Fix SQL injection vulnerability in a tag query
This commit is contained in:
Cameron
64
src/tags.rs
64
src/tags.rs
@@ -503,43 +503,49 @@ impl TagDao for SqliteTagDao {
|
|||||||
) -> anyhow::Result<Vec<FileWithTagCount>> {
|
) -> anyhow::Result<Vec<FileWithTagCount>> {
|
||||||
trace_db_call(&context, "query", "get_files_with_any_tags", |_| {
|
trace_db_call(&context, "query", "get_files_with_any_tags", |_| {
|
||||||
use diesel::dsl::*;
|
use diesel::dsl::*;
|
||||||
|
// Create the placeholders for the IN clauses
|
||||||
let tag_ids_str = tag_ids
|
let tag_placeholders = std::iter::repeat("?")
|
||||||
.iter()
|
.take(tag_ids.len())
|
||||||
.map(|id| id.to_string())
|
|
||||||
.collect::<Vec<_>>()
|
.collect::<Vec<_>>()
|
||||||
.join(",");
|
.join(",");
|
||||||
|
let exclude_placeholders = std::iter::repeat("?")
|
||||||
let exclude_tag_ids_str = exclude_tag_ids
|
.take(exclude_tag_ids.len())
|
||||||
.iter()
|
|
||||||
.map(|id| id.to_string())
|
|
||||||
.collect::<Vec<_>>()
|
.collect::<Vec<_>>()
|
||||||
.join(",");
|
.join(",");
|
||||||
|
|
||||||
let query = sql_query(format!(
|
let query = sql_query(format!(
|
||||||
r#"
|
r#"
|
||||||
WITH filtered_photos AS (
|
WITH filtered_photos AS (
|
||||||
SELECT DISTINCT photo_name
|
SELECT DISTINCT photo_name
|
||||||
FROM tagged_photo tp
|
FROM tagged_photo tp
|
||||||
WHERE tp.tag_id IN ({})
|
WHERE tp.tag_id IN ({})
|
||||||
AND tp.photo_name NOT IN (
|
AND tp.photo_name NOT IN (
|
||||||
SELECT photo_name
|
SELECT photo_name
|
||||||
FROM tagged_photo
|
FROM tagged_photo
|
||||||
WHERE tag_id IN ({})
|
WHERE tag_id IN ({})
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
SELECT
|
SELECT
|
||||||
fp.photo_name as file_name,
|
fp.photo_name as file_name,
|
||||||
COUNT(DISTINCT tp2.tag_id) as tag_count
|
COUNT(DISTINCT tp2.tag_id) as tag_count
|
||||||
FROM filtered_photos fp
|
FROM filtered_photos fp
|
||||||
JOIN tagged_photo tp2 ON fp.photo_name = tp2.photo_name
|
JOIN tagged_photo tp2 ON fp.photo_name = tp2.photo_name
|
||||||
GROUP BY fp.photo_name"#,
|
GROUP BY fp.photo_name"#,
|
||||||
tag_ids_str, exclude_tag_ids_str
|
tag_placeholders, exclude_placeholders
|
||||||
));
|
))
|
||||||
|
.into_boxed();
|
||||||
|
|
||||||
// Execute the query:
|
// Bind all parameters
|
||||||
let results = query.load::<FileWithTagCount>(&mut self.connection)?;
|
let query = tag_ids
|
||||||
Ok(results)
|
.into_iter()
|
||||||
|
.fold(query, |q, id| q.bind::<Integer, _>(id));
|
||||||
|
let query = exclude_tag_ids
|
||||||
|
.into_iter()
|
||||||
|
.fold(query, |q, id| q.bind::<Integer, _>(id));
|
||||||
|
|
||||||
|
query
|
||||||
|
.load::<FileWithTagCount>(&mut self.connection)
|
||||||
|
.with_context(|| "Unable to get tagged photos")
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
16
src/video.rs
16
src/video.rs
@@ -234,7 +234,7 @@ impl Handler<GeneratePlaylistMessage> for PlaylistGenerator {
|
|||||||
playlist_path,
|
playlist_path,
|
||||||
msg.video_path.file_name().unwrap().to_str().unwrap()
|
msg.video_path.file_name().unwrap().to_str().unwrap()
|
||||||
);
|
);
|
||||||
|
|
||||||
let tracer = global_tracer();
|
let tracer = global_tracer();
|
||||||
let mut span = tracer
|
let mut span = tracer
|
||||||
.span_builder("playlistgenerator.generate_playlist")
|
.span_builder("playlistgenerator.generate_playlist")
|
||||||
@@ -243,7 +243,7 @@ impl Handler<GeneratePlaylistMessage> for PlaylistGenerator {
|
|||||||
KeyValue::new("playlist_file", playlist_file.clone()),
|
KeyValue::new("playlist_file", playlist_file.clone()),
|
||||||
])
|
])
|
||||||
.start(&tracer);
|
.start(&tracer);
|
||||||
|
|
||||||
Box::pin(async move {
|
Box::pin(async move {
|
||||||
let wait_start = std::time::Instant::now();
|
let wait_start = std::time::Instant::now();
|
||||||
let permit = semaphore
|
let permit = semaphore
|
||||||
@@ -255,9 +255,13 @@ impl Handler<GeneratePlaylistMessage> for PlaylistGenerator {
|
|||||||
"Waited for {:?} before starting ffmpeg",
|
"Waited for {:?} before starting ffmpeg",
|
||||||
wait_start.elapsed()
|
wait_start.elapsed()
|
||||||
);
|
);
|
||||||
span.add_event("Waited for FFMPEG semaphore", vec![
|
span.add_event(
|
||||||
KeyValue::new("wait_time", wait_start.elapsed().as_secs_f64())
|
"Waited for FFMPEG semaphore",
|
||||||
]);
|
vec![KeyValue::new(
|
||||||
|
"wait_time",
|
||||||
|
wait_start.elapsed().as_secs_f64(),
|
||||||
|
)],
|
||||||
|
);
|
||||||
|
|
||||||
if Path::new(&playlist_file).exists() {
|
if Path::new(&playlist_file).exists() {
|
||||||
debug!("Playlist already exists: {}", playlist_file);
|
debug!("Playlist already exists: {}", playlist_file);
|
||||||
@@ -298,7 +302,7 @@ impl Handler<GeneratePlaylistMessage> for PlaylistGenerator {
|
|||||||
if let Ok(ref res) = ffmpeg_result {
|
if let Ok(ref res) = ffmpeg_result {
|
||||||
debug!("ffmpeg output: {:?}", res);
|
debug!("ffmpeg output: {:?}", res);
|
||||||
}
|
}
|
||||||
|
|
||||||
span.set_status(Status::Ok);
|
span.set_status(Status::Ok);
|
||||||
|
|
||||||
ffmpeg_result
|
ffmpeg_result
|
||||||
|
|||||||
Reference in New Issue
Block a user