fix: validate action parameter and correct database health check logic
- Add whitelist of valid actions to prevent arbitrary action values - Fix error handling to properly detect database failures Previously, any action value was accepted without validation, which could lead to unexpected behavior. The health check also incorrectly set dbOK to true when queries succeeded, now correctly sets it to false when errors occur.
This commit is contained in:
19
src/auth.go
19
src/auth.go
@@ -243,8 +243,15 @@ func parseLogFilter(r *http.Request) (*logFilter, error) {
|
||||
Offset: 0,
|
||||
}
|
||||
|
||||
validActions := map[string]bool{
|
||||
"add_temp": true, "delete_temp": true,
|
||||
"add_perm": true, "delete_perm": true, "expire_temp": true,
|
||||
}
|
||||
|
||||
if v := r.URL.Query().Get("action"); v != "" {
|
||||
f.Action = v
|
||||
if validActions[v] {
|
||||
f.Action = v
|
||||
}
|
||||
}
|
||||
if v := r.URL.Query().Get("ip"); v != "" {
|
||||
f.IP = v
|
||||
@@ -333,13 +340,13 @@ func statusHandler(db *sql.DB) http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
var permCount int
|
||||
var tempCount int
|
||||
dbOK := false
|
||||
dbOK := true
|
||||
|
||||
if err := db.QueryRow(`SELECT COUNT(*) FROM perm_whitelist`).Scan(&permCount); err == nil {
|
||||
dbOK = true
|
||||
if err := db.QueryRow(`SELECT COUNT(*) FROM perm_whitelist`).Scan(&permCount); err != nil {
|
||||
dbOK = false
|
||||
}
|
||||
if err := db.QueryRow(`SELECT COUNT(*) FROM temp_whitelist WHERE expires_at > ?`, time.Now().Format(time.RFC3339)).Scan(&tempCount); err == nil {
|
||||
dbOK = true
|
||||
if err := db.QueryRow(`SELECT COUNT(*) FROM temp_whitelist WHERE expires_at > ?`, time.Now().Format(time.RFC3339)).Scan(&tempCount); err != nil {
|
||||
dbOK = false
|
||||
}
|
||||
|
||||
health := map[string]interface{}{
|
||||
|
||||
Reference in New Issue
Block a user