From 7f5d30e2f5a0ed2d05b5c62fe1d37c6d90980bc7 Mon Sep 17 00:00:00 2001
From: Houmgaor
Date: Fri, 27 Feb 2026 13:45:56 +0100
Subject: [PATCH] fix: resolve code scanning findings in commands and wizard

Add bounds check (0 to MaxUint32) before casting strconv.Atoi result to uint32 in the rights command handler. Replace manual allowlist validation with pq.QuoteIdentifier for CREATE DATABASE to eliminate the SQL injection finding.
---
 server/channelserver/handlers_commands.go | 2 +-
 server/setup/wizard.go | 11 +++--------
 2 files changed, 4 insertions(+), 9 deletions(-)

diff --git a/server/channelserver/handlers_commands.go b/server/channelserver/handlers_commands.go
index 2dda089ba..611541547 100644
--- a/server/channelserver/handlers_commands.go
+++ b/server/channelserver/handlers_commands.go
@@ -258,7 +258,7 @@ func parseChatCommand(s *Session, command string) {
 if commands["Rights"].Enabled || s.isOp() {
 if len(args) > 1 {
 v, err := strconv.Atoi(args[1])
- if err != nil {
+ if err != nil || v < 0 || v > math.MaxUint32 {
 sendServerChatMessage(s, fmt.Sprintf(s.server.i18n.commands.rights.error, commands["Rights"].Prefix))
 return
 }
diff --git a/server/setup/wizard.go b/server/setup/wizard.go
index ca05771bc..e6410a5a5 100644
--- a/server/setup/wizard.go
+++ b/server/setup/wizard.go
@@ -6,6 +6,8 @@ import (
 "fmt"
 "net"
 "os"
+
+ "github.com/lib/pq"
 )
 
 // clientModes returns all supported client version strings.
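Review bot: The new bound `v > math.MaxUint32` compares an `int` with an untyped constant that does not fit a 32-bit `int`, so if the project is ever built for GOARCH=386 or arm this line fails with a constant-overflow compile error; the diffstat also shows only a one-line change in handlers_commands.go, so it relies on `math` already being imported there, which the hunk cannot confirm. A portable form that needs no `math` at all is to let strconv enforce the range: `v, err := strconv.ParseUint(args[1], 10, 32)` with the original `if err != nil {` left as it was, which rejects negatives and anything above MaxUint32 in one step and makes the `uint32(v)` conversion the commit message refers to lossless. If `v` must stay an `int` for other uses, `uint64(v) > math.MaxUint32` after the `v < 0` test avoids the overflow. parseChatCommand's body continues outside the hunk.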
@@ -150,14 +152,7 @@ func createDatabase(host string, port int, user, password, dbName string) error
 }
 defer func() { _ = db.Close() }()
 
- // Database names can't be parameterized; validate it's alphanumeric + underscores.
- for _, c := range dbName {
- if (c < 'a' || c > 'z') && (c < 'A' || c > 'Z') && (c < '0' || c > '9') && c != '_' {
- return fmt.Errorf("invalid database name %q: only alphanumeric characters and underscores allowed", dbName)
- }
- }
-
- _, err = db.Exec(fmt.Sprintf("CREATE DATABASE %s", dbName))
+ _, err = db.Exec("CREATE DATABASE " + pq.QuoteIdentifier(dbName))
 if err != nil {
 return fmt.Errorf("creating database: %w", err)
 }
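Review bot: The new `db.Exec` line removes the only explanation of why the database name is concatenated into the statement instead of bound; keep a one-line why-comment above it such as `// Database names cannot be bound as query parameters; QuoteIdentifier emits dbName as a double-quoted identifier.` Quoting also changes behaviour for mixed-case input: the old unquoted `CREATE DATABASE MyDb` was folded to `mydb` by PostgreSQL, while the quoted form now creates `MyDb` case-preserved, which is what a later `dbname=MyDb` connection expects but is worth stating in the wizard's documentation. PostgreSQL silently truncates identifiers longer than 63 bytes with the default build settings, so an explicit `if len(dbName) == 0 || len(dbName) > 63 { return fmt.Errorf("invalid database name %q", dbName) }` before the Exec gives a clearer failure than a truncated name or a server-side rejection of `""`. createDatabase begins before this hunk.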