fix: validate action parameter and correct database health check logic

- Add whitelist of valid actions to prevent arbitrary action values
- Fix error handling to properly detect database failures

Previously, any action value was accepted without validation, which could lead to unexpected behavior. The health check also incorrectly set dbOK to true when queries succeeded, now correctly sets it to false when errors occur.
This commit is contained in:
db123-test
2026-05-11 12:19:47 +03:30
parent ef7abd386e
commit 7930f2ec99

View File

@@ -243,8 +243,15 @@ func parseLogFilter(r *http.Request) (*logFilter, error) {
Offset: 0, Offset: 0,
} }
validActions := map[string]bool{
"add_temp": true, "delete_temp": true,
"add_perm": true, "delete_perm": true, "expire_temp": true,
}
if v := r.URL.Query().Get("action"); v != "" { if v := r.URL.Query().Get("action"); v != "" {
f.Action = v if validActions[v] {
f.Action = v
}
} }
if v := r.URL.Query().Get("ip"); v != "" { if v := r.URL.Query().Get("ip"); v != "" {
f.IP = v f.IP = v
@@ -333,13 +340,13 @@ func statusHandler(db *sql.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) { return func(w http.ResponseWriter, r *http.Request) {
var permCount int var permCount int
var tempCount int var tempCount int
dbOK := false dbOK := true
if err := db.QueryRow(`SELECT COUNT(*) FROM perm_whitelist`).Scan(&permCount); err == nil { if err := db.QueryRow(`SELECT COUNT(*) FROM perm_whitelist`).Scan(&permCount); err != nil {
dbOK = true dbOK = false
} }
if err := db.QueryRow(`SELECT COUNT(*) FROM temp_whitelist WHERE expires_at > ?`, time.Now().Format(time.RFC3339)).Scan(&tempCount); err == nil { if err := db.QueryRow(`SELECT COUNT(*) FROM temp_whitelist WHERE expires_at > ?`, time.Now().Format(time.RFC3339)).Scan(&tempCount); err != nil {
dbOK = true dbOK = false
} }
health := map[string]interface{}{ health := map[string]interface{}{