rev: white-list check for layer names

changes per #522 (comment)
NOAA-OWP · Jul 18, 2023 · 57d00df · 57d00df
1 parent 2bcad90
commit 57d00df
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/src/geopackage/read.cpp b/src/geopackage/read.cpp
@@ -1,13 +1,27 @@
 #include "GeoPackage.hpp"
 
 #include <numeric>
+#include <regex>
+
+void check_table_name(const std::string& table)
+{
+    if (boost::algorithm::starts_with(table, "sqlite_"))
+        throw std::runtime_error("table `" + table + "` is not queryable");
+
+    std::regex allowed("[^-A-Za-z0-9_ ]+");
+    if (std::regex_match(table, allowed))
+        throw std::runtime_error("table `" + table + "` contains invalid characters");
+}
 
 std::shared_ptr<geojson::FeatureCollection> geopackage::read(
     const std::string& gpkg_path,
     const std::string& layer = "",
     const std::vector<std::string>& ids = {}
 )
 {
+    // Check for malicious/invalid layer input
+    check_table_name(layer);
+
     sqlite db(gpkg_path);
 
     // Check if layer exists