fix: Avoid CQL Injection in messages

This commit is contained in:
April Hall 2025-02-06 17:20:22 -05:00
parent c29b76cc7d
commit 8820729be4
Signed by: arithefirst
GPG Key ID: 4508A15C4DB91C5B


@ -33,8 +33,13 @@ class Db {
async sendMessage(channelName: string, content: string, sender: string, id: string) { async sendMessage(channelName: string, content: string, sender: string, id: string) {
try { try {
const now = new Date(); const now = new Date();
await this.client.execute(`INSERT INTO channels.${channelName} (id, message_content, channel_name, timestamp, sender) await this.client.execute(`INSERT INTO channels.${channelName} (id, message_content, channel_name, timestamp, sender) VALUES (?, ?, ?, ?, ?)`, {
VALUES (${id}, '${content}', '${channelName}', ${now.getTime()}, ${sender})`); id,
message_content: content,
channel_name: channelName,
timestamp: now.getTime(),
sender,
});
} catch (e) { } catch (e) {
console.log(`Error storing messages: ${e as Error}`); console.log(`Error storing messages: ${e as Error}`);
} }
@ -54,9 +59,9 @@ class Db {
// Get messages method // Get messages method
async getMessages(channelName: string, limit: number): Promise<Messages> { async getMessages(channelName: string, limit: number): Promise<Messages> {
try { try {
const res = await this.client.execute( const res = await this.client.execute(`SELECT * FROM channels.${channelName} WHERE channel_name = ? ORDER BY timestamp DESC LIMIT ${limit}`, {
`SELECT * FROM channels.${channelName} WHERE channel_name = '${channelName}' ORDER BY timestamp DESC LIMIT ${limit}`, channel_name: channelName,
); });
return { return {
messages: res.rows, messages: res.rows,
error: null, error: null,
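Review bot: The commit binds the column values, but `channels.${channelName}` is still interpolated into the table identifier in both sendMessage (the hunk at @ -33) and getMessages (@ -54), and `LIMIT ${limit}` remains interpolated too; a table name cannot be passed as a `?` parameter, so channelName has to be validated before either statement is built, otherwise the injection the title describes is only partly closed. A guard at the top of both methods such as `if (!/^[a-z_][a-z0-9_]{0,47}$/.test(channelName)) throw new Error('invalid channel name');` (a sample pattern for an unquoted CQL identifier — adjust to the project's channel naming rule) closes the identifier path, and `limit` should be checked with `if (!Number.isSafeInteger(limit) || limit <= 0) throw new Error('invalid limit');` because the `number` annotation is erased at runtime and the value may originate from a request. If this.client is the DataStax Node.js driver, named parameters without `{ prepare: true }` as the third execute argument leave the driver guessing column types for id and timestamp — worth confirming against the driver actually in use. Both enclosing methods end outside their hunks.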