fix: resolve code scanning findings in commands and wizard

Add bounds check (0 to MaxUint32) before casting strconv.Atoi result
to uint32 in the rights command handler. Replace manual allowlist
validation with pq.QuoteIdentifier for CREATE DATABASE to eliminate
the SQL injection finding.
This commit is contained in:
Houmgaor
2026-02-27 13:45:56 +01:00
parent 7e24bbc087
commit 7f5d30e2f5
2 changed files with 4 additions and 9 deletions


@@ -258,7 +258,7 @@ func parseChatCommand(s *Session, command string) {
if commands["Rights"].Enabled || s.isOp() {
if len(args) > 1 {
v, err := strconv.Atoi(args[1])
if err != nil {
if err != nil || v < 0 || v > math.MaxUint32 {
sendServerChatMessage(s, fmt.Sprintf(s.server.i18n.commands.rights.error, commands["Rights"].Prefix))
return
}
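Review bot: The new guard `v > math.MaxUint32` compares an `int` with an untyped constant that does not fit a 32-bit int, so this line fails to compile on 32-bit targets (`constant 4294967295 overflows int`); the range check only works where `int` is 64 bits wide. Parsing with a width-limited unsigned parser gives the same check portably and removes the need for `math`: `v, err := strconv.ParseUint(args[1], 10, 32)` followed by the original `if err != nil {`, with the later conversion described in the commit message becoming `uint32(v)`. The hunk does not show `math` being added to this file's import block, so if it was not already imported the build breaks — worth confirming. The enclosing parseChatCommand body continues outside the hunk.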


@@ -6,6 +6,8 @@ import (
"fmt"
"net"
"os"
"github.com/lib/pq"
)
// clientModes returns all supported client version strings.
@@ -150,14 +152,7 @@ func createDatabase(host string, port int, user, password, dbName string) error
}
defer func() { _ = db.Close() }()
// Database names can't be parameterized; validate it's alphanumeric + underscores.
for _, c := range dbName {
if (c < 'a' || c > 'z') && (c < 'A' || c > 'Z') && (c < '0' || c > '9') && c != '_' {
return fmt.Errorf("invalid database name %q: only alphanumeric characters and underscores allowed", dbName)
}
}
_, err = db.Exec(fmt.Sprintf("CREATE DATABASE %s", dbName))
_, err = db.Exec("CREATE DATABASE " + pq.QuoteIdentifier(dbName))
if err != nil {
return fmt.Errorf("creating database: %w", err)
}
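Review bot: Dropping the allowlist changes the identifier's semantics, not only its escaping: an unquoted name is case-folded by PostgreSQL, whereas the quoted form produced by pq.QuoteIdentifier is case-sensitive, so a dbName containing uppercase letters now creates a differently named database than before, and QuoteIdentifier silently truncates the name at a NUL byte. The Exec line is now safe against injection, but it deserves a comment in place of the removed one, e.g. `// Database names can't be bound as parameters; QuoteIdentifier escapes the name as a single, case-sensitive identifier.` If callers (not visible here) later connect using the same dbName, confirm the case-sensitivity change is intended; rejecting an empty name or one containing a NUL byte before the Exec would give a clearer error than the server's. createDatabase starts before this hunk, and its body continues after it.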