IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

fix for CWE-89 (#43407)

Browse Source 
The sqlOrArgs unpacking seems to confuse CodeQL. Trying something simpler
This commit is contained in:
Daniel Lee 2021-12-21 19:04:56 +01:00 committed by GitHub
parent 6b0f5d464b
commit 93de61f690
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 46 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
pkg/services/sqlstore/annotation.go
View File

@ -237,32 +237,33 @@ func (r *SQLAnnotationRepo) Find(query *annotations.ItemQuery) ([]*annotations.I
func (r *SQLAnnotationRepo) Delete(params *annotations.DeleteParams) error { func (r *SQLAnnotationRepo) Delete(params *annotations.DeleteParams) error {
return inTransaction(func(sess *DBSession) error { return inTransaction(func(sess *DBSession) error {
var ( var (
sql string sql string
annoTagSQL string annoTagSQL string
queryParams []interface{}
) )
sqlog.Info("delete", "orgId", params.OrgId) sqlog.Info("delete", "orgId", params.OrgId)
if params.Id != 0 { if params.Id != 0 {
annoTagSQL = "DELETE FROM annotation_tag WHERE annotation_id IN (SELECT id FROM annotation WHERE id = ? AND org_id = ?)" annoTagSQL = "DELETE FROM annotation_tag WHERE annotation_id IN (SELECT id FROM annotation WHERE id = ? AND org_id = ?)"
sql = "DELETE FROM annotation WHERE id = ? AND org_id = ?" sql = "DELETE FROM annotation WHERE id = ? AND org_id = ?"
queryParams = []interface{}{params.Id, params.OrgId}
if _, err := sess.Exec(annoTagSQL, params.Id, params.OrgId); err != nil {
return err
}
if _, err := sess.Exec(sql, params.Id, params.OrgId); err != nil {
return err
}
} else { } else {
annoTagSQL = "DELETE FROM annotation_tag WHERE annotation_id IN (SELECT id FROM annotation WHERE dashboard_id = ? AND panel_id = ? AND org_id = ?)" annoTagSQL = "DELETE FROM annotation_tag WHERE annotation_id IN (SELECT id FROM annotation WHERE dashboard_id = ? AND panel_id = ? AND org_id = ?)"
sql = "DELETE FROM annotation WHERE dashboard_id = ? AND panel_id = ? AND org_id = ?" sql = "DELETE FROM annotation WHERE dashboard_id = ? AND panel_id = ? AND org_id = ?"
queryParams = []interface{}{params.DashboardId, params.PanelId, params.OrgId}
}
sqlOrArgs := append([]interface{}{annoTagSQL}, queryParams...) if _, err := sess.Exec(annoTagSQL, params.DashboardId, params.PanelId, params.OrgId); err != nil {
return err
}
if _, err := sess.Exec(sqlOrArgs...); err != nil { if _, err := sess.Exec(sql, params.DashboardId, params.PanelId, params.OrgId); err != nil {
return err return err
} }
sqlOrArgs = append([]interface{}{sql}, queryParams...)
if _, err := sess.Exec(sqlOrArgs...); err != nil {
return err
} }
return nil return nil

30
pkg/services/sqlstore/annotation_test.go
View File

@ -253,6 +253,36 @@ func TestAnnotations(t *testing.T) {
assert.Empty(t, items) assert.Empty(t, items)
}) })
t.Run("Can delete annotation using dashboard id and panel id", func(t *testing.T) {
annotation3 := &annotations.Item{
OrgId: 1,
UserId: 1,
DashboardId: 3,
Text: "toBeDeletedWithPanelId",
Type: "alert",
Epoch: 11,
Tags: []string{"test"},
}
err = repo.Save(annotation3)
require.NoError(t, err)
query := &annotations.ItemQuery{
OrgId: 1,
AnnotationId: annotation3.Id,
}
items, err := repo.Find(query)
require.NoError(t, err)
dashboardId := items[0].DashboardId
panelId := items[0].PanelId
err = repo.Delete(&annotations.DeleteParams{DashboardId: dashboardId, PanelId: panelId, OrgId: 1})
require.NoError(t, err)
items, err = repo.Find(query)
require.NoError(t, err)
assert.Empty(t, items)
})
t.Run("Should find tags by key", func(t *testing.T) { t.Run("Should find tags by key", func(t *testing.T) {
result, err := repo.FindTags(&annotations.TagsQuery{ result, err := repo.FindTags(&annotations.TagsQuery{
OrgID: 1, OrgID: 1,