Fix potential for injection attack
Yuck committed Mar 7, 2023
1 parent 486e0dc commit cd307d3
Showing 14 changed files with 40 additions and 22 deletions.
Expand Up @@ -6,7 +6,7 @@
<GeneratePackageOnBuild>true</GeneratePackageOnBuild>
<Authors>Kevin J Lambert</Authors>
<Product>YuckQi.Data</Product>
<Version>6.2.0</Version>
<Version>6.2.1</Version>
<Description>An implementation of YuckQi.Data for MongoDB databases.</Description>
<RepositoryUrl>https://github.com/Yuck/YuckQi.Data.git</RepositoryUrl>
<RepositoryType>git</RepositoryType>
2 changes: 1 addition & 1 deletion src/YuckQi.Data.Sql.Dapper.MySql/SqlGenerator.cs
Expand Up @@ -115,7 +115,7 @@ private static String BuildWhereSql(IEnumerable<FilterCriteria>? parameters)
var value = t.Value;
var comparison = BuildComparison(value, t.Operation);
var set = t.Value is IEnumerable enumerable
? (from Object? item in enumerable select item is String stringItem ? $"'{stringItem}'" : $"{item}").ToList()
? enumerable.Cast<Object>().ToArray().Select((_, i) => $"@{t.FieldName}{i}").ToList()
: null;
var parameter = t.Operation == FilterOperation.In
? set != null && set.Any()
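Review bot: The placeholder scheme `$"@{t.FieldName}{i}"` on the new line is repeated, prefix aside, in the Oracle and SqlServer SqlGenerator.cs hunks and again in the ToDynamicParameters hunk as `$"{parameter.FieldName}{i}"`, with nothing tying the four together — if any one drifts, the generated SQL references parameters that are never bound. A comment on this line such as `// must match the {FieldName}{index} naming used by ToDynamicParameters` (or a shared helper that both sides call) would make the coupling explicit. The `.ToArray()` before `.Select((_, i) => …)` materializes for no reason; `enumerable.Cast<Object>().Select((_, i) => $"@{t.FieldName}{i}").ToList()` is equivalent. Binding the values closes the value path, but `t.FieldName` is still interpolated verbatim into the parameter token and, judging by the test expectations, into the quoted column identifier, so if field names can originate from a caller's request they should be checked against the known column set before reaching this method — where they come from is not visible here. BuildWhereSql starts and ends outside the hunk.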
Expand Up @@ -5,7 +5,7 @@
<ImplicitUsings>enable</ImplicitUsings>
<GeneratePackageOnBuild>true</GeneratePackageOnBuild>
<Authors>Kevin J Lambert</Authors>
<Version>6.2.0</Version>
<Version>6.2.1</Version>
<Description>An implementation of YuckQi.Data for MySQL databases using Dapper and SimpleCRUD.</Description>
<Product>YuckQi.Data</Product>
<RepositoryUrl>https://github.com/Yuck/YuckQi.Data.git</RepositoryUrl>
2 changes: 1 addition & 1 deletion src/YuckQi.Data.Sql.Dapper.Oracle/SqlGenerator.cs
Expand Up @@ -115,7 +115,7 @@ private static String BuildWhereSql(IEnumerable<FilterCriteria>? parameters)
var value = t.Value;
var comparison = BuildComparison(value, t.Operation);
var set = t.Value is IEnumerable enumerable
? (from Object? item in enumerable select item is String stringItem ? $"'{stringItem}'" : $"{item}").ToList()
? enumerable.Cast<Object>().ToArray().Select((_, i) => $":{t.FieldName}{i}").ToList()
: null;
var parameter = t.Operation == FilterOperation.In
? set != null && set.Any()
Expand Up @@ -5,7 +5,7 @@
<ImplicitUsings>enable</ImplicitUsings>
<Description>An implementation of YuckQi.Data for Oracle databases using Dapper and SimpleCRUD.</Description>
<Authors>Kevin J Lambert</Authors>
<Version>6.2.0</Version>
<Version>6.2.1</Version>
<GeneratePackageOnBuild>true</GeneratePackageOnBuild>
<Product>YuckQi.Data</Product>
<RepositoryUrl>https://github.com/Yuck/YuckQi.Data.git</RepositoryUrl>
2 changes: 1 addition & 1 deletion src/YuckQi.Data.Sql.Dapper.SqlServer/SqlGenerator.cs
Expand Up @@ -116,7 +116,7 @@ private static String BuildWhereSql(IEnumerable<FilterCriteria>? parameters)
var value = t.Value;
var comparison = BuildComparison(value, t.Operation);
var set = t.Value is IEnumerable enumerable
? (from Object? item in enumerable select item is String stringItem ? $"'{stringItem}'" : $"{item}").ToList()
? enumerable.Cast<Object>().ToArray().Select((_, i) => $"@{t.FieldName}{i}").ToList()
: null;
var parameter = t.Operation == FilterOperation.In
? set != null && set.Any()
Expand Up @@ -5,7 +5,7 @@
<ImplicitUsings>enable</ImplicitUsings>
<GeneratePackageOnBuild>true</GeneratePackageOnBuild>
<Authors>Kevin J Lambert</Authors>
<Version>6.2.0</Version>
<Version>6.2.1</Version>
<Description>An implementation of YuckQi.Data for MSSQL databases using Dapper and SimpleCRUD.</Description>
<Product>YuckQi.Data</Product>
<RepositoryUrl>https://github.com/Yuck/YuckQi.Data.git</RepositoryUrl>
@@ -1,4 +1,5 @@
using System.Data;
using System.Collections;
using System.Data;
using Dapper;
using YuckQi.Data.Filtering;

Expand All @@ -14,14 +15,31 @@ public static DynamicParameters ToDynamicParameters(this IEnumerable<FilterCrite
return result;

foreach (var parameter in parameters)
{
var name = parameter.FieldName;
var value = parameter.Value;
var type = value?.GetType();
var dbType = dbTypeMap != null && type != null && dbTypeMap.TryGetValue(type, out var mapped) ? (DbType?) mapped : null;

result.Add(name, value, dbType);
}
if (parameter.Operation == FilterOperation.In)
{
var set = parameter.Value is IEnumerable enumerable
? enumerable.Cast<Object>().ToArray()
: throw new ArgumentException($"{nameof(parameter.Value)} must be convertible to {nameof(IEnumerable)}.");

for (var i = 0; i <= set.Length; i++)
{
var name = $"{parameter.FieldName}{i}";
var value = set[i];
var type = value?.GetType();
var dbType = dbTypeMap != null && type != null && dbTypeMap.TryGetValue(type, out var mapped) ? (DbType?) mapped : null;

result.Add(name, value, dbType);
}
}
else
{
var name = parameter.FieldName;
var value = parameter.Value;
var type = value?.GetType();
var dbType = dbTypeMap != null && type != null && dbTypeMap.TryGetValue(type, out var mapped) ? (DbType?) mapped : null;

result.Add(name, value, dbType);
}

return result;
}
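Review bot: The loop bound `for (var i = 0; i <= set.Length; i++)` is off by one — the final iteration reads `set[i]` with i == set.Length, so every In filter with at least one value throws IndexOutOfRangeException before the parameters are returned; it should be `for (var i = 0; i < set.Length; i++)`. None of the test changes in this commit call ToDynamicParameters, which is why this goes unnoticed; a test asserting that a four-element In filter yields parameters Name0..Name3 would pin it. The name `$"{parameter.FieldName}{i}"` has to agree with the `{FieldName}{i}` tokens emitted by the three SqlGenerator.cs hunks, and a comment saying so on that line would help the next maintainer. Note also that a String satisfies `is IEnumerable`, so a string value with the In operation is bound character by character rather than rejected by the ArgumentException — if that is not intended, `parameter.Value is IEnumerable enumerable and not String` narrows it. ToDynamicParameters' signature is above the hunk.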
2 changes: 1 addition & 1 deletion src/YuckQi.Data.Sql.Dapper/YuckQi.Data.Sql.Dapper.csproj
Expand Up @@ -5,7 +5,7 @@
<ImplicitUsings>enable</ImplicitUsings>
<GeneratePackageOnBuild>true</GeneratePackageOnBuild>
<Authors>Kevin J Lambert</Authors>
<Version>6.2.0</Version>
<Version>6.2.1</Version>
<Description>An implementation of YuckQi.Data for SQL databases using Dapper and SimpleCRUD.</Description>
<Product>YuckQi.Data</Product>
<RepositoryUrl>https://github.com/Yuck/YuckQi.Data.git</RepositoryUrl>
Expand Up @@ -5,7 +5,7 @@
<ImplicitUsings>enable</ImplicitUsings>
<GeneratePackageOnBuild>true</GeneratePackageOnBuild>
<Authors>Kevin J Lambert</Authors>
<Version>6.2.0</Version>
<Version>6.2.1</Version>
<Description>An implementation of YuckQi.Data for SQL databases using Entity Framework.</Description>
<Product>YuckQi.Data</Product>
<RepositoryUrl>https://github.com/Yuck/YuckQi.Data.git</RepositoryUrl>
2 changes: 1 addition & 1 deletion src/YuckQi.Data/YuckQi.Data.csproj
Expand Up @@ -5,7 +5,7 @@
<ImplicitUsings>enable</ImplicitUsings>
<GeneratePackageOnBuild>true</GeneratePackageOnBuild>
<Authors>Kevin J Lambert</Authors>
<Version>6.2.0</Version>
<Version>6.2.1</Version>
<Description>A .NET library of lightweight data access handlers which can be used to compose repositories and domain services.</Description>
<RepositoryUrl>https://github.com/Yuck/YuckQi.Data.git</RepositoryUrl>
<RepositoryType>git</RepositoryType>
Expand Up @@ -130,7 +130,7 @@ public void GenerateGetQuery_WithInOperation_IsValid()
var parameters = new[] { new FilterCriteria("Name", FilterOperation.In, new[] { "Bill", "Billy", "Mac", "Buddy" }) };
var sql = generator.GenerateGetQuery(parameters).Replace(Environment.NewLine, " ");

Assert.That(sql, Is.EqualTo("select `Id`, `Name` from `SurLaTable` where (`Name` in ('Bill','Billy','Mac','Buddy'));"));
Assert.That(sql, Is.EqualTo("select `Id`, `Name` from `SurLaTable` where (`Name` in (@Name0,@Name1,@Name2,@Name3));"));
}

[Test]
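Review bot: The updated expectation only checks that the SQL now carries `@Name0..@Name3`; it does not check that the values themselves stay out of the statement, and the same applies to the Oracle and SqlServer test hunks below. A second case whose input contains a quote — e.g. `new[] { "O'Brien", "Mac" }` (constructed) — with `Assert.That(sql, Does.Not.Contain("O'Brien"))` would guard the injection fix directly rather than by inference from the placeholder names. A companion test over ToDynamicParameters asserting that the same filter yields parameters Name0..Name3 holding the four values would also exercise the binding side, which the commit leaves untested and where the loop bound in that hunk would fail. GenerateGetQuery_WithInOperation_IsValid begins above the hunk.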
Expand Up @@ -130,7 +130,7 @@ public void GenerateGetQuery_WithInOperation_IsValid()
var parameters = new[] { new FilterCriteria("Name", FilterOperation.In, new[] { "Bill", "Billy", "Mac", "Buddy" }) };
var sql = generator.GenerateGetQuery(parameters).Replace(Environment.NewLine, " ");

Assert.That(sql, Is.EqualTo("select \"Id\", \"Name\" from \"SurLaTable\" where (\"Name\" in ('Bill','Billy','Mac','Buddy'));"));
Assert.That(sql, Is.EqualTo("select \"Id\", \"Name\" from \"SurLaTable\" where (\"Name\" in (:Name0,:Name1,:Name2,:Name3));"));
}

[Test]
Expand Up @@ -130,7 +130,7 @@ public void GenerateGetQuery_WithInOperation_IsValid()
var parameters = new[] { new FilterCriteria("Name", FilterOperation.In, new[] { "Bill", "Billy", "Mac", "Buddy" }) };
var sql = generator.GenerateGetQuery(parameters).Replace(Environment.NewLine, " ");

Assert.That(sql, Is.EqualTo("select [Id], [Name] from [dbo].[SurLaTable] where ([Name] in ('Bill','Billy','Mac','Buddy'));"));
Assert.That(sql, Is.EqualTo("select [Id], [Name] from [dbo].[SurLaTable] where ([Name] in (@Name0,@Name1,@Name2,@Name3));"));
}

[Test]
