fix(filterValue): fixed sql injection vulnerability
Refs: 3369
This commit is contained in:
parent
02bc848b7e
commit
a940d14256
@ -71,7 +71,7 @@
|
||||||
color: $color-font;
|
color: $color-font;
|
||||||
|
|
||||||
&::placeholder {
|
&::placeholder {
|
||||||
color: $color-font-bg;
|
color: $color-font-bg-marginal;
|
||||||
}
|
}
|
||||||
&[type=time],
|
&[type=time],
|
||||||
&[type=date],
|
&[type=date],
|
||||||
|
|
|
@ -81,18 +81,21 @@
|
||||||
on-change="itemTag.value = null">
|
on-change="itemTag.value = null">
|
||||||
</vn-autocomplete>
|
</vn-autocomplete>
|
||||||
<vn-textfield
|
<vn-textfield
|
||||||
ng-show="tag.selection.isFree !== false"
|
ng-show="tag.selection.isFree || tag.selection.isFree == undefined"
|
||||||
vn-id="text"
|
vn-id="text"
|
||||||
label="Value"
|
label="Value"
|
||||||
ng-model="itemTag.value">
|
ng-model="itemTag.value">
|
||||||
</vn-textfield>
|
</vn-textfield>
|
||||||
<vn-autocomplete
|
<vn-autocomplete
|
||||||
|
vn-one
|
||||||
ng-show="tag.selection.isFree === false"
|
ng-show="tag.selection.isFree === false"
|
||||||
url="{{$ctrl.getSourceTable(tag.selection)}}"
|
url="{{'Tags/' + itemTag.tagFk + '/filterValue'}}"
|
||||||
|
search-function="{value: $search}"
|
||||||
label="Value"
|
label="Value"
|
||||||
ng-model="itemTag.value"
|
ng-model="itemTag.value"
|
||||||
show-field="name"
|
show-field="value"
|
||||||
value-field="name">
|
value-field="value"
|
||||||
|
rule>
|
||||||
</vn-autocomplete>
|
</vn-autocomplete>
|
||||||
<vn-icon-button
|
<vn-icon-button
|
||||||
vn-none
|
vn-none
|
||||||
|
|
|
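Review bot: The new `ng-show="tag.selection.isFree || tag.selection.isFree == undefined"` (reading the second line of each pair as the new side) replaces a single strict comparison with a loose `==` and a two-term check, and the two forms are not equivalent: a falsy non-boolean such as `0` or `''` now hides the free-text field where `!== false` showed it. Unless `isFree` is intentionally allowed to be something other than a boolean, `ng-show="tag.selection.isFree !== false"` is the clearer form and mirrors the `=== false` test on the autocomplete a few lines below. Whether `isFree` can ever be non-boolean is not visible from this hunk; confirm against the model that populates `tag.selection`.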
@ -55,18 +55,6 @@ class Controller extends SearchPanel {
|
||||||
this.$.filter = value;
|
this.$.filter = value;
|
||||||
}
|
}
|
||||||
|
|
||||||
getSourceTable(selection) {
|
|
||||||
if (!selection || selection.isFree === true)
|
|
||||||
return null;
|
|
||||||
|
|
||||||
if (selection.sourceTable) {
|
|
||||||
return ''
|
|
||||||
+ selection.sourceTable.charAt(0).toUpperCase()
|
|
||||||
+ selection.sourceTable.substring(1) + 's';
|
|
||||||
} else if (selection.sourceTable == null)
|
|
||||||
return `ItemTags/filterItemTags/${selection.id}`;
|
|
||||||
}
|
|
||||||
|
|
||||||
removeField(index, field) {
|
removeField(index, field) {
|
||||||
this.fieldFilters.splice(index, 1);
|
this.fieldFilters.splice(index, 1);
|
||||||
this.$.filter[field] = undefined;
|
this.$.filter[field] = undefined;
|
||||||
|
|
|
@ -47,9 +47,14 @@ module.exports = Self => {
|
||||||
const where = filter.where;
|
const where = filter.where;
|
||||||
if (where && where.value) {
|
if (where && where.value) {
|
||||||
stmt.merge(conn.makeWhere({value: {like: `%${where.value}%`}}));
|
stmt.merge(conn.makeWhere({value: {like: `%${where.value}%`}}));
|
||||||
stmt.merge(`
|
|
||||||
ORDER BY value LIKE '${where.value}' DESC,
|
const newStmt = new ParameterizedSQL(
|
||||||
value LIKE '${where.value}%' DESC`);
|
`ORDER BY value LIKE ? DESC,
|
||||||
|
value LIKE ? DESC`, [
|
||||||
|
where.value,
|
||||||
|
`${where.value}%`
|
||||||
|
]);
|
||||||
|
ParameterizedSQL.append(newStmt, stmt);
|
||||||
}
|
}
|
||||||
|
|
||||||
stmt.merge(conn.makeLimit(filter));
|
stmt.merge(conn.makeLimit(filter));
|
||||||
|
|
|
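Review bot: `ParameterizedSQL.append(newStmt, stmt);` on the last added line looks inverted: if it follows the loopback-connector convention of merging its second argument into its first and returning the first, it glues the existing SELECT/WHERE onto the end of the ORDER BY clause inside `newStmt`, discards that result, and leaves `stmt` — the statement that subsequently receives `conn.makeLimit(filter)` — with no ordering at all. Every other line of this hunk extends `stmt` through `stmt.merge(...)`, so the consistent and correct form is `stmt.merge(newStmt);`. The `?` placeholders do close the injection, but `%` and `_` inside `where.value` are still LIKE metacharacters in both the `makeWhere` pattern and the `${where.value}%` term; escape them before building the patterns if callers expect a literal prefix match. The enclosing `module.exports = Self => { ... }` function starts before the hunk and the statement is presumably executed after it.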
@ -72,19 +72,21 @@
|
||||||
</vn-autocomplete>
|
</vn-autocomplete>
|
||||||
<vn-textfield
|
<vn-textfield
|
||||||
vn-one
|
vn-one
|
||||||
ng-show="tag.selection.isFree !== false"
|
ng-show="tag.selection.isFree || tag.selection.isFree == undefined"
|
||||||
vn-id="text"
|
vn-id="text"
|
||||||
label="Value"
|
label="Value"
|
||||||
ng-model="itemTag.value">
|
ng-model="itemTag.value">
|
||||||
</vn-textfield>
|
</vn-textfield>
|
||||||
<vn-autocomplete
|
<vn-autocomplete
|
||||||
vn-one
|
vn-one
|
||||||
ng-show="tag.selection.isFree === false"
|
ng-show="tag.selection.isFree === false"
|
||||||
url="{{$ctrl.getSourceTable(tag.selection)}}"
|
url="{{'Tags/' + itemTag.tagFk + '/filterValue'}}"
|
||||||
|
search-function="{value: $search}"
|
||||||
label="Value"
|
label="Value"
|
||||||
ng-model="itemTag.value"
|
ng-model="itemTag.value"
|
||||||
show-field="name"
|
show-field="value"
|
||||||
value-field="name">
|
value-field="value"
|
||||||
|
rule>
|
||||||
</vn-autocomplete>
|
</vn-autocomplete>
|
||||||
<vn-icon-button
|
<vn-icon-button
|
||||||
vn-none
|
vn-none
|
||||||
|
|
|
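Review bot: The interpolated `url="{{'Tags/' + itemTag.tagFk + '/filterValue'}}"` has no guard on `itemTag.tagFk`: `ng-show` only hides the autocomplete when `tag.selection.isFree === false` is not met, so if the component resolves its URL on creation rather than on search it would request `Tags/undefined/filterValue`. A one-line guard such as `url="{{itemTag.tagFk ? 'Tags/' + itemTag.tagFk + '/filterValue' : null}}"` avoids the bogus request. Whether vn-autocomplete fetches eagerly or only when `search-function` fires cannot be confirmed from this hunk; verify against the component before deciding.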
@ -55,18 +55,6 @@ class Controller extends SearchPanel {
|
||||||
this.$.filter = value;
|
this.$.filter = value;
|
||||||
}
|
}
|
||||||
|
|
||||||
getSourceTable(selection) {
|
|
||||||
if (!selection || selection.isFree === true)
|
|
||||||
return null;
|
|
||||||
|
|
||||||
if (selection.sourceTable) {
|
|
||||||
return ''
|
|
||||||
+ selection.sourceTable.charAt(0).toUpperCase()
|
|
||||||
+ selection.sourceTable.substring(1) + 's';
|
|
||||||
} else if (selection.sourceTable == null)
|
|
||||||
return `ItemTags/filterItemTags/${selection.id}`;
|
|
||||||
}
|
|
||||||
|
|
||||||
removeField(index, field) {
|
removeField(index, field) {
|
||||||
this.fieldFilters.splice(index, 1);
|
this.fieldFilters.splice(index, 1);
|
||||||
this.$.filter[field] = undefined;
|
this.$.filter[field] = undefined;
|
||||||
|
|