From 56dbee8d8e11da7f33ff0901983a88a358932a93 Mon Sep 17 00:00:00 2001
From: Hugo Bollon
Date: Wed, 25 May 2022 09:25:19 +0200
Subject: [PATCH] fix(db): possible sql injection on /search endpoint (#247)

---
 db/db.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/db/db.go b/db/db.go
index 88e53908..bc9e1b61 100644
--- a/db/db.go
+++ b/db/db.go
@@ -370,11 +370,13 @@ func (db *Database) SearchAttribute(query url.Values) (results []types.SearchRes
 }
 
 if v := query.Get("tf_version"); string(v) != "" {
- where = append(where, fmt.Sprintf("states.tf_version LIKE '%s'", fmt.Sprintf("%%%s%%", v)))
+ where = append(where, "states.tf_version LIKE ?")
+ params = append(params, fmt.Sprintf("%%%s%%", v))
 }
 
 if v := query.Get("lineage_value"); string(v) != "" {
- where = append(where, fmt.Sprintf("lineages.value LIKE '%s'", fmt.Sprintf("%%%s%%", v)))
+ where = append(where, "lineages.value LIKE ?")
+ params = append(params, fmt.Sprintf("%%%s%%", v))
 }
 
 if len(where) > 0 {
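Review bot: The new `where`/`params` pairs close the injection, but the user value is still spliced into the LIKE pattern unescaped on both `params = append(params, fmt.Sprintf("%%%s%%", v))` lines, so `%` and `_` in `tf_version` or `lineage_value` act as wildcards (a bare `%` matches every row); if the endpoint is meant to do literal substring matching only, escape them before wrapping, e.g. `strings.NewReplacer("\\", "\\\\", "%", "\\%", "_", "\\_").Replace(v)` together with the matching `ESCAPE` clause for the dialect in use, otherwise a comment stating that wildcard input is accepted by design would do. Because `?` binds positionally, `where` and `params` must be appended in lockstep, and a one-line comment above the first pair, `// each "?" in where binds to params at the same index; always append both together`, would make that invariant explicit for the next filter someone adds. SearchAttribute begins before and continues past this hunk, so whether the earlier filters in the same function are also parameterized, and whether `params` is actually handed to the query alongside `where`, cannot be confirmed from here and is worth checking in the same review.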