rooteco / tweetscape

the supercharged twitter feed
https://prototype.tweetscape.co
GNU Affero General Public License v3.0

Escape SQL in redis helper #313

Open nicholaschiang opened 2 years ago

nicholaschiang commented 2 years ago

Imported from @nicholaschiang's original Linear issue TS-92.


    // TODO: Wrap the `uid` in some SQL injection avoidance mechanism as it's
    // very much possible that somebody smart and devious could:
    // a) find our cookie secret and encrypt their own (fake) session cookie;
    // b) set the session cookie `uid` to some malicious raw SQL;
    // c) have that SQL run here and mess up our production db.
    lists = await redis<List>(
      `
      select lists.* from lists
      left outer join list_followers on list_followers.list_id = lists.id
      where lists.owner_id = '${uid}' or list_followers.influencer_id = '${uid}'
      `
    );
nicholaschiang commented 2 years ago

This is still relevant as I'm now using pg-promise and I'm not sure if that's properly escaping user-inputted SQL params.
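An added example, not tweetscape's code and not pg-promise's: the query from the issue built three ways (template interpolation as in the snippet above, manual quote-doubling, and a `$1` placeholder of the kind pg-promise formats with proper quoting), plus a skeleton check a unit test can run offline to catch the interpolated form. pg-promise does escape values passed through placeholders; interpolating into the template literal bypasses that. `SELECT`, `SAMPLES` and the helper names are invented here; only the table and column names come from the issue.

```javascript
// Added example (not tweetscape code). Nothing here touches a database;
// the builders only produce query text so the structure can be inspected.
const SELECT =
  'select lists.* from lists ' +
  'left outer join list_followers on list_followers.list_id = lists.id ';

// Vulnerable: the cookie-supplied uid becomes part of the SQL text, so a
// quote inside it ends the literal and rewrites the statement.
function buildInterpolated(uid) {
  return `${SELECT}where lists.owner_id = '${uid}' or list_followers.influencer_id = '${uid}'`;
}

// Manual fallback when a value must be inlined: wrap in single quotes and
// double any quote inside (the Postgres string-literal rule).
function quoteLiteral(value) {
  return `'${String(value).replace(/'/g, "''")}'`;
}

function buildEscaped(uid) {
  return `${SELECT}where lists.owner_id = ${quoteLiteral(uid)} or list_followers.influencer_id = ${quoteLiteral(uid)}`;
}

// Preferred: the SQL text is constant and the uid is passed as a value.
// With pg-promise this is db.any(text, values); the library formats $1
// with proper quoting, which the template literal above never reaches.
function buildParameterized(uid) {
  return {
    text: `${SELECT}where lists.owner_id = $1 or list_followers.influencer_id = $1`,
    values: [uid],
  };
}

// Reduce SQL text to its structure by replacing every '...' literal
// (with '' doubling) by a ? token. Data may vary; the skeleton must not.
function skeleton(sql) {
  return sql.replace(/'(?:[^']|'')*'/g, '?');
}

// Test oracle: a builder is injectable if any input changes the skeleton
// that a plain id produces.
function structureIsStable(build, inputs) {
  const reference = skeleton(build('42'));
  return inputs.every((uid) => skeleton(build(uid)) === reference);
}

// Constructed sample inputs: a normal id and a legitimate value containing
// a quote, which is enough to show the interpolated form breaks.
const SAMPLES = ['1701', "O'Brien"];
```

Run `structureIsStable(buildInterpolated, SAMPLES)` in a unit test and it returns `false`, while `buildEscaped` and `buildParameterized` keep the skeleton fixed for every input.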