From ca3a0d564d6a63224287fc5bdd92914e802530de Mon Sep 17 00:00:00 2001
From: Azanul
Date: Mon, 17 Jun 2024 20:27:35 +0530
Subject: [PATCH] fix: user controlled queries
Signed-off-by: Azanul
---
 handlers/dashboard_handler.go | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/handlers/dashboard_handler.go b/handlers/dashboard_handler.go
index 77c412fc7..8c199725f 100644
--- a/handlers/dashboard_handler.go
+++ b/handlers/dashboard_handler.go
@@ -172,14 +172,23 @@ func (handler *ApiHandler) CostBreakdownHandler(c *gin.Context) {
 }
 if len(input.Exclude) > 0 {
- s, _ := json.Marshal(input.Exclude)
- err = handler.db.NewRaw(fmt.Sprintf(`%s ? NOT IN (%s) AND DATE(fetched_at) BETWEEN '%s' AND '%s' GROUP BY ?;`, query, strings.Trim(string(s), "[]"), input.Start, input.End), bun.Ident(input.Group), bun.Ident(input.Group)).Scan(handler.ctx, &groups)
+ s, err := json.Marshal(input.Exclude)
+ if err != nil {
+ c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to process exclude list"})
+ return
+ }
+ excludeList := strings.Trim(string(s), "[]")
+ excludeList = strings.ReplaceAll(excludeList, `"`, "'")
+
+ query := fmt.Sprintf(`%s ? NOT IN (%s) AND DATE(fetched_at) BETWEEN ? AND ? GROUP BY ?`, query, excludeList)
+ err = handler.db.NewRaw(query, bun.Ident(input.Group), input.Start, input.End, bun.Ident(input.Group)).Scan(handler.ctx, &groups)
 if err != nil {
 c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
 return
 }
 } else {
- err := handler.db.NewRaw(fmt.Sprintf(`%s DATE(fetched_at) BETWEEN '%s' AND '%s' GROUP BY period, ?;`, query, input.Start, input.End), bun.Ident(input.Group)).Scan(handler.ctx, &groups)
+ query := fmt.Sprintf(`%s DATE(fetched_at) BETWEEN ? AND ? GROUP BY period, ?`, query)
+ err := handler.db.NewRaw(query, input.Start, input.End, bun.Ident(input.Group)).Scan(handler.ctx, &groups)
 if err != nil {
 c.JSON(http.StatusInternalServerError, gin.H{"error": err.Error()})
 return