Verified Commit 43bdd02b authored by Vasili Novikov's avatar Vasili Novikov

disallow using invalid column names

parent 7e700e19
Showing with 167 additions and 7 deletions
+167 -7
ALTER TABLE edges ADD label TEXT;
ALTER TABLE edges ADD order INTEGER;
ALTER TABLE edges ADD sequence INTEGER;
use crate::sql_converters::validate_field_name;
use lazy_static::lazy_static;
use log::info;
use r2d2::Pool;
......@@ -98,6 +99,11 @@ fn get_column_info(
let columns = parsed_schema.types.iter().flat_map(|t| &t.columns);
let columns_grouped = group_by(columns, |c| c.name.to_lowercase());
for (column_name, column_group) in columns_grouped {
assert!(
validate_field_name(&column_name).is_ok(),
"Failed to add invalid column name {}",
column_name
);
if MANDATORY_ITEMS_FIELDS.contains(&column_name.as_str()) {
continue;
}
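Review bot: The new `assert!` turns a schema column name that fails `validate_field_name` into a process panic at the point `get_column_info` runs, which is a hard abort rather than a reported error; if `get_column_info` returns a `Result` (its signature and return type lie outside this hunk), the same check can be propagated as `validate_field_name(&column_name)?` so the caller sees the offending name instead of a crash. Note also that `column_name` here is the lowercased form from `group_by(columns, |c| c.name.to_lowercase())`, so what gets validated is the normalised name, not the spelling in the schema file; the assertion message should probably say so, e.g. `"Invalid column name {} (compared case-insensitively)"`. The enclosing function starts before and ends after this hunk.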
......
......@@ -7,6 +7,7 @@ use rusqlite::Rows;
use rusqlite::ToSql;
use serde_json::Map;
use serde_json::Value;
use std::collections::HashSet;
use warp::http::status::StatusCode;
/// Convert an SQLite result set into array of JSON objects
......@@ -71,11 +72,6 @@ pub fn borrow_sql_params<'a>(
.collect()
}
// pub fn datetime_to_sqlite<'a>(dt: DateTime<Utc>) -> ToSqlOutput<'a> {
// let milliseconds = dt.timestamp_millis();
// ToSqlOutput::Owned(rusqlite::types::Value::from(milliseconds))
// }
pub fn json_value_to_sqlite_parameter(json: &Value) -> ToSqlOutput<'_> {
match json {
Value::Null => ToSqlOutput::Borrowed(ValueRef::Null),
......@@ -101,7 +97,7 @@ pub fn validate_field_name(field: &str) -> crate::error::Result<()> {
lazy_static! {
static ref REGEXP: Regex = Regex::new(r"^[a-zA-Z]{1,18}$").expect("Cannot create regex");
}
if REGEXP.is_match(field) {
if REGEXP.is_match(field) && !BLACKLIST_COLUMN_NAMES.contains(field) {
Ok(())
} else {
Err(crate::error::Error {
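Review bot: The new condition `!BLACKLIST_COLUMN_NAMES.contains(field)` is a case-sensitive `HashSet` lookup against an all-uppercase keyword list, while SQLite keywords are case-insensitive, so a field named `order`, `Select` or `Where` still passes validation and is only rejected later by SQLite (or, worse, silently changes the meaning of a generated statement). The `get_column_info` hunk makes this concrete: it lowercases every name before calling this function, so the keyword part of the check can never fire there. Since the regex on the line above already restricts the input to ASCII letters, normalising before the lookup is enough: `if REGEXP.is_match(field) && !BLACKLIST_COLUMN_NAMES.contains(&field.to_ascii_uppercase()) {`. `validate_field_name` starts and ends outside this hunk.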
......@@ -110,3 +106,161 @@ pub fn validate_field_name(field: &str) -> crate::error::Result<()> {
})
}
}
// Taken from the official documentation https://www.sqlite.org/lang_keywords.html
const BLACKLIST_COLUMN_NAMES_ARRAY: &[&str] = &[
"ABORT",
"ACTION",
"ADD",
"AFTER",
"ALL",
"ALTER",
"ALWAYS",
"ANALYZE",
"AND",
"AS",
"ASC",
"ATTACH",
"AUTOINCREMENT",
"BEFORE",
"BEGIN",
"BETWEEN",
"BY",
"CASCADE",
"CASE",
"CAST",
"CHECK",
"COLLATE",
"COLUMN",
"COMMIT",
"CONFLICT",
"CONSTRAINT",
"CREATE",
"CROSS",
"CURRENT",
"CURRENT_DATE",
"CURRENT_TIME",
"CURRENT_TIMESTAMP",
"DATABASE",
"DEFAULT",
"DEFERRABLE",
"DEFERRED",
"DELETE",
"DESC",
"DETACH",
"DISTINCT",
"DO",
"DROP",
"EACH",
"ELSE",
"END",
"ESCAPE",
"EXCEPT",
"EXCLUDE",
"EXCLUSIVE",
"EXISTS",
"EXPLAIN",
"FAIL",
"FILTER",
"FIRST",
"FOLLOWING",
"FOR",
"FOREIGN",
"FROM",
"FULL",
"GENERATED",
"GLOB",
"GROUP",
"GROUPS",
"HAVING",
"IF",
"IGNORE",
"IMMEDIATE",
"IN",
"INDEX",
"INDEXED",
"INITIALLY",
"INNER",
"INSERT",
"INSTEAD",
"INTERSECT",
"INTO",
"IS",
"ISNULL",
"JOIN",
"KEY",
"LAST",
"LEFT",
"LIKE",
"LIMIT",
"MATCH",
"NATURAL",
"NO",
"NOT",
"NOTHING",
"NOTNULL",
"NULL",
"NULLS",
"OF",
"OFFSET",
"ON",
"OR",
"ORDER",
"OTHERS",
"OUTER",
"OVER",
"PARTITION",
"PLAN",
"PRAGMA",
"PRECEDING",
"PRIMARY",
"QUERY",
"RAISE",
"RANGE",
"RECURSIVE",
"REFERENCES",
"REGEXP",
"REINDEX",
"RELEASE",
"RENAME",
"REPLACE",
"RESTRICT",
"RIGHT",
"ROLLBACK",
"ROW",
"ROWS",
"SAVEPOINT",
"SELECT",
"SET",
"TABLE",
"TEMP",
"TEMPORARY",
"THEN",
"TIES",
"TO",
"TRANSACTION",
"TRIGGER",
"UNBOUNDED",
"UNION",
"UNIQUE",
"UPDATE",
"USING",
"VACUUM",
"VALUES",
"VIEW",
"VIRTUAL",
"WHEN",
"WHERE",
"WINDOW",
"WITH",
"WITHOUT",
];
lazy_static! {
pub static ref BLACKLIST_COLUMN_NAMES: HashSet<String> = {
BLACKLIST_COLUMN_NAMES_ARRAY
.iter()
.map(|w| w.to_string())
.collect()
};
}
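Review bot: `BLACKLIST_COLUMN_NAMES` is built as a `HashSet<String>` by calling `to_string()` on every `&'static str` in `BLACKLIST_COLUMN_NAMES_ARRAY`, which allocates once per keyword for no benefit; a `HashSet<&'static str>` collected directly (`BLACKLIST_COLUMN_NAMES_ARRAY.iter().copied().collect()`) stores the same data, and `contains(field)` with a `&str` argument still works through the `Borrow<str>` impl. Separately, the three entries containing an underscore (`CURRENT_DATE`, `CURRENT_TIME`, `CURRENT_TIMESTAMP`) can never reach the set lookup because the regex `^[a-zA-Z]{1,18}$` in `validate_field_name` rejects `_` first; they are harmless, but a comment such as `// entries with '_' are unreachable via validate_field_name's regex; kept for completeness against the upstream list` would save the next reader from wondering whether the regex or the list is wrong. The comment above the array cites the SQLite keyword page, which is good; adding the date or SQLite version the list was copied from would make it possible to notice when it drifts.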