fix(db): possible sql injection on /search endpoint

camptocamp · May 25, 2022 · 2a5dbaa · 2a5dbaa
1 parent 608d9d5
commit 2a5dbaa
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/db/db.go b/db/db.go
@@ -370,11 +370,13 @@ func (db *Database) SearchAttribute(query url.Values) (results []types.SearchRes
 	}
 
 	if v := query.Get("tf_version"); string(v) != "" {
-		where = append(where, fmt.Sprintf("states.tf_version LIKE '%s'", fmt.Sprintf("%%%s%%", v)))
+		where = append(where, "states.tf_version LIKE ?")
+		params = append(params, fmt.Sprintf("%%%s%%", v))
 	}
 
 	if v := query.Get("lineage_value"); string(v) != "" {
-		where = append(where, fmt.Sprintf("lineages.value LIKE '%s'", fmt.Sprintf("%%%s%%", v)))
+		where = append(where, "lineages.value LIKE ?")
+		params = append(params, fmt.Sprintf("%%%s%%", v))
 	}
 
 	if len(where) > 0 {