🙊 escape sql strings

This commit is contained in:
Carl-Gerhard Lindesvärd
2024-03-28 15:57:13 +01:00
parent 40b98f36a4
commit ecf68463c9
16 changed files with 104 additions and 56 deletions


@@ -24,6 +24,7 @@
"pino-pretty": "^10.3.1",
"ramda": "^0.29.1",
"sharp": "^0.33.2",
"sqlstring": "^2.3.3",
"ua-parser-js": "^1.0.37",
"url-metadata": "^4.1.0",
"uuid": "^9.0.1"
@@ -34,6 +35,7 @@
"@openpanel/sdk": "workspace:*",
"@openpanel/tsconfig": "workspace:*",
"@types/ramda": "^0.29.6",
"@types/sqlstring": "^2.3.2",
"@types/ua-parser-js": "^0.7.39",
"@types/uuid": "^9.0.8",
"@types/ws": "^8.5.10",


@@ -5,6 +5,7 @@ import { isUserAgentSet, parseUserAgent } from '@/utils/parseUserAgent';
import { isSameDomain, parsePath } from '@/utils/url';
import type { FastifyReply, FastifyRequest } from 'fastify';
import { omit } from 'ramda';
import { escape } from 'sqlstring';
import { v4 as uuid } from 'uuid';
import { generateDeviceId, getTime, toISOString } from '@openpanel/common';
@@ -103,7 +104,7 @@ export async function postEvent(
const [event] = await withTiming(
'Get last event (server-event)',
getEvents(
`SELECT * FROM events WHERE name = 'screen_view' AND profile_id = '${profileId}' AND project_id = '${projectId}' ORDER BY created_at DESC LIMIT 1`
`SELECT * FROM events WHERE name = 'screen_view' AND profile_id = ${escape(profileId)} AND project_id = ${escape(projectId)} ORDER BY created_at DESC LIMIT 1`
)
);
@@ -212,7 +213,7 @@ export async function postEvent(
'Get session start event',
Promise.all([
getEvents(
`SELECT * FROM events WHERE name = 'session_start' AND device_id = '${deviceId}' AND project_id = '${projectId}' ORDER BY created_at DESC LIMIT 1`
`SELECT * FROM events WHERE name = 'session_start' AND device_id = ${escape(deviceId)} AND project_id = ${escape(projectId)} ORDER BY created_at DESC LIMIT 1`
),
findJobByPrefix(eventsQueue, `event:${projectId}:${deviceId}:`),
])
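Review bot: The queries at L43 and L51 still build SQL by string interpolation; `escape()` makes each interpolated literal safe, but the query text itself remains the trust boundary, and the same pattern is used in the test handler at L68. If the client behind `getEvents` supports bound parameters, passing `profileId` and `projectId` as parameters would remove the need to escape at every call site. sqlstring implements MySQL literal-quoting rules; the page does not show which database `getEvents` targets, so confirm its string-literal syntax matches before relying on this for all inputs. postEvent's body starts before and continues past both hunks.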


@@ -1,4 +1,5 @@
import type { FastifyReply, FastifyRequest } from 'fastify';
import { escape } from 'sqlstring';
import type * as WebSocket from 'ws';
import { getSafeJson } from '@openpanel/common';
@@ -19,7 +20,7 @@ export async function test(
reply: FastifyReply
) {
const [event] = await getEvents(
`SELECT * FROM events WHERE project_id = '${req.params.projectId}' AND name = 'screen_view' LIMIT 1`
`SELECT * FROM events WHERE project_id = ${escape(req.params.projectId)} AND name = 'screen_view' LIMIT 1`
);
if (!event) {
return reply.status(404).send('No event found');
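Review bot: The template at L68 correctly drops the single quotes the old line had, because `escape()` returns an already-quoted literal, but nothing in the code says so and a later edit could re-add them and produce a doubly-quoted value. A short comment above the `getEvents` call would make the contract visible, e.g. `// escape() returns a quoted literal; do not wrap it in quotes again`. The body of `test` continues past the hunk.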