Hotfix: sql sanitzer now checks if parameter is a number

Timo John 2020-06-24 13:23:48 +02:00
parent 8c296e9397
commit 3ae3aca9a5
7 changed files with 47 additions and 15 deletions


@ -1,4 +1,6 @@
const router = require("express").Router()
// Models
const handleClimateUpdate = require("../models/handleClimateUpdate.js")
module.exports = dbConn => {


@ -1,8 +1,11 @@
const router = require("express").Router();
// Models
const getCountries = require("../models/getCountries.js");
const getCountryById = require("../models/getCountryById.js");
const sqlstring = require("sqlstring")
// Utils
const sqlSanitzer = require("../util/sqlstring_sanitizer.js")
module.exports = dbConn => {
router.get("/api/v1/countries", async (req, res) => {
@ -10,7 +13,7 @@ module.exports = dbConn => {
});
router.get("/api/v1/countries/:id", async (req, res) => {
const id = sqlstring.escape(req.params.id);
const id = sqlSanitzer(req.params.id);
res.json(await getCountryById(dbConn, id))
});
return router;
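Review bot: `sqlSanitzer(req.params.id)` in the `/api/v1/countries/:id` handler changes what reaches `getCountryById`: a numeric id now arrives unquoted while any other id arrives as a quoted literal, which only makes sense if the model (not visible here) interpolates the value into its SQL string. The same pattern is introduced in the regions routes (`/api/v1/regions/:id`, `/api/v1/regions/:id/nearby`) and the update routes (`/api/v1/update/regions/:id/nearby`, `.../nearby/imgurl`). If the driver supports placeholders, passing the raw `req.params.id` and letting the model bind it (`dbConn.query("... WHERE id = ?", [id])`) removes the need for the sanitizer; otherwise validate the id in the route, `const id = Number.parseInt(req.params.id, 10); if (!Number.isInteger(id)) return res.status(400).end();`. If the `const sqlstring = require("sqlstring")` line survives this change, it no longer has a use in the hunks shown.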


@ -1,8 +1,13 @@
const router = require("express").Router()
// Models
const getPlace = require("../models/getPlace.js")
const getPlaceNearby = require("../models/getPlaceNearby.js")
const getPlacePhoto = require("../models/getPlacePhoto.js")
// Utils
const sqlSanitzer = require("../util/sqlstring_sanitizer.js")
module.exports = dbConn => {
router.get("/api/v1/place", async (req, res) => {
const place = await getPlace(req.query.q)
@ -10,14 +15,14 @@ module.exports = dbConn => {
});
router.get("/api/v1/place/nearby", async (req, res) => {
const lat = sqlstring.escape(req.query.lat)
const lng = sqlstring.escape(req.query.lng)
const lat = req.query.lat
const lng = req.query.lng
const place = await getPlaceNearby(lat, lng)
res.json(place)
});
router.get("/api/v1/place/photo", async (req, res) => {
const photoref = sqlstring.escape(req.query.photoref)
const photoref = req.query.photoref
const photo = await getPlacePhoto(photoref)
res.json(photo)
});
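Review bot: `sqlSanitzer` is required at the top of this file but nothing in these hunks uses it, while the `nearby` and `photo` handlers now hand `req.query.lat`, `req.query.lng` and `req.query.photoref` to the models with no validation at all (the previous `sqlstring.escape` was dropped, not replaced). The models are not visible here; if they build an outbound request or query from these values, the route should at least require lat/lng to be strings that parse to finite numbers, `const lat = Number(req.query.lat); if (typeof req.query.lat !== "string" || !Number.isFinite(lat)) return res.status(400).end();` (and the same for `lng`), and treat `photoref` as an opaque string that whatever builds the request URL-encodes. The `typeof` check matters because `req.query` values can be arrays or objects (`?lat[]=1`), not only strings.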


@ -1,17 +1,21 @@
const router = require("express").Router();
// Models
const getRegions = require("../models/getRegions.js");
const getRegionById = require("../models/getRegionById.js");
const getRegionNearbyById = require("../models/getRegionNearbyById.js")
// Utils
const path = require("path");
const fs = require("fs");
const _ = require('lodash')
const sqlstring = require("sqlstring")
const sqlSanitzer = require("../util/sqlstring_sanitizer.js")
module.exports = dbConn => {
router.get("/api/v1/regions", async (req, res) => {
const data = await getRegions(dbConn)
if (req.query.randomize) {
const randomize = sqlstring.escape(req.query.randomize)
const randomize = sqlSanitzer(req.query.randomize)
res.json(_.sampleSize(data, randomize))
} else {
res.json(data);
@ -19,7 +23,9 @@ module.exports = dbConn => {
});
router.get("/api/v1/regions/:id", async (req, res) => {
const id = sqlstring.escape(req.params.id);
console.log(typeof req.params.id)
const id = sqlSanitzer(req.params.id);
console.log(id)
res.json(await getRegionById(dbConn, id))
});
@ -32,7 +38,7 @@ module.exports = dbConn => {
})
router.get("/api/v1/regions/:id/nearby", async (req,res) => {
const id = sqlstring.escape(req.params.id);
const id = sqlSanitzer(req.params.id);
res.json(await getRegionNearbyById(dbConn,id))
});
return router;
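Review bot: The `console.log(typeof req.params.id)` and `console.log(id)` lines in the `/api/v1/regions/:id` handler look like debugging leftovers and write every request's id to stdout; remove them before merging. In the `/api/v1/regions` handler, `randomize` never reaches SQL — it goes to `_.sampleSize` — so routing it through `sqlSanitzer` only means a non-numeric value becomes a quoted string such as `'abc'`, which lodash coerces to 0; a plain integer parse is clearer, `const randomize = Number.parseInt(req.query.randomize, 10);` guarded with `Number.isInteger(randomize)`. If `const sqlstring = require("sqlstring")` still remains in this file after the change, it has no use left in the hunks shown.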


@ -1,14 +1,17 @@
const router = require("express").Router();
const _ = require('lodash')
// Models
const getRegions = require('../models/getRegions.js');
const getSearchPresets = require("../models/getSearchPresets.js");
// Utils
const _ = require('lodash')
const base64 = require("../util/base64.js")
const sas = require("../util/scoreAndSearch.js");
const oldToNewQuerySyntax = require("../util/oldToNewQuerySyntax.js")
const getRegions = require('../models/getRegions.js');
const { allTagsWithValues, getUniqueTags } = require("../models/getTags.js");
const { getClimateMinMax } = require("../util/getClimateMinMax.js");
module.exports = dbConn => {
router.get("/api/v1/search", searchHandler(dbConn));
router.get("/api/v1/search/presets", presetHandler(dbConn));


@ -1,9 +1,13 @@
const router = require("express").Router();
// Models
const handleUpdateRegionNearby = require("../models/handleUpdateRegionNearby.js")
const handleUpdateRegionNearbyById = require("../models/handleUpdateRegionNearbyById.js")
const handleUpdateRegionNearbyImgUrl = require("../models/handleUpdateRegionNearbyImgUrl.js")
const handleUpdateRegionNearbyImgUrlById = require("../models/handleUpdateRegionNearbyImgUrlById.js")
const sqlstring = require("sqlstring")
// Utils
const sqlSanitzer = require("../util/sqlstring_sanitizer.js")
module.exports = dbConn => {
router.patch("/api/v1/update/regions/all/nearby", async (req, res) => {
@ -15,7 +19,7 @@ module.exports = dbConn => {
});
router.patch("/api/v1/update/regions/:id/nearby", async (req, res) => {
const id = sqlstring.escape(req.params.id);
const id = sqlSanitzer(req.params.id);
res.json(await handleUpdateRegionNearbyById(dbConn, id))
});
@ -24,7 +28,7 @@ module.exports = dbConn => {
});
router.patch("/api/v1/update/regions/:id/nearby/imgurl", async (req, res) => {
const id = sqlstring.escape(req.params.id);
const id = sqlSanitzer(req.params.id);
res.json(await handleUpdateRegionNearbyImgUrlById(dbConn, id))
});


@ -0,0 +1,9 @@
const sqlstring = require("sqlstring")
module.exports = (val) => {
if(!isNaN(val)) {
return val
} else {
return sqlstring.escape(val)
}
};
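Review bot: The check at `if(!isNaN(val))` uses the coercing global `isNaN`, so values that are not SQL number literals pass through unescaped: `""`, `" "`, `null`, `true`, `"0x1f"`, `"1e3"` and a one-element array from `req.query` (`?id[]=1`) all make `isNaN` return false and are returned as-is, while `undefined` comes back as the string `'NULL'`. The intent appears to be to leave integer ids unquoted and quote everything else; restricting the pass-through to strings that match a plain decimal literal makes that explicit and keeps non-string inputs (arrays, objects) on the escaped path. Either way the result is a single SQL literal and must only be interpolated where one literal is expected, which is worth stating in a JSDoc line such as `/** Returns val unquoted if it is a plain decimal number, otherwise a quoted SQL literal via sqlstring.escape; interpolate only where a single literal is expected. */`.
```javascript
const DECIMAL_LITERAL = /^-?\d+(\.\d+)?$/;

module.exports = (val) => {
  // Only a string that is a plain decimal literal is passed through
  // unquoted; everything else (including arrays/objects from req.query)
  // becomes a quoted SQL literal.
  if (typeof val === "string" && DECIMAL_LITERAL.test(val)) {
    return val
  }
  return sqlstring.escape(val)
};
```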