Made the issue stats query more secure with parameterized placeholders (#2895)
parent
7049cb9d97
commit
dfad51fe9e
137
models/issue.go
137
models/issue.go
|
@ -547,7 +547,7 @@ func Issues(opts *IssuesOptions) ([]*Issue, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
labelIDs := base.StringsToInt64s(strings.Split(opts.Labels, ","))
|
labelIDs := base.StringsToInt64s(strings.Split(opts.Labels, ","))
|
||||||
if len(labelIDs) > 1 {
|
if opts.Labels != "" && len(labelIDs) > 0 {
|
||||||
sess.Join("INNER", "issue_label", "issue.id = issue_label.issue_id").In("issue_label.label_id", labelIDs)
|
sess.Join("INNER", "issue_label", "issue.id = issue_label.issue_id").In("issue_label.label_id", labelIDs)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -769,7 +769,7 @@ func parseCountResult(results []map[string][]byte) int64 {
|
||||||
type IssueStatsOptions struct {
|
type IssueStatsOptions struct {
|
||||||
RepoID int64
|
RepoID int64
|
||||||
UserID int64
|
UserID int64
|
||||||
LabelID int64
|
Labels string
|
||||||
MilestoneID int64
|
MilestoneID int64
|
||||||
AssigneeID int64
|
AssigneeID int64
|
||||||
FilterMode int
|
FilterMode int
|
||||||
|
@ -780,41 +780,58 @@ type IssueStatsOptions struct {
|
||||||
func GetIssueStats(opts *IssueStatsOptions) *IssueStats {
|
func GetIssueStats(opts *IssueStatsOptions) *IssueStats {
|
||||||
stats := &IssueStats{}
|
stats := &IssueStats{}
|
||||||
|
|
||||||
queryStr := "SELECT COUNT(*) FROM `issue` "
|
countSession := func(opts *IssueStatsOptions) *xorm.Session {
|
||||||
if opts.LabelID > 0 {
|
sess := x.Where("issue.repo_id = ?", opts.RepoID).And("issue.is_pull = ?", opts.IsPull)
|
||||||
queryStr += "INNER JOIN `issue_label` ON `issue`.id=`issue_label`.issue_id AND `issue_label`.label_id=" + com.ToStr(opts.LabelID)
|
|
||||||
|
labelIDs := base.StringsToInt64s(strings.Split(opts.Labels, ","))
|
||||||
|
if opts.Labels != "" && len(labelIDs) > 0 {
|
||||||
|
sess.Join("INNER", "issue_label", "issue.id = issue_label.issue_id").In("issue_label.label_id", labelIDs)
|
||||||
}
|
}
|
||||||
|
|
||||||
baseCond := " WHERE issue.repo_id=" + com.ToStr(opts.RepoID) + " AND issue.is_closed=?"
|
|
||||||
if opts.MilestoneID > 0 {
|
if opts.MilestoneID > 0 {
|
||||||
baseCond += " AND issue.milestone_id=" + com.ToStr(opts.MilestoneID)
|
sess.And("issue.milestone_id = ?", opts.MilestoneID)
|
||||||
}
|
}
|
||||||
|
|
||||||
if opts.AssigneeID > 0 {
|
if opts.AssigneeID > 0 {
|
||||||
baseCond += " AND assignee_id=" + com.ToStr(opts.AssigneeID)
|
sess.And("assignee_id = ?", opts.AssigneeID)
|
||||||
|
}
|
||||||
|
|
||||||
|
return sess
|
||||||
}
|
}
|
||||||
baseCond += " AND issue.is_pull=?"
|
|
||||||
|
|
||||||
switch opts.FilterMode {
|
switch opts.FilterMode {
|
||||||
case FM_ALL, FM_ASSIGN:
|
case FM_ALL, FM_ASSIGN:
|
||||||
results, _ := x.Query(queryStr+baseCond, false, opts.IsPull)
|
stats.OpenCount, _ = countSession(opts).
|
||||||
stats.OpenCount = parseCountResult(results)
|
And("issue.is_closed = ?", false).
|
||||||
results, _ = x.Query(queryStr+baseCond, true, opts.IsPull)
|
Count(&Issue{})
|
||||||
stats.ClosedCount = parseCountResult(results)
|
|
||||||
|
|
||||||
|
stats.ClosedCount, _ = countSession(opts).
|
||||||
|
And("issue.is_closed = ?", true).
|
||||||
|
Count(&Issue{})
|
||||||
case FM_CREATE:
|
case FM_CREATE:
|
||||||
baseCond += " AND poster_id=?"
|
stats.OpenCount, _ = countSession(opts).
|
||||||
results, _ := x.Query(queryStr+baseCond, false, opts.IsPull, opts.UserID)
|
And("poster_id = ?", opts.UserID).
|
||||||
stats.OpenCount = parseCountResult(results)
|
And("issue.is_closed = ?", false).
|
||||||
results, _ = x.Query(queryStr+baseCond, true, opts.IsPull, opts.UserID)
|
Count(&Issue{})
|
||||||
stats.ClosedCount = parseCountResult(results)
|
|
||||||
|
|
||||||
|
stats.ClosedCount, _ = countSession(opts).
|
||||||
|
And("poster_id = ?", opts.UserID).
|
||||||
|
And("issue.is_closed = ?", true).
|
||||||
|
Count(&Issue{})
|
||||||
case FM_MENTION:
|
case FM_MENTION:
|
||||||
queryStr += " INNER JOIN `issue_user` ON `issue`.id=`issue_user`.issue_id"
|
stats.OpenCount, _ = countSession(opts).
|
||||||
baseCond += " AND `issue_user`.uid=? AND `issue_user`.is_mentioned=?"
|
Join("INNER", "issue_user", "issue.id = issue_user.issue_id").
|
||||||
results, _ := x.Query(queryStr+baseCond, false, opts.IsPull, opts.UserID, true)
|
And("issue_user.uid = ?", opts.UserID).
|
||||||
stats.OpenCount = parseCountResult(results)
|
And("issue_user.is_mentioned = ?", true).
|
||||||
results, _ = x.Query(queryStr+baseCond, true, opts.IsPull, opts.UserID, true)
|
And("issue.is_closed = ?", false).
|
||||||
stats.ClosedCount = parseCountResult(results)
|
Count(&Issue{})
|
||||||
|
|
||||||
|
stats.ClosedCount, _ = countSession(opts).
|
||||||
|
Join("INNER", "issue_user", "issue.id = issue_user.issue_id").
|
||||||
|
And("issue_user.uid = ?", opts.UserID).
|
||||||
|
And("issue_user.is_mentioned = ?", true).
|
||||||
|
And("issue.is_closed = ?", true).
|
||||||
|
Count(&Issue{})
|
||||||
}
|
}
|
||||||
return stats
|
return stats
|
||||||
}
|
}
|
||||||
|
@ -823,64 +840,70 @@ func GetIssueStats(opts *IssueStatsOptions) *IssueStats {
|
||||||
func GetUserIssueStats(repoID, uid int64, repoIDs []int64, filterMode int, isPull bool) *IssueStats {
|
func GetUserIssueStats(repoID, uid int64, repoIDs []int64, filterMode int, isPull bool) *IssueStats {
|
||||||
stats := &IssueStats{}
|
stats := &IssueStats{}
|
||||||
|
|
||||||
queryStr := "SELECT COUNT(*) FROM `issue` "
|
countSession := func(isClosed, isPull bool, repoID int64, repoIDs []int64) *xorm.Session {
|
||||||
baseCond := " WHERE issue.is_closed=?"
|
sess := x.Where("issue.is_closed = ?", isClosed).And("issue.is_pull = ?", isPull)
|
||||||
|
|
||||||
if repoID > 0 || len(repoIDs) == 0 {
|
if repoID > 0 || len(repoIDs) == 0 {
|
||||||
baseCond += " AND issue.repo_id=" + com.ToStr(repoID)
|
sess.And("issue.repo_id = ?", repoID)
|
||||||
} else {
|
} else {
|
||||||
baseCond += " AND issue.repo_id IN (" + strings.Join(base.Int64sToStrings(repoIDs), ",") + ")"
|
sess.In("issue.repo_id", repoIDs)
|
||||||
}
|
}
|
||||||
|
|
||||||
if isPull {
|
return sess
|
||||||
baseCond += " AND issue.is_pull=1"
|
|
||||||
} else {
|
|
||||||
baseCond += " AND issue.is_pull=0"
|
|
||||||
}
|
}
|
||||||
|
|
||||||
results, _ := x.Query(queryStr+baseCond+" AND assignee_id=?", false, uid)
|
stats.AssignCount, _ = countSession(false, isPull, repoID, repoIDs).
|
||||||
stats.AssignCount = parseCountResult(results)
|
And("assignee_id = ?", uid).
|
||||||
results, _ = x.Query(queryStr+baseCond+" AND poster_id=?", false, uid)
|
Count(&Issue{})
|
||||||
stats.CreateCount = parseCountResult(results)
|
|
||||||
|
stats.CreateCount, _ = countSession(false, isPull, repoID, repoIDs).
|
||||||
|
And("assignee_id = ?", uid).
|
||||||
|
Count(&Issue{})
|
||||||
|
|
||||||
|
openCountSession := countSession(false, isPull, repoID, repoIDs)
|
||||||
|
closedCountSession := countSession(true, isPull, repoID, repoIDs)
|
||||||
|
|
||||||
switch filterMode {
|
switch filterMode {
|
||||||
case FM_ASSIGN:
|
case FM_ASSIGN:
|
||||||
baseCond += " AND assignee_id=" + com.ToStr(uid)
|
openCountSession.And("assignee_id = ?", uid)
|
||||||
|
closedCountSession.And("assignee_id = ?", uid)
|
||||||
case FM_CREATE:
|
case FM_CREATE:
|
||||||
baseCond += " AND poster_id=" + com.ToStr(uid)
|
openCountSession.And("poster_id = ?", uid)
|
||||||
|
closedCountSession.And("poster_id = ?", uid)
|
||||||
}
|
}
|
||||||
|
|
||||||
results, _ = x.Query(queryStr+baseCond, false)
|
stats.OpenCount, _ = openCountSession.Count(&Issue{})
|
||||||
stats.OpenCount = parseCountResult(results)
|
stats.ClosedCount, _ = closedCountSession.Count(&Issue{})
|
||||||
results, _ = x.Query(queryStr+baseCond, true)
|
|
||||||
stats.ClosedCount = parseCountResult(results)
|
|
||||||
return stats
|
return stats
|
||||||
}
|
}
|
||||||
|
|
||||||
// GetRepoIssueStats returns number of open and closed repository issues by given filter mode.
|
// GetRepoIssueStats returns number of open and closed repository issues by given filter mode.
|
||||||
func GetRepoIssueStats(repoID, uid int64, filterMode int, isPull bool) (numOpen int64, numClosed int64) {
|
func GetRepoIssueStats(repoID, uid int64, filterMode int, isPull bool) (numOpen int64, numClosed int64) {
|
||||||
queryStr := "SELECT COUNT(*) FROM `issue` "
|
countSession := func(isClosed, isPull bool, repoID int64) *xorm.Session {
|
||||||
baseCond := " WHERE issue.repo_id=? AND issue.is_closed=?"
|
sess := x.Where("issue.repo_id = ?", isClosed).
|
||||||
|
And("issue.is_pull = ?", isPull).
|
||||||
|
And("issue.repo_id = ?", repoID)
|
||||||
|
|
||||||
if isPull {
|
return sess
|
||||||
baseCond += " AND issue.is_pull=1"
|
|
||||||
} else {
|
|
||||||
baseCond += " AND issue.is_pull=0"
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
openCountSession := countSession(false, isPull, repoID)
|
||||||
|
closedCountSession := countSession(true, isPull, repoID)
|
||||||
|
|
||||||
switch filterMode {
|
switch filterMode {
|
||||||
case FM_ASSIGN:
|
case FM_ASSIGN:
|
||||||
baseCond += " AND assignee_id=" + com.ToStr(uid)
|
openCountSession.And("assignee_id = ?", uid)
|
||||||
|
closedCountSession.And("assignee_id = ?", uid)
|
||||||
case FM_CREATE:
|
case FM_CREATE:
|
||||||
baseCond += " AND poster_id=" + com.ToStr(uid)
|
openCountSession.And("poster_id = ?", uid)
|
||||||
|
closedCountSession.And("poster_id = ?", uid)
|
||||||
}
|
}
|
||||||
|
|
||||||
results, _ := x.Query(queryStr+baseCond, repoID, false)
|
openResult, _ := openCountSession.Count(&Issue{})
|
||||||
numOpen = parseCountResult(results)
|
closedResult, _ := closedCountSession.Count(&Issue{})
|
||||||
results, _ = x.Query(queryStr+baseCond, repoID, true)
|
|
||||||
numClosed = parseCountResult(results)
|
return openResult, closedResult
|
||||||
return numOpen, numClosed
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func updateIssue(e Engine, issue *Issue) error {
|
func updateIssue(e Engine, issue *Issue) error {
|
||||||
|
|
|
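Review bot: In GetRepoIssueStats the rebuilt session binds the wrong value: `sess := x.Where("issue.repo_id = ?", isClosed).` compares repo_id against the closed flag and never applies is_closed, so open and closed counts no longer differ and the repository filter is effectively a boolean; it should read `sess := x.Where("issue.is_closed = ?", isClosed).` (the following `And("issue.repo_id = ?", repoID)` already supplies the repository). In GetUserIssueStats the CreateCount session repeats the assignee condition, `And("assignee_id = ?", uid).`, where the removed query used `poster_id=?`; it should be `And("poster_id = ?", uid).` so CreateCount does not duplicate AssignCount. Every `Count(&Issue{})` result discards its error with `_`, so a database failure or an unparseable label list silently yields zero counts, which undermines the point of this commit; at minimum log the error, or let these functions return it. In GetIssueStats the closure parameter `opts` shadows the enclosing function's `opts`, which is harmless here but easy to misread.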
@ -146,7 +146,7 @@ func Issues(ctx *context.Context) {
|
||||||
issueStats := models.GetIssueStats(&models.IssueStatsOptions{
|
issueStats := models.GetIssueStats(&models.IssueStatsOptions{
|
||||||
RepoID: repo.ID,
|
RepoID: repo.ID,
|
||||||
UserID: uid,
|
UserID: uid,
|
||||||
LabelID: com.StrTo(selectLabels).MustInt64(),
|
Labels: selectLabels,
|
||||||
MilestoneID: milestoneID,
|
MilestoneID: milestoneID,
|
||||||
AssigneeID: assigneeID,
|
AssigneeID: assigneeID,
|
||||||
FilterMode: filterMode,
|
FilterMode: filterMode,
|
||||||
|
|