Fixes for Snyk's dataflow analyzer (#244)

* switch to parameterized evaluation to avoid potential unsanitized injection * another switch to parameterized evaluation to avoid potential unsanitized injection
quarto-dev · Sep 16, 2024 · 7323f7e · 7323f7e
1 parent 39f110d
commit 7323f7e
Showing 1 changed file with 10 additions and 10 deletions.
diff --git a/packages/editor-server/src/core/zotero/local/source.ts b/packages/editor-server/src/core/zotero/local/source.ts
@@ -210,7 +210,7 @@ function getCreators(db: Database, spec: ZoteroCollectionSpec) : Map<string,Zote
 
   const creators = new Map<string,ZoteroCreator[]>(); 
 
-  for (const row of db.all(creatorsSQL(spec)) as Array<Record<string,string>>) {
+  for (const row of db.all(...creatorsSQL(spec)) as Array<Record<string,string>>) {
     // get key and ensure it exists
     const key = row["key"];
     if (!creators.has(key)) {
@@ -240,7 +240,7 @@ function getCollection(db: Database, spec: ZoteroCollectionSpec) : ZoteroCollect
     // query items and match up with creators
     const currentItem = new Map<string,string>();
     const items: ZoteroCSL[] = [];
-    for (const row of db.all(collectionSQL(spec)) as Array<Record<string,string>>) {
+    for (const row of db.all(...collectionSQL(spec)) as Array<Record<string,string>>) {
 
       const key = row["key"];
       const currentKey = currentItem.get("key") || "";
@@ -552,16 +552,16 @@ function getCollections(db: Database, librariesOnly = false) : ZoteroCollectionS
   });  
 }
 
-function creatorsSQL(spec: ZoteroCollectionSpec)
+function creatorsSQL(spec: ZoteroCollectionSpec): [string, Record<string, string>]
 {
   const itemsJoin = spec.parentKey.length > 0 
     ? `join collectionItems on items.itemID = collectionItems.itemID
        join collections on collectionItems.collectionID = collections.collectionID` 
     : "";
 
   const keyWhere = spec.parentKey.length > 0
-    ? `AND collections.key = '${spec.key}'`
-    : `AND libraries.libraryID = ${spec.key}`;
+    ? `AND collections.key = :k`
+    : `AND libraries.libraryID = :k`;
 
   const sql = `
     SELECT
@@ -590,19 +590,19 @@ function creatorsSQL(spec: ZoteroCollectionSpec)
       itemCreators.orderIndex
   `;
 
-  return sql;
+  return [sql, { ":k": spec.key }];
 }
 
-function collectionSQL(spec: ZoteroCollectionSpec) {
+function collectionSQL(spec: ZoteroCollectionSpec): [string, Record<string, string>] {
 
   const from = spec.parentKey.length > 0 
     ? `join collectionItems on items.itemID = collectionItems.itemID
        join collections on collectionItems.collectionID = collections.collectionID`
     : "";
 
   const where = spec.parentKey.length > 0
-    ? `AND collections.key = '${spec.key}'`
-    : `AND libraries.libraryID = ${spec.key}`;
+    ? `AND collections.key = :k'`
+    : `AND libraries.libraryID = :k`;
 
   const sql = `
     SELECT
@@ -684,7 +684,7 @@ function collectionSQL(spec: ZoteroCollectionSpec) {
     fieldOrder ASC 
   `;
 
-   return sql;
+   return [sql, { ":k": spec.key }];
 }