[smartpl] Escape value fields (protect against SQL injections)

2024-12-28 08:05:56 -05:00 · 2022-01-12 17:17:02 +01:00 · 2022-01-12 17:17:02 +01:00 · 7b93336cab
commit 7b93336cab
parent 074ad56ca1
1 changed files with 24 additions and 0 deletions
--- a/src/parsers/smartpl_parser.y
+++ b/src/parsers/smartpl_parser.y
@ -184,6 +184,22 @@ int smartpl_lex_parse(struct smartpl_result *result, const char *input);
 #define INVERT_MASK 0x80000000
 }

+/* Dependencies, mocked or real */
+%code top {
+#ifndef DEBUG_PARSER_MOCK
+#include "db.h"
+#else
+static char * db_escape_string(const char *str)
+{
+  char *new = strdup(str);
+  char *ptr;
+  while ((ptr = strpbrk(new, "\\'")))
+   *ptr = 'X';
+  return new;
+}
+#endif
+}
+
 /* Definition of struct that will hold the parsing result */
 %code requires {
 struct result_part {
@ -221,6 +237,13 @@ enum sql_append_type {

 static void sql_from_ast(struct smartpl_result *, struct result_part *, struct ast *);

+static void sql_str_escape(char **value)
+{
+  char *old = *value;
+  *value = db_escape_string(old);
+  free(old);
+}
+
 static void sql_append(struct smartpl_result *result, struct result_part *part, const char *fmt, ...)
 {
  va_list ap;
@ -273,6 +296,7 @@ static void sql_append_recursive(struct smartpl_result *result, struct result_pa
    case SQL_APPEND_STR:
      assert(a->l == NULL);
      assert(a->r == NULL);
+      sql_str_escape((char **)&a->data);
      sql_append(result, part, "%s", (char *)a->data);
      break;
    case SQL_APPEND_INT: