防止注入参数

2024-11-14 13:24:47 +08:00
parent e41c20471b
commit 8c34739ccd
1 changed files with 4 additions and 2 deletions
--- a/api/graphql.go
+++ b/api/graphql.go
@@ -529,10 +529,12 @@ func NewSchema(config Config) (graphql.Schema, error) {
 					).As("row_num"))
 				}

-				// 如果没有外部排序则使用指定排序
+				// 如果没有外部排序则使用指定排序(正则sort只能是字母数字下划下)
 				if p.Args["text"] == nil && p.Args["similar"] == nil {
+					sort := regexp.MustCompile(`[^a-zA-Z0-9_]`).ReplaceAllString(p.Args["sort"].(string), "")
+					order := regexp.MustCompile(`[^a-zA-Z0-9_]`).ReplaceAllString(p.Args["order"].(string), "")
 					query = query.Select("web_images.id", goqu.L(
-						fmt.Sprintf("ROW_NUMBER() OVER(ORDER BY web_images.%s %s)", p.Args["sort"], p.Args["order"]),
+						fmt.Sprintf("ROW_NUMBER() OVER(ORDER BY web_images.%s %s)", sort, order),
 					).As("row_num"))
 				}