From 81c17a7e2529c59efc4e74c5b32c1fb71fb12fa2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Emir=20Beganovi=C4=87?= Date: Wed, 25 Sep 2019 13:22:43 +0200 Subject: [PATCH] Revert "Fix #2517 : Check for incomplete parentheses to prevent SQL injection." (#2674) This reverts commit e3cc5ea4d403078a370e299629da56cd011b6583. --- query_test.go | 17 ----------------- scope.go | 21 --------------------- 2 files changed, 38 deletions(-) diff --git a/query_test.go b/query_test.go index 2b7e0dff..15bf8b3c 100644 --- a/query_test.go +++ b/query_test.go @@ -133,23 +133,6 @@ func TestStringPrimaryKeyForNumericValueStartingWithZero(t *testing.T) { t.Errorf("Fetch a record from with a string primary key for a numeric value starting with zero should work, but failed, zip code is %v", address.ZipCode) } } -func TestStringAgainstIncompleteParentheses(t *testing.T) { - type AddressByZipCode struct { - ZipCode string `gorm:"primary_key"` - Address string - } - - DB.AutoMigrate(&AddressByZipCode{}) - DB.Create(&AddressByZipCode{ZipCode: "00502", Address: "Holtsville"}) - - var address AddressByZipCode - var addresses []AddressByZipCode - _ = DB.First(&address, "address_by_zip_codes=00502)) UNION ALL SELECT NULL,version(),current_database(),NULL,NULL,NULL,NULL,NULL--").Find(&addresses).GetErrors() - if len(addresses) > 0 { - t.Errorf("Fetch a record from with a string that has incomplete parentheses should be fail, zip code is %v", address.ZipCode) - } - -} func TestFindAsSliceOfPointers(t *testing.T) { DB.Save(&User{Name: "user"}) diff --git a/scope.go b/scope.go index 541fe522..c962c165 100644 --- a/scope.go +++ b/scope.go @@ -277,23 +277,6 @@ func (scope *Scope) AddToVars(value interface{}) string { return scope.Dialect().BindVar(len(scope.SQLVars)) } -// IsCompleteParentheses check if the string has complete parentheses to prevent SQL injection -func (scope *Scope) IsCompleteParentheses(value string) bool { - count := 0 - for i, _ := range value { - if value[i] == 40 { // ( - count++ - } else if value[i] == 41 { // ) - count-- - } - if count < 0 { - break - } - i++ - } - return count == 0 -} - // SelectAttrs return selected attributes func (scope *Scope) SelectAttrs() []string { if scope.selectAttrs == nil { @@ -573,10 +556,6 @@ func (scope *Scope) buildCondition(clause map[string]interface{}, include bool) } if value != "" { - if !scope.IsCompleteParentheses(value) { - scope.Err(fmt.Errorf("incomplete parentheses found: %v", value)) - return - } if !include { if comparisonRegexp.MatchString(value) { str = fmt.Sprintf("NOT (%v)", value)