Mirror/Erupe
1
0
Fork 0
mirror of https://github.com/Mezeporta/Erupe.git synced 2026-03-21 23:22:34 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: resolve code scanning findings in commands and wizard

Browse Source 
Add bounds check (0 to MaxUint32) before casting strconv.Atoi result
to uint32 in the rights command handler. Replace manual allowlist
validation with pq.QuoteIdentifier for CREATE DATABASE to eliminate
the SQL injection finding.
This commit is contained in:
Houmgaor
2026-02-27 13:45:56 +01:00
parent 7e24bbc087
commit 7f5d30e2f5
2 changed files with 4 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
server/channelserver/handlers_commands.go
View File

@@ -258,7 +258,7 @@ func parseChatCommand(s *Session, command string) {
if commands["Rights"].Enabled || s.isOp() {
if len(args) > 1 {
v, err := strconv.Atoi(args[1])
if err != nil {
if err != nil || v < 0 || v > math.MaxUint32 {
sendServerChatMessage(s, fmt.Sprintf(s.server.i18n.commands.rights.error, commands["Rights"].Prefix))
return
}