filters 'system)
> + #:status (and=> (assqx-ref filters 'status)
> + object->string)
> + #:nr (match (assqx-ref filters 'nr)
> + (#f -1)
> + (x x)))
This was pushed as 1bab5c4e56eb1849edc2cf0b23d433aeb2cac421, closing
this issue now.
Thank you!
Ludo’.
prev parent reply other threads:[~2018-03-02 13:00 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-07 23:12 [bug#30386] [PATCH cuirass] database: Prevent SQL injection Danny Milosavljevic
2018-02-08 16:34 ` [bug#30386] [PATCH v2 " Danny Milosavljevic
2018-02-09 9:51 ` Ludovic Courtès
2018-02-09 11:16 ` Danny Milosavljevic
2018-02-09 16:05 ` Ludovic Courtès
2018-02-09 16:45 ` Danny Milosavljevic
2018-03-02 12:59 ` Ludovic Courtès [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87a7vqhbvp.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=30386-done@debbugs.gnu.org \
--cc=dannym@scratchpost.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.