fix: validate action parameter and correct database health check logic

- Add whitelist of valid actions to prevent arbitrary action values
- Fix error handling to properly detect database failures

Previously, any action value was accepted without validation, which could lead to unexpected behavior. The health check also incorrectly set dbOK to true when queries succeeded, now correctly sets it to false when errors occur.
This commit is contained in:
db123-test
2026-05-11 12:19:47 +03:30
parent ef7abd386e
commit 7930f2ec99

View File

@@ -243,8 +243,15 @@ func parseLogFilter(r *http.Request) (*logFilter, error) {
Offset: 0,
}
validActions := map[string]bool{
"add_temp": true, "delete_temp": true,
"add_perm": true, "delete_perm": true, "expire_temp": true,
}
if v := r.URL.Query().Get("action"); v != "" {
f.Action = v
if validActions[v] {
f.Action = v
}
}
if v := r.URL.Query().Get("ip"); v != "" {
f.IP = v
@@ -333,13 +340,13 @@ func statusHandler(db *sql.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
var permCount int
var tempCount int
dbOK := false
dbOK := true
if err := db.QueryRow(`SELECT COUNT(*) FROM perm_whitelist`).Scan(&permCount); err == nil {
dbOK = true
if err := db.QueryRow(`SELECT COUNT(*) FROM perm_whitelist`).Scan(&permCount); err != nil {
dbOK = false
}
if err := db.QueryRow(`SELECT COUNT(*) FROM temp_whitelist WHERE expires_at > ?`, time.Now().Format(time.RFC3339)).Scan(&tempCount); err == nil {
dbOK = true
if err := db.QueryRow(`SELECT COUNT(*) FROM temp_whitelist WHERE expires_at > ?`, time.Now().Format(time.RFC3339)).Scan(&tempCount); err != nil {
dbOK = false
}
health := map[string]interface{}{