Fix SQL injection vulnerability in a tag query

2025-06-12 15:01:07 -04:00
parent a25ffcc351
commit 97a07e11ca
2 changed files with 45 additions and 35 deletions
--- a/src/tags.rs
+++ b/src/tags.rs
@@ -503,22 +503,19 @@ impl TagDao for SqliteTagDao {
    ) -> anyhow::Result<Vec<FileWithTagCount>> {
        trace_db_call(&context, "query", "get_files_with_any_tags", |_| {
            use diesel::dsl::*;
-
-            let tag_ids_str = tag_ids
-                .iter()
-                .map(|id| id.to_string())
+            // Create the placeholders for the IN clauses
+            let tag_placeholders = std::iter::repeat("?")
+                .take(tag_ids.len())
                .collect::<Vec<_>>()
                .join(",");
-
-            let exclude_tag_ids_str = exclude_tag_ids
-                .iter()
-                .map(|id| id.to_string())
+            let exclude_placeholders = std::iter::repeat("?")
+                .take(exclude_tag_ids.len())
                .collect::<Vec<_>>()
                .join(",");

            let query = sql_query(format!(
                r#"
-WITH filtered_photos AS (
+            WITH filtered_photos AS (
                SELECT DISTINCT photo_name
                FROM tagged_photo tp
                WHERE tp.tag_id IN ({})
@@ -534,12 +531,21 @@ WITH filtered_photos AS (
            FROM filtered_photos fp
            JOIN tagged_photo tp2 ON fp.photo_name = tp2.photo_name
            GROUP BY fp.photo_name"#,
-                tag_ids_str, exclude_tag_ids_str
-            ));
+                tag_placeholders, exclude_placeholders
+            ))
+            .into_boxed();

-            // Execute the query:
-            let results = query.load::<FileWithTagCount>(&mut self.connection)?;
-            Ok(results)
+            // Bind all parameters
+            let query = tag_ids
+                .into_iter()
+                .fold(query, |q, id| q.bind::<Integer, _>(id));
+            let query = exclude_tag_ids
+                .into_iter()
+                .fold(query, |q, id| q.bind::<Integer, _>(id));
+
+            query
+                .load::<FileWithTagCount>(&mut self.connection)
+                .with_context(|| "Unable to get tagged photos")
        })
    }
 }
--- a/src/video.rs
+++ b/src/video.rs
@@ -255,9 +255,13 @@ impl Handler<GeneratePlaylistMessage> for PlaylistGenerator {
                "Waited for {:?} before starting ffmpeg",
                wait_start.elapsed()
            );
-            span.add_event("Waited for FFMPEG semaphore", vec![
-                KeyValue::new("wait_time", wait_start.elapsed().as_secs_f64())
-            ]);
+            span.add_event(
+                "Waited for FFMPEG semaphore",
+                vec![KeyValue::new(
+                    "wait_time",
+                    wait_start.elapsed().as_secs_f64(),
+                )],
+            );

            if Path::new(&playlist_file).exists() {
                debug!("Playlist already exists: {}", playlist_file);