Fix SQL injection.

2026-05-25 02:00:10 +02:00 · 2015-02-23 11:00:34 +00:00
parent 4561409450
commit 77c4576b59
2 changed files with 5 additions and 4 deletions
--- a/services/git-bridge/src/main/java/uk/ac/ic/wlgitbridge/writelatex/model/db/sql/update/delete/DeleteFilesForProjectSQLUpdate.java
+++ b/services/git-bridge/src/main/java/uk/ac/ic/wlgitbridge/writelatex/model/db/sql/update/delete/DeleteFilesForProjectSQLUpdate.java
@@ -25,9 +25,7 @@ public class DeleteFilesForProjectSQLUpdate implements SQLUpdate {
    public String getSQL() {
        StringBuilder sb = new StringBuilder(DELETE_URL_INDEXES_FOR_PROJECT_NAME);
        for (int i = 0; i < paths.length; i++) {
-            sb.append('\'');
-            sb.append(paths[i]);
-            sb.append('\'');
+            sb.append("?");
            if (i < paths.length - 1) {
                sb.append(", ");
            }
@@ -39,6 +37,9 @@ public class DeleteFilesForProjectSQLUpdate implements SQLUpdate {
    @Override
    public void addParametersToStatement(PreparedStatement statement) throws SQLException {
        statement.setString(1, projectName);
+        for (int i = 0; i < paths.length; i++) {
+            statement.setString(i + 2, paths[i]);
+        }
    }

 }
--- a/services/git-bridge/src/test/java/uk/ac/ic/wlgitbridge/writelatex/model/db/sql/update/delete/DeleteFilesForProjectSQLUpdateTest.java
+++ b/services/git-bridge/src/test/java/uk/ac/ic/wlgitbridge/writelatex/model/db/sql/update/delete/DeleteFilesForProjectSQLUpdateTest.java
@@ -8,7 +8,7 @@ public class DeleteFilesForProjectSQLUpdateTest {
    @Test
    public void testGetSQL() {
        DeleteFilesForProjectSQLUpdate update = new DeleteFilesForProjectSQLUpdate("projname", "path1", "path2");
-        assertEquals("DELETE FROM `url_index_store` WHERE `project_name` = ? AND path IN ('path1', 'path2');\n", update.getSQL());
+        assertEquals("DELETE FROM `url_index_store` WHERE `project_name` = ? AND path IN (?, ?);\n", update.getSQL());
    }

 }