CVE-2022-1883: fix(db): possible sql injection on /search endpoint · camptocamp/terraboard@2a5dbaa
SQL Injection in GitHub repository camptocamp/terraboard prior to 2.2.0.
@@ -370,11 +370,13 @@ func (db *Database) SearchAttribute(query url.Values) (results []types.SearchRes
}
if v := query.Get(“tf_version”); string(v) != “” {
where = append(where, fmt.Sprintf("states.tf_version LIKE '%s’", fmt.Sprintf("%%%s%%", v)))
where = append(where, “states.tf_version LIKE ?”)
params = append(params, fmt.Sprintf("%%%s%%", v))
}
if v := query.Get(“lineage_value”); string(v) != “” {
where = append(where, fmt.Sprintf("lineages.value LIKE '%s’", fmt.Sprintf("%%%s%%", v)))
where = append(where, “lineages.value LIKE ?”)
params = append(params, fmt.Sprintf("%%%s%%", v))
}
if len(where) > 0 {