master

分支 (9)

标签 (52)

管理

管理

master

dependabot/go_modules/gorm.io/datatypes-1.0.3

fix/updates

feature/generate

dev

wsy

idersec

doc

lzq

v0.1.17

v0.1.17-rc.2

v0.1.17-rc.1

v0.1.16

v0.1.15

v0.1.14

v0.1.13

v0.1.13-alpha

v0.1.12

v0.1.11

v0.1.10

v0.1.9.1

v0.1.9

v0.1.9-alpha

v0.1.8

v0.1.7

v0.1.7-alpha

v0.1.6

v0.1.5

v0.1.5-alpha

gen
/
sec_check.go

package gen

import (
	"fmt"

	"gorm.io/gorm/clause"
	"gorm.io/hints"
)

func checkConds(conds []clause.Expression) error {
	for _, cond := range conds {
		if err := checkClause(cond); err != nil {
			return err
		}
	}
	return nil
}

var banClauses = map[string]bool{
	"INSERT": true,
	"VALUES": true,
	// "ON CONFLICT": true,
	"SELECT":   true,
	"FROM":     true,
	"WHERE":    true,
	"GROUP BY": true,
	"ORDER BY": true,
	"LIMIT":    true,
	"FOR":      true,
	"UPDATE":   true,
	"SET":      true,
	"DELETE":   true,
}

func checkClause(cond clause.Expression) error {
	switch cond := cond.(type) {
	case hints.Hints, hints.IndexHint:
		return nil
	case clause.OnConflict:
		return checkOnConflict(cond)
	case clause.Interface:
		if banClauses[cond.Name()] {
			return fmt.Errorf("clause %s is banned", cond.Name())
		}
		return nil
	}
	return fmt.Errorf("unknown clause %v", cond)
}

func checkOnConflict(cond clause.OnConflict) error {
	for _, item := range cond.DoUpdates {
		switch item.Value.(type) {
		case clause.Expr, *clause.Expr:
			return fmt.Errorf("OnConflict clause assignment with gorm.Expr is banned for security reasons for now")
		}
	}
	return nil
}