semaphore icon indicating copy to clipboard operation
semaphore copied to clipboard
verified publisher icon semaphoreui

Fix code scanning alert no. 8: Database query built from user-controlled sources

Open fiftin opened this issue 1 year ago • 0 comments

Fixes https://github.com/semaphoreui/semaphore/security/code-scanning/8

To fix the problem, we need to ensure that user-controlled values are safely embedded into the SQL query. This can be achieved by using parameterized queries or prepared statements. Specifically, we should avoid directly concatenating the orderColumn and orderDirection into the query string. Instead, we can use the squirrel library's methods to safely construct the query.

  1. Modify the getObjectsByReferrer function to use parameterized queries for the ORDER BY clause.
  2. Ensure that the orderColumn and orderDirection values are safely embedded into the query using the squirrel.Expr method.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

fiftin avatar Sep 28 '24 12:09 fiftin