Mirror/Erupe
1
0
Fork 0
mirror of https://github.com/Mezeporta/Erupe.git synced 2026-03-22 15:43:49 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: resolve code scanning findings in commands and wizard

Browse Source 
Add bounds check (0 to MaxUint32) before casting strconv.Atoi result
to uint32 in the rights command handler. Replace manual allowlist
validation with pq.QuoteIdentifier for CREATE DATABASE to eliminate
the SQL injection finding.
This commit is contained in:
Houmgaor
2026-02-27 13:45:56 +01:00
parent 7e24bbc087
commit 7f5d30e2f5
2 changed files with 4 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
server/setup/wizard.go
View File

@@ -6,6 +6,8 @@ import (
"fmt"
"net"
"os"
"github.com/lib/pq"
)
// clientModes returns all supported client version strings.
@@ -150,14 +152,7 @@ func createDatabase(host string, port int, user, password, dbName string) error
}
defer func() { _ = db.Close() }()
// Database names can't be parameterized; validate it's alphanumeric + underscores.
for _, c := range dbName {
if (c < 'a' || c > 'z') && (c < 'A' || c > 'Z') && (c < '0' || c > '9') && c != '_' {
return fmt.Errorf("invalid database name %q: only alphanumeric characters and underscores allowed", dbName)
}
}
_, err = db.Exec(fmt.Sprintf("CREATE DATABASE %s", dbName))
_, err = db.Exec("CREATE DATABASE " + pq.QuoteIdentifier(dbName))
if err != nil {
return fmt.Errorf("creating database: %w", err)
}