fix(db): validate table names and quote identifiers in raw SQL

This commit is contained in:
kolaente 2026-02-24 20:38:12 +01:00
parent 9d19a04550
commit 7e7e778d49
1 changed files with 21 additions and 2 deletions

View File

@ -18,6 +18,8 @@ package db
import (
"encoding/json"
"fmt"
"regexp"
"strings"
"code.vikunja.io/api/pkg/log"
@ -25,6 +27,15 @@ import (
"xorm.io/xorm/schemas"
)
var validTableName = regexp.MustCompile(`^[a-zA-Z_][a-zA-Z0-9_]*$`)
func validateTableName(table string) error {
if !validTableName.MatchString(table) {
return fmt.Errorf("invalid table name: %q", table)
}
return nil
}
// Dump dumps all database tables
func Dump() (data map[string][]byte, err error) {
tables, err := x.DBMetas()
@ -50,6 +61,10 @@ func Dump() (data map[string][]byte, err error) {
// Restore restores a table with all its entries
func Restore(table string, contents []map[string]interface{}) (err error) {
if err := validateTableName(table); err != nil {
return err
}
if _, err := x.IsTableExist(table); err != nil {
return err
}
@ -90,7 +105,7 @@ func Restore(table string, contents []map[string]interface{}) (err error) {
if Type() == schemas.POSTGRES {
idSequence := table + "_id_seq"
_, err = x.Query("SELECT setval('" + idSequence + "', COALESCE(MAX(id), 1) )")
_, err = x.Query(`SELECT setval('"` + idSequence + `"', COALESCE((SELECT MAX(id) FROM "` + table + `"), 1))`)
if err != nil {
log.Warningf("Could not reset id sequence for %s: %s", idSequence, err)
err = nil
@ -102,12 +117,16 @@ func Restore(table string, contents []map[string]interface{}) (err error) {
// RestoreAndTruncate removes all content from the table before restoring it from the contents map
func RestoreAndTruncate(table string, contents []map[string]interface{}) (err error) {
if err := validateTableName(table); err != nil {
return err
}
if _, err := x.IsTableExist(table); err != nil {
return err
}
if x.Dialect().URI().DBType == schemas.SQLITE {
if _, err := x.Query("DELETE FROM " + table); err != nil {
if _, err := x.Query(`DELETE FROM "` + table + `"`); err != nil {
return err
}
} else {