fix missing allowlisting leading to bsqli

Signed-off-by: Ronni Skansing <rskansing@gmail.com>
This commit is contained in:
Ronni Skansing
2026-02-08 02:23:04 +01:00
parent 0c9faec382
commit c7e666da9a
2 changed files with 9 additions and 1 deletions


@@ -3,6 +3,7 @@ package repository
import (
"context"
"fmt"
"slices"
"strconv"
"time"
@@ -383,6 +384,10 @@ func (r *Recipient) GetOrphaned(
// apply query args for sorting/pagination if provided
if options.QueryArgs != nil {
if options.QueryArgs.OrderBy != "" {
// validate orderBy against allowlist
if !slices.Contains(allowdRecipientColumns, options.QueryArgs.OrderBy) {
return result, fmt.Errorf("invalid order by column: %s", options.QueryArgs.OrderBy)
}
direction := "ASC"
if options.QueryArgs.Desc {
direction = "DESC"
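Review bot: The rejection on line 26 echoes the caller-supplied column name with `%s`; since this is exactly the untrusted value the allowlist just refused, format it with `%q` so an empty or control-character value is visible and escaped wherever the error is logged or surfaced: `return result, fmt.Errorf("invalid order by column: %q", options.QueryArgs.OrderBy)`. The allowlist identifier `allowdRecipientColumns` is declared outside the hunk and looks misspelled (`allowedRecipientColumns`); fixing the name in the same series keeps it greppable alongside any sibling allowlists. GetOrphaned begins and ends outside the hunk, so I cannot see whether `options.QueryArgs.OrderBy` reaches another query string in this function or in other repository methods without this check; if it does, the validation belongs in one shared helper rather than being repeated at each call site.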


@@ -60,12 +60,15 @@ func (q *QueryArgs) DefaultSortBy(column string) {
}
}
// RemapOrderBy remaps the order by column
// RemapOrderBy remaps the order by column using the provided mapping.
// if the column is not found in the mapping, it is cleared to prevent SQL injection.
func (q *QueryArgs) RemapOrderBy(m map[string]string) {
if q.OrderBy == "" {
return
}
if v, ok := m[q.OrderBy]; ok {
q.OrderBy = v
} else {
q.OrderBy = ""
}
}
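Review bot: Clearing `q.OrderBy` on a missing key (lines 46–47) silently discards the caller's sort request, so an unsupported or mistyped column degrades to default ordering with no signal; if the HTTP layer should reject such requests rather than quietly reorder, have the method report the outcome, e.g. `func (q *QueryArgs) RemapOrderBy(m map[string]string) bool`, which would require updating callers outside this hunk. As written, the if/else can collapse to one assignment because a missing map key yields the zero value: `q.OrderBy = m[q.OrderBy] // unknown column maps to "" and is dropped`. The comment on line 39 should start with a capital letter to match the sentence above it: `// If the column is not found in the mapping, it is cleared to prevent SQL injection.`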