Merge 9532ce9 into ed0ee5b
Ivansete-status authored Oct 14, 2024
2 parents ed0ee5b + 9532ce9 commit 1939ba4
Showing 2 changed files with 35 additions and 2 deletions.
3 changes: 3 additions & 0 deletions .github/workflows/ci.yml
Expand Up @@ -111,6 +111,9 @@ jobs:
run: |
postgres_enabled=0
if [ ${{ runner.os }} == "Linux" ]; then
sudo apt-get update
sudo apt-get install -y libpcre3 libpcre3-dev
sudo docker run --rm -d -e POSTGRES_PASSWORD=test123 -p 5432:5432 postgres:15.4-alpine3.18
postgres_enabled=1
fi
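Review bot: `libpcre3`/`libpcre3-dev` on the added apt-get install line is PCRE1, which upstream declared end-of-life in 2021 (only distro backports remain), so the step pins a test dependency on an unmaintained library without saying why; presumably it is needed because Nim's `std/re` binds PCRE1 rather than PCRE2. A one-line comment above the install would make that deliberate and tell the next person what would have to change, e.g. `# PCRE1 (libpcre3) is what Nim's std/re links against; revisit when moving to pcre2/nim-regex`. The `+`/`-` markers are lost on this page, so which three lines are the additions is inferred from the diffstat, and the enclosing `run:` step starts and ends outside the hunk.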
34 changes: 32 additions & 2 deletions waku/common/databases/db_postgres/dbconn.nim
@@ -1,5 +1,5 @@
import
std/[times, strutils, asyncnet, os, sequtils, sets],
std/[times, strutils, asyncnet, os, sequtils, sets, strformat],
results,
chronos,
chronos/threadsync,
Expand Down Expand Up @@ -207,13 +207,42 @@ proc waitQueryToFinish(

pqclear(pqResult)

proc containsRiskyPatterns(input: string): bool =
let riskyPatterns =
@[
" OR ", " AND ", " UNION ", " SELECT ", "INSERT ", "DELETE ", "UPDATE ", "DROP ",
"EXEC ", "--", "/*", "*/",
]

for pattern in riskyPatterns:
if pattern.toLowerAscii() in input.toLowerAscii():
return true

return false

proc isSecureString(input: string): bool =
## Returns `false` if the string contains risky characters or patterns, `true` otherwise.
let riskyChars = {'\'', '\"', ';', '-', '#', '\\', '%', '_', '/', '*', '\0'}

for ch in input:
if ch in riskyChars:
return false

if containsRiskyPatterns(input):
return false

return true

proc dbConnQuery*(
dbConnWrapper: DbConnWrapper,
query: SqlQuery,
args: seq[string],
rowCallback: DataProc,
requestId: string,
): Future[Result[void, string]] {.async, gcsafe.} =
if not requestId.isSecureString():
return err("the passed request id is not secure: " & requestId)

dbConnWrapper.futBecomeFree = newFuture[void]("dbConnQuery")

let cleanedQuery = ($query).replace(" ", "").replace("\n", "")
Expand All @@ -224,7 +253,8 @@ proc dbConnQuery*(

var queryStartTime = getTime().toUnixFloat()

(await dbConnWrapper.sendQuery(query, args)).isOkOr:
let reqIdAndQuery = "/* requestId=" & requestId & " */ " & $query
(await dbConnWrapper.sendQuery(SqlQuery(reqIdAndQuery), args)).isOkOr:
error "error in dbConnQuery", error = $error
dbConnWrapper.futBecomeFree.fail(newException(ValueError, $error))
return err("error in dbConnQuery calling sendQuery: " & $error)
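Review bot: `isSecureString` guards a value that `dbConnQuery` splices verbatim into a `/* requestId=... */` block comment ahead of the real query, and a denylist is the wrong shape for that job: it only has to miss one sequence the lexer treats specially, and the one here already has gaps that `containsRiskyPatterns` does not close (newline, tab and other control characters pass; `--`, `/*` and `*/` are re-checked as patterns even though `-`, `/` and `*` are already rejected per character; `-` is banned, so if callers ever pass UUID-style request ids every query is refused). An allowlist of the characters a request id actually needs plus a length cap is shorter, cannot by construction produce the `*/` that closes a PostgreSQL block comment, and makes `containsRiskyPatterns` dead code that can be deleted. Separately, the `err(...)` in `dbConnQuery` echoes the rejected id back in its message even though it failed validation precisely because of the characters it contains; return a fixed message or wrap the value with `repr`, e.g. `return err("the passed request id is not secure: " & repr(requestId))`. `dbConnQuery`'s body continues past the hunk.
```nim
proc isSecureString(input: string): bool =
  ## The request id is interpolated verbatim into a `/* ... */` SQL comment,
  ## so only a short token made of characters that can never close that
  ## comment is accepted. Add '-' to `allowed` if request ids are UUIDs.
  const allowed = {'a'..'z', 'A'..'Z', '0'..'9'}
  if input.len > 64:
    return false
  for ch in input:
    if ch notin allowed:
      return false
  return true
```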
