fix for CWE-89 (#43407)

The sqlOrArgs unpacking seems to confuse CodeQL. Trying something simpler
2025-02-25 18:55:37 -06:00 · 2021-12-21 19:04:56 +01:00 · 2021-12-21 19:04:56 +01:00 · 93de61f690
commit 93de61f690
parent 6b0f5d464b
2 changed files with 46 additions and 15 deletions
--- a/pkg/services/sqlstore/annotation.go
+++ b/pkg/services/sqlstore/annotation.go
@ -237,32 +237,33 @@ func (r *SQLAnnotationRepo) Find(query *annotations.ItemQuery) ([]*annotations.I
 func (r *SQLAnnotationRepo) Delete(params *annotations.DeleteParams) error {
 	return inTransaction(func(sess *DBSession) error {
 		var (
-			sql         string
-			annoTagSQL  string
-			queryParams []interface{}
+			sql        string
+			annoTagSQL string
 		)

 		sqlog.Info("delete", "orgId", params.OrgId)
 		if params.Id != 0 {
 			annoTagSQL = "DELETE FROM annotation_tag WHERE annotation_id IN (SELECT id FROM annotation WHERE id = ? AND org_id = ?)"
 			sql = "DELETE FROM annotation WHERE id = ? AND org_id = ?"
-			queryParams = []interface{}{params.Id, params.OrgId}
+
+			if _, err := sess.Exec(annoTagSQL, params.Id, params.OrgId); err != nil {
+				return err
+			}
+
+			if _, err := sess.Exec(sql, params.Id, params.OrgId); err != nil {
+				return err
+			}
 		} else {
 			annoTagSQL = "DELETE FROM annotation_tag WHERE annotation_id IN (SELECT id FROM annotation WHERE dashboard_id = ? AND panel_id = ? AND org_id = ?)"
 			sql = "DELETE FROM annotation WHERE dashboard_id = ? AND panel_id = ? AND org_id = ?"
-			queryParams = []interface{}{params.DashboardId, params.PanelId, params.OrgId}
-		}

-		sqlOrArgs := append([]interface{}{annoTagSQL}, queryParams...)
+			if _, err := sess.Exec(annoTagSQL, params.DashboardId, params.PanelId, params.OrgId); err != nil {
+				return err
+			}

-		if _, err := sess.Exec(sqlOrArgs...); err != nil {
-			return err
-		}
-
-		sqlOrArgs = append([]interface{}{sql}, queryParams...)
-
-		if _, err := sess.Exec(sqlOrArgs...); err != nil {
-			return err
+			if _, err := sess.Exec(sql, params.DashboardId, params.PanelId, params.OrgId); err != nil {
+				return err
+			}
 		}

 		return nil
--- a/pkg/services/sqlstore/annotation_test.go
+++ b/pkg/services/sqlstore/annotation_test.go
@ -253,6 +253,36 @@ func TestAnnotations(t *testing.T) {
 			assert.Empty(t, items)
 		})

+		t.Run("Can delete annotation using dashboard id and panel id", func(t *testing.T) {
+			annotation3 := &annotations.Item{
+				OrgId:       1,
+				UserId:      1,
+				DashboardId: 3,
+				Text:        "toBeDeletedWithPanelId",
+				Type:        "alert",
+				Epoch:       11,
+				Tags:        []string{"test"},
+			}
+			err = repo.Save(annotation3)
+			require.NoError(t, err)
+
+			query := &annotations.ItemQuery{
+				OrgId:        1,
+				AnnotationId: annotation3.Id,
+			}
+			items, err := repo.Find(query)
+			require.NoError(t, err)
+
+			dashboardId := items[0].DashboardId
+			panelId := items[0].PanelId
+			err = repo.Delete(&annotations.DeleteParams{DashboardId: dashboardId, PanelId: panelId, OrgId: 1})
+			require.NoError(t, err)
+
+			items, err = repo.Find(query)
+			require.NoError(t, err)
+			assert.Empty(t, items)
+		})
+
 		t.Run("Should find tags by key", func(t *testing.T) {
 			result, err := repo.FindTags(&annotations.TagsQuery{
 				OrgID: 1,