ESSNTL-4817: send valid json to sql

RedHatInsights · Jul 27, 2023 · cb7a3b9 · cb7a3b9
1 parent ecfcdc7
commit cb7a3b9
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 17 deletions.
diff --git a/conf/local.env b/conf/local.env
@@ -1,5 +1,6 @@
 GIN_MODE=release
 LOG_LEVEL=DEBUG
+DB_DEBUG=true
 
 USE_TESTING_DB=1
 ACG_CONFIG=./conf/cdappconfig.json

diff --git a/conf/test.env b/conf/test.env
@@ -1,6 +1,5 @@
 GIN_MODE=release
 LOG_LEVEL=DEBUG
-DB_DEBUG=true
 
 USE_TESTING_DB=1
 

diff --git a/manager/controllers/systems_test.go b/manager/controllers/systems_test.go
@@ -112,6 +112,26 @@ func TestSystemsTagsInvalid(t *testing.T) {
 	assert.Equal(t, fmt.Sprintf(InvalidTagMsg, "invalidTag"), errResp.Error)
 }
 
+func TestSystemsTagsEscaping1(t *testing.T) {
+	output := testSystems(t, `/?tags=ns1/k3=val4&tags="ns/key=quote"`, 1)
+	assert.Equal(t, 0, len(output.Data))
+}
+
+func TestSystemsTagsEscaping2(t *testing.T) {
+	output := testSystems(t, `/?tags=ns1/k3=val4&tags='ns/key=singlequote'`, 1)
+	assert.Equal(t, 0, len(output.Data))
+}
+
+func TestSystemsTagsEscaping3(t *testing.T) {
+	output := testSystems(t, `/?tags=ns1/k3=val4&tags='ns/key=inside""quote'`, 1)
+	assert.Equal(t, 0, len(output.Data))
+}
+
+func TestSystemsTagsEscaping4(t *testing.T) {
+	output := testSystems(t, `/?tags=ns1/k3=val4&tags=ne/key="{{malformed json}}"`, 1)
+	assert.Equal(t, 0, len(output.Data))
+}
+
 func TestSystemsWorkloads1(t *testing.T) {
 	url := "/?filter[system_profile][sap_system]=true&filter[system_profile][sap_sids]=ABC"
 	output := testSystems(t, url, 1)
@@ -131,6 +151,17 @@ func TestSystemsWorkloads3(t *testing.T) {
 	assert.Equal(t, 0, len(output.Data))
 }
 
+func TestSystemsWorkloadEscaping1(t *testing.T) {
+	url := "/?filter[system_profile][sap_sids]='singlequote'"
+	output := testSystems(t, url, 1)
+	assert.Equal(t, 0, len(output.Data))
+}
+
+func TestSystemsWorkloadEscaping2(t *testing.T) {
+	url := `/?filter[system_profile][sap_sids]="{{malformed json}}"`
+	output := testSystems(t, url, 1)
+	assert.Equal(t, 0, len(output.Data))
+}
 func TestSystemsPackagesCount(t *testing.T) {
 	output := testSystems(t, "/?sort=-packages_installed,id", 3)
 	assert.Equal(t, 5, len(output.Data))

diff --git a/manager/controllers/utils.go b/manager/controllers/utils.go
@@ -286,9 +286,9 @@ func ApplySearch(c *gin.Context, tx *gorm.DB, searchColumns ...string) (*gorm.DB
 }
 
 type Tag struct {
-	Namespace *string
-	Key       string
-	Value     *string
+	Namespace *string `json:"namespace,omitempty"`
+	Key       string  `json:"key"`
+	Value     *string `json:"value,omitempty"`
 }
 
 func HasInventoryFilter(filters Filters) bool {
@@ -338,18 +338,8 @@ func (t *Tag) ApplyTag(tx *gorm.DB) *gorm.DB {
 		return tx
 	}
 
-	ns := ""
-	if t.Namespace != nil {
-		ns = fmt.Sprintf(`"namespace": "%s",`, *t.Namespace)
-	}
-
-	v := ""
-	if t.Value != nil {
-		v = fmt.Sprintf(`, "value":"%s"`, *t.Value)
-	}
-
-	query := fmt.Sprintf(`[{%s "key": "%s" %s}]`, ns, t.Key, v)
-	return tx.Where("ih.tags @> ?::jsonb", query)
+	tagStr, _ := json.Marshal([]Tag{*t})
+	return tx.Where("ih.tags @> ?::jsonb", tagStr)
 }
 
 func ParseInventoryFilters(c *gin.Context, opts ListOpts) (Filters, Filters, error) {
@@ -472,7 +462,8 @@ func buildSystemProfileQuery(tx *gorm.DB, key string, values []string) *gorm.DB
 	switch key {
 	case "sap_sids":
 		cmp = "::jsonb @> ?::jsonb"
-		val = fmt.Sprintf(`["%s"]`, strings.Join(values, `","`))
+		bval, _ := json.Marshal(values)
+		val = string(bval)
 	default:
 		cmp = "::text = ?"
 		val = values[0]