Made the issue stats query more secure with parameterized placeholders (#2895)

release/v1.15
Thomas Boerger 2016-04-26 06:07:49 +02:00 committed by Unknwon
parent 7049cb9d97
commit dfad51fe9e
2 changed files with 88 additions and 65 deletions


@ -547,7 +547,7 @@ func Issues(opts *IssuesOptions) ([]*Issue, error) {
} }
labelIDs := base.StringsToInt64s(strings.Split(opts.Labels, ",")) labelIDs := base.StringsToInt64s(strings.Split(opts.Labels, ","))
if len(labelIDs) > 1 { if opts.Labels != "" && len(labelIDs) > 0 {
sess.Join("INNER", "issue_label", "issue.id = issue_label.issue_id").In("issue_label.label_id", labelIDs) sess.Join("INNER", "issue_label", "issue.id = issue_label.issue_id").In("issue_label.label_id", labelIDs)
} }
@ -769,7 +769,7 @@ func parseCountResult(results []map[string][]byte) int64 {
type IssueStatsOptions struct { type IssueStatsOptions struct {
RepoID int64 RepoID int64
UserID int64 UserID int64
LabelID int64 Labels string
MilestoneID int64 MilestoneID int64
AssigneeID int64 AssigneeID int64
FilterMode int FilterMode int
@ -780,41 +780,58 @@ type IssueStatsOptions struct {
func GetIssueStats(opts *IssueStatsOptions) *IssueStats { func GetIssueStats(opts *IssueStatsOptions) *IssueStats {
stats := &IssueStats{} stats := &IssueStats{}
queryStr := "SELECT COUNT(*) FROM `issue` " countSession := func(opts *IssueStatsOptions) *xorm.Session {
if opts.LabelID > 0 { sess := x.Where("issue.repo_id = ?", opts.RepoID).And("issue.is_pull = ?", opts.IsPull)
queryStr += "INNER JOIN `issue_label` ON `issue`.id=`issue_label`.issue_id AND `issue_label`.label_id=" + com.ToStr(opts.LabelID)
labelIDs := base.StringsToInt64s(strings.Split(opts.Labels, ","))
if opts.Labels != "" && len(labelIDs) > 0 {
sess.Join("INNER", "issue_label", "issue.id = issue_label.issue_id").In("issue_label.label_id", labelIDs)
} }
baseCond := " WHERE issue.repo_id=" + com.ToStr(opts.RepoID) + " AND issue.is_closed=?"
if opts.MilestoneID > 0 { if opts.MilestoneID > 0 {
baseCond += " AND issue.milestone_id=" + com.ToStr(opts.MilestoneID) sess.And("issue.milestone_id = ?", opts.MilestoneID)
} }
if opts.AssigneeID > 0 { if opts.AssigneeID > 0 {
baseCond += " AND assignee_id=" + com.ToStr(opts.AssigneeID) sess.And("assignee_id = ?", opts.AssigneeID)
}
return sess
} }
baseCond += " AND issue.is_pull=?"
switch opts.FilterMode { switch opts.FilterMode {
case FM_ALL, FM_ASSIGN: case FM_ALL, FM_ASSIGN:
results, _ := x.Query(queryStr+baseCond, false, opts.IsPull) stats.OpenCount, _ = countSession(opts).
stats.OpenCount = parseCountResult(results) And("issue.is_closed = ?", false).
results, _ = x.Query(queryStr+baseCond, true, opts.IsPull) Count(&Issue{})
stats.ClosedCount = parseCountResult(results)
stats.ClosedCount, _ = countSession(opts).
And("issue.is_closed = ?", true).
Count(&Issue{})
case FM_CREATE: case FM_CREATE:
baseCond += " AND poster_id=?" stats.OpenCount, _ = countSession(opts).
results, _ := x.Query(queryStr+baseCond, false, opts.IsPull, opts.UserID) And("poster_id = ?", opts.UserID).
stats.OpenCount = parseCountResult(results) And("issue.is_closed = ?", false).
results, _ = x.Query(queryStr+baseCond, true, opts.IsPull, opts.UserID) Count(&Issue{})
stats.ClosedCount = parseCountResult(results)
stats.ClosedCount, _ = countSession(opts).
And("poster_id = ?", opts.UserID).
And("issue.is_closed = ?", true).
Count(&Issue{})
case FM_MENTION: case FM_MENTION:
queryStr += " INNER JOIN `issue_user` ON `issue`.id=`issue_user`.issue_id" stats.OpenCount, _ = countSession(opts).
baseCond += " AND `issue_user`.uid=? AND `issue_user`.is_mentioned=?" Join("INNER", "issue_user", "issue.id = issue_user.issue_id").
results, _ := x.Query(queryStr+baseCond, false, opts.IsPull, opts.UserID, true) And("issue_user.uid = ?", opts.UserID).
stats.OpenCount = parseCountResult(results) And("issue_user.is_mentioned = ?", true).
results, _ = x.Query(queryStr+baseCond, true, opts.IsPull, opts.UserID, true) And("issue.is_closed = ?", false).
stats.ClosedCount = parseCountResult(results) Count(&Issue{})
stats.ClosedCount, _ = countSession(opts).
Join("INNER", "issue_user", "issue.id = issue_user.issue_id").
And("issue_user.uid = ?", opts.UserID).
And("issue_user.is_mentioned = ?", true).
And("issue.is_closed = ?", true).
Count(&Issue{})
} }
return stats return stats
} }
@ -823,64 +840,70 @@ func GetIssueStats(opts *IssueStatsOptions) *IssueStats {
func GetUserIssueStats(repoID, uid int64, repoIDs []int64, filterMode int, isPull bool) *IssueStats { func GetUserIssueStats(repoID, uid int64, repoIDs []int64, filterMode int, isPull bool) *IssueStats {
stats := &IssueStats{} stats := &IssueStats{}
queryStr := "SELECT COUNT(*) FROM `issue` " countSession := func(isClosed, isPull bool, repoID int64, repoIDs []int64) *xorm.Session {
baseCond := " WHERE issue.is_closed=?" sess := x.Where("issue.is_closed = ?", isClosed).And("issue.is_pull = ?", isPull)
if repoID > 0 || len(repoIDs) == 0 { if repoID > 0 || len(repoIDs) == 0 {
baseCond += " AND issue.repo_id=" + com.ToStr(repoID) sess.And("issue.repo_id = ?", repoID)
} else { } else {
baseCond += " AND issue.repo_id IN (" + strings.Join(base.Int64sToStrings(repoIDs), ",") + ")" sess.In("issue.repo_id", repoIDs)
} }
if isPull { return sess
baseCond += " AND issue.is_pull=1"
} else {
baseCond += " AND issue.is_pull=0"
} }
results, _ := x.Query(queryStr+baseCond+" AND assignee_id=?", false, uid) stats.AssignCount, _ = countSession(false, isPull, repoID, repoIDs).
stats.AssignCount = parseCountResult(results) And("assignee_id = ?", uid).
results, _ = x.Query(queryStr+baseCond+" AND poster_id=?", false, uid) Count(&Issue{})
stats.CreateCount = parseCountResult(results)
stats.CreateCount, _ = countSession(false, isPull, repoID, repoIDs).
And("assignee_id = ?", uid).
Count(&Issue{})
openCountSession := countSession(false, isPull, repoID, repoIDs)
closedCountSession := countSession(true, isPull, repoID, repoIDs)
switch filterMode { switch filterMode {
case FM_ASSIGN: case FM_ASSIGN:
baseCond += " AND assignee_id=" + com.ToStr(uid) openCountSession.And("assignee_id = ?", uid)
closedCountSession.And("assignee_id = ?", uid)
case FM_CREATE: case FM_CREATE:
baseCond += " AND poster_id=" + com.ToStr(uid) openCountSession.And("poster_id = ?", uid)
closedCountSession.And("poster_id = ?", uid)
} }
results, _ = x.Query(queryStr+baseCond, false) stats.OpenCount, _ = openCountSession.Count(&Issue{})
stats.OpenCount = parseCountResult(results) stats.ClosedCount, _ = closedCountSession.Count(&Issue{})
results, _ = x.Query(queryStr+baseCond, true)
stats.ClosedCount = parseCountResult(results)
return stats return stats
} }
// GetRepoIssueStats returns number of open and closed repository issues by given filter mode. // GetRepoIssueStats returns number of open and closed repository issues by given filter mode.
func GetRepoIssueStats(repoID, uid int64, filterMode int, isPull bool) (numOpen int64, numClosed int64) { func GetRepoIssueStats(repoID, uid int64, filterMode int, isPull bool) (numOpen int64, numClosed int64) {
queryStr := "SELECT COUNT(*) FROM `issue` " countSession := func(isClosed, isPull bool, repoID int64) *xorm.Session {
baseCond := " WHERE issue.repo_id=? AND issue.is_closed=?" sess := x.Where("issue.repo_id = ?", isClosed).
And("issue.is_pull = ?", isPull).
And("issue.repo_id = ?", repoID)
if isPull { return sess
baseCond += " AND issue.is_pull=1"
} else {
baseCond += " AND issue.is_pull=0"
} }
openCountSession := countSession(false, isPull, repoID)
closedCountSession := countSession(true, isPull, repoID)
switch filterMode { switch filterMode {
case FM_ASSIGN: case FM_ASSIGN:
baseCond += " AND assignee_id=" + com.ToStr(uid) openCountSession.And("assignee_id = ?", uid)
closedCountSession.And("assignee_id = ?", uid)
case FM_CREATE: case FM_CREATE:
baseCond += " AND poster_id=" + com.ToStr(uid) openCountSession.And("poster_id = ?", uid)
closedCountSession.And("poster_id = ?", uid)
} }
results, _ := x.Query(queryStr+baseCond, repoID, false) openResult, _ := openCountSession.Count(&Issue{})
numOpen = parseCountResult(results) closedResult, _ := closedCountSession.Count(&Issue{})
results, _ = x.Query(queryStr+baseCond, repoID, true)
numClosed = parseCountResult(results) return openResult, closedResult
return numOpen, numClosed
} }
func updateIssue(e Engine, issue *Issue) error { func updateIssue(e Engine, issue *Issue) error {
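Review bot: The new countSession in GetRepoIssueStats binds isClosed to the wrong column — `x.Where("issue.repo_id = ?", isClosed)` — and never applies issue.is_closed, so the "open" and "closed" sessions differ only in comparing repo_id against false/true and both counts are wrong for any real repository; the first line should read `sess := x.Where("issue.is_closed = ?", isClosed).` with the later `And("issue.repo_id = ?", repoID)` kept. In GetUserIssueStats, in the same hunk, the CreateCount session filters on `And("assignee_id = ?", uid).` where the removed query used poster_id, so CreateCount now duplicates AssignCount; it should be `And("poster_id = ?", uid).`. The Count errors are still discarded with `_` as the old Query calls were, which hides a failed query behind a zero count; a logged error, or at least a comment saying the zero is deliberate best-effort, would make that visible.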


@ -146,7 +146,7 @@ func Issues(ctx *context.Context) {
issueStats := models.GetIssueStats(&models.IssueStatsOptions{ issueStats := models.GetIssueStats(&models.IssueStatsOptions{
RepoID: repo.ID, RepoID: repo.ID,
UserID: uid, UserID: uid,
LabelID: com.StrTo(selectLabels).MustInt64(), Labels: selectLabels,
MilestoneID: milestoneID, MilestoneID: milestoneID,
AssigneeID: assigneeID, AssigneeID: assigneeID,
FilterMode: filterMode, FilterMode: filterMode,