Fix SQL injection vulnerability in a tag query
32
src/tags.rs
32
src/tags.rs
@@ -503,16 +503,13 @@ impl TagDao for SqliteTagDao {
|
|||||||
) -> anyhow::Result<Vec<FileWithTagCount>> {
|
) -> anyhow::Result<Vec<FileWithTagCount>> {
|
||||||
trace_db_call(&context, "query", "get_files_with_any_tags", |_| {
|
trace_db_call(&context, "query", "get_files_with_any_tags", |_| {
|
||||||
use diesel::dsl::*;
|
use diesel::dsl::*;
|
||||||
|
// Create the placeholders for the IN clauses
|
||||||
let tag_ids_str = tag_ids
|
let tag_placeholders = std::iter::repeat("?")
|
||||||
.iter()
|
.take(tag_ids.len())
|
||||||
.map(|id| id.to_string())
|
|
||||||
.collect::<Vec<_>>()
|
.collect::<Vec<_>>()
|
||||||
.join(",");
|
.join(",");
|
||||||
|
let exclude_placeholders = std::iter::repeat("?")
|
||||||
let exclude_tag_ids_str = exclude_tag_ids
|
.take(exclude_tag_ids.len())
|
||||||
.iter()
|
|
||||||
.map(|id| id.to_string())
|
|
||||||
.collect::<Vec<_>>()
|
.collect::<Vec<_>>()
|
||||||
.join(",");
|
.join(",");
|
||||||
|
|
||||||
@@ -534,12 +531,21 @@ WITH filtered_photos AS (
|
|||||||
FROM filtered_photos fp
|
FROM filtered_photos fp
|
||||||
JOIN tagged_photo tp2 ON fp.photo_name = tp2.photo_name
|
JOIN tagged_photo tp2 ON fp.photo_name = tp2.photo_name
|
||||||
GROUP BY fp.photo_name"#,
|
GROUP BY fp.photo_name"#,
|
||||||
tag_ids_str, exclude_tag_ids_str
|
tag_placeholders, exclude_placeholders
|
||||||
));
|
))
|
||||||
|
.into_boxed();
|
||||||
|
|
||||||
// Execute the query:
|
// Bind all parameters
|
||||||
let results = query.load::<FileWithTagCount>(&mut self.connection)?;
|
let query = tag_ids
|
||||||
Ok(results)
|
.into_iter()
|
||||||
|
.fold(query, |q, id| q.bind::<Integer, _>(id));
|
||||||
|
let query = exclude_tag_ids
|
||||||
|
.into_iter()
|
||||||
|
.fold(query, |q, id| q.bind::<Integer, _>(id));
|
||||||
|
|
||||||
|
query
|
||||||
|
.load::<FileWithTagCount>(&mut self.connection)
|
||||||
|
.with_context(|| "Unable to get tagged photos")
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
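Review bot: The two `fold` calls bind one parameter per id, so the statement now carries `tag_ids.len() + exclude_tag_ids.len()` bound variables, and SQLite enforces a per-statement limit on bound parameters (SQLITE_MAX_VARIABLE_NUMBER, whose value depends on the SQLite build); a long tag list that the old string-interpolated query accepted would, I believe, now fail at prepare time, so either document that ceiling on the method or chunk the ids before building the query. The binds are also purely positional, which is only correct while the `{}` for `tag_placeholders` precedes the one for `exclude_placeholders` in the SQL template, and that template starts above this hunk; a comment at the first fold would protect that invariant, e.g. `// Bind order must match placeholder order in the SQL above: tag_ids first, then exclude_tag_ids.` Minor: `.with_context(|| "Unable to get tagged photos")` wraps a static string in a closure, where `.context("Unable to get tagged photos")` expresses the same thing. The enclosing method begins before this hunk.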
|
|||||||
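--- a/src/video.rs
+++ b/src/video.rs
@@ -255,9 +255,13 @@ impl Handler<GeneratePlaylistMessage> for PlaylistGenerator {
 "Waited for {:?} before starting ffmpeg",
 wait_start.elapsed()
 );
-span.add_event("Waited for FFMPEG semaphore", vec![
-KeyValue::new("wait_time", wait_start.elapsed().as_secs_f64())
-]);
+span.add_event(
+"Waited for FFMPEG semaphore",
+vec![KeyValue::new(
+"wait_time",
+wait_start.elapsed().as_secs_f64(),
+)],
+);
 
 if Path::new(&playlist_file).exists() {
 debug!("Playlist already exists: {}", playlist_file);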