feat: improve filter check

This commit is contained in:
Yang Luo
2026-04-06 12:21:24 +08:00
parent 1637ca1dfb
commit bac824cb4f
4 changed files with 30 additions and 10 deletions


@@ -318,10 +318,12 @@ func GetGroupUserCount(groupId string, field, value string) (int64, error) {
return int64(len(names)), nil
} else {
tableNamePrefix := conf.GetConfigString("tableNamePrefix")
return ormer.Engine.Table(tableNamePrefix+"user").
Where("owner = ?", owner).In("name", names).
And(fmt.Sprintf("user.%s like ?", util.CamelToSnakeCase(field)), "%"+value+"%").
Count()
session := ormer.Engine.Table(tableNamePrefix+"user").
Where("owner = ?", owner).In("name", names)
if util.FilterField(field) {
session = session.And(fmt.Sprintf("user.%s like ?", util.CamelToSnakeCase(field)), "%"+value+"%")
}
return session.Count()
}
}
@@ -345,7 +347,7 @@ func GetPaginationGroupUsers(groupId string, offset, limit int, field, value, so
session.Limit(limit, offset)
}
if field != "" && value != "" {
if field != "" && value != "" && util.FilterField(field) {
session = session.And(fmt.Sprintf("%s.%s like ?", prefixedUserTable, util.CamelToSnakeCase(field)), "%"+value+"%")
}
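Review bot: When `util.FilterField(field)` rejects the field name, the new `if util.FilterField(field) {` branch in GetGroupUserCount silently drops the LIKE clause and returns the count of every user in the group, so a caller passing an unsupported or malformed field gets an unfiltered result instead of a failure; the same silent drop happens in GetPaginationGroupUsers at `if field != "" && value != "" && util.FilterField(field) {`, where the full member list is returned. Returning an error keeps the rejection visible, e.g. `if field != "" && !util.FilterField(field) { return 0, fmt.Errorf("GetGroupUserCount: invalid filter field: %q", field) }` placed before the session is built. Note that FilterField returns false for an empty string (its pattern `^[A-Za-z0-9]+$` needs at least one character), so the count branch has to treat the no-filter case explicitly rather than rely on the whitelist alone. GetGroupUserCount begins before the hunk and GetPaginationGroupUsers extends beyond it.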


@@ -21,6 +21,7 @@ import (
"fmt"
"strings"
"github.com/casdoor/casdoor/util"
"github.com/go-sql-driver/mysql"
"golang.org/x/crypto/ssh"
)
@@ -122,6 +123,10 @@ func (p *DatabaseSyncerProvider) AddUser(user *OriginalUser) (bool, error) {
// UpdateUser updates an existing user in the database
func (p *DatabaseSyncerProvider) UpdateUser(user *OriginalUser) (bool, error) {
key := p.Syncer.getTargetTablePrimaryKey()
if !util.FilterSQLIdentifier(key) {
return false, fmt.Errorf("object.UpdateUser: invalid primary key column name: %s", key)
}
m := p.Syncer.getMapFromOriginalUser(user)
pkValue := m[key]
delete(m, key)
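Review bot: The new guard in UpdateUser formats the rejected primary-key name with `%s`; an empty or whitespace-only key, which FilterSQLIdentifier also rejects because its pattern requires a leading letter, then yields a message with nothing visible after the colon. `return false, fmt.Errorf("object.UpdateUser: invalid primary key column name: %q", key)` makes the offending value unambiguous in logs. The check sits before `delete(m, key)` and before whatever uses `key` later in the function, which continues past the hunk, so the ordering looks right; the value comes from `getTargetTablePrimaryKey()`, presumably syncer configuration rather than request input, though that is not visible here.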


@@ -37,6 +37,10 @@ func GetUserByField(organizationName string, field string, value string) (*User,
return nil, nil
}
if !util.FilterSQLIdentifier(field) {
return nil, nil
}
user := User{Owner: organizationName}
existed, err := ormer.Engine.Where(fmt.Sprintf("%s=?", strings.ToLower(field)), value).Get(&user)
if err != nil {
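Review bot: `if !util.FilterSQLIdentifier(field) { return nil, nil }` in GetUserByField makes a rejected field name indistinguishable from a legitimate miss: callers receive (nil, nil) exactly as when no user matches, so an invalid field name is never surfaced. Returning an error instead keeps the rejection observable, e.g. `return nil, fmt.Errorf("GetUserByField: invalid field name: %q", field)` (`fmt` is already used on the query line below). The earlier `return nil, nil` above the new check is presumably the empty-value guard, which is a different case and can stay as it is. The identifier check runs on the raw field while the query lower-cases it; since the whitelist is a pure character-class test, lower-casing cannot turn an accepted name into a rejected one. GetUserByField continues beyond the hunk.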


@@ -25,17 +25,19 @@ import (
)
var (
rePhone *regexp.Regexp
ReWhiteSpace *regexp.Regexp
ReFieldWhiteList *regexp.Regexp
ReUserName *regexp.Regexp
ReUserNameWithEmail *regexp.Regexp
rePhone *regexp.Regexp
ReWhiteSpace *regexp.Regexp
ReFieldWhiteList *regexp.Regexp
ReFieldWhiteListIdentifier *regexp.Regexp
ReUserName *regexp.Regexp
ReUserNameWithEmail *regexp.Regexp
)
func init() {
rePhone, _ = regexp.Compile(`(\d{3})\d*(\d{4})`)
ReWhiteSpace, _ = regexp.Compile(`\s`)
ReFieldWhiteList, _ = regexp.Compile(`^[A-Za-z0-9]+$`)
ReFieldWhiteListIdentifier, _ = regexp.Compile(`^[A-Za-z][A-Za-z0-9_]*$`)
ReUserName, _ = regexp.Compile("^[a-zA-Z0-9]+([-._][a-zA-Z0-9]+)*$")
ReUserNameWithEmail, _ = regexp.Compile(`^([a-zA-Z0-9]+([-._][a-zA-Z0-9]+)*)|([a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,})$`) // Add support for email formats
}
@@ -104,6 +106,13 @@ func FilterField(field string) bool {
return ReFieldWhiteList.MatchString(field)
}
// FilterSQLIdentifier validates that field is a safe SQL column identifier.
// It allows letters, digits, and underscores (e.g. "id_card", "created_time"),
// and requires the name to start with a letter to block numeric/special-char attacks.
func FilterSQLIdentifier(field string) bool {
return ReFieldWhiteListIdentifier.MatchString(field)
}
func IsValidOrigin(origin string) (bool, error) {
urlObj, err := url.Parse(origin)
if err != nil {
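Review bot: The doc comment on FilterSQLIdentifier says the pattern blocks "numeric/special-char attacks", but a name that passes it is still spliced into SQL unquoted by callers, and the whitelist accepts reserved words such as `order` or `group`, which break the query on backends where the word is reserved rather than being rejected here. Suggest stating the contract precisely: `// FilterSQLIdentifier reports whether field matches ^[A-Za-z][A-Za-z0-9_]*$; a match contains no SQL metacharacters and is safe to splice as an unquoted column name, but this does not check that the column exists or that the name is not a reserved word.` Separately, `ReFieldWhiteListIdentifier, _ = regexp.Compile(...)` in init follows the file's existing habit of discarding the compile error; a typo in the pattern would leave the variable nil and make the first `MatchString` call panic at request time, so `regexp.MustCompile`, which fails at startup with the pattern error, is the safer form for these package-level patterns. IsValidOrigin continues past the end of the hunk.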