Commit

Fix SQL injection in /api/system/meshsync/resources
Signed-off-by: Xin Huang <[email protected]>
gyohuangxin committed Feb 3, 2024
1 parent 28a35c4 commit d3cd06c
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions server/handlers/meshsync_handler.go
Expand Up @@ -132,6 +132,7 @@ func (h *Handler) GetMeshSyncResources(rw http.ResponseWriter, r *http.Request,
result = result.Offset(offset)
}

order = models.SanitizeOrderInput(order, []string{"created_at", "updated_at", "name"})
if order != "" {
if sort == "desc" {
result = result.Order(clause.OrderByColumn{Column: clause.Column{Name: order}, Desc: true})
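Review bot: the allowlist on the added `models.SanitizeOrderInput` line is an inline string slice, and this commit touches only the handler (1 addition, no test file). Suggest moving `[]string{"created_at", "updated_at", "name"}` into a named variable so the set of sortable columns is defined once and is easy to audit, and adding a handler test that sends an `order` value outside that list and checks it never reaches `result.Order`. The existing `if order != ""` guard only protects the query if the sanitizer returns an empty string for rejected input, so that contract deserves a comment here or a test asserting it. The commit message could also name the affected parameter (`order`), since the title only identifies the endpoint.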