This is an automated email from the ASF dual-hosted git repository.
zky pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/incubator-devlake.git
The following commit(s) were added to refs/heads/main by this push:
new 99376a8eb fix: cwe89 sql injection (#8762)
99376a8eb is described below
commit 99376a8eb866f2b557dd3bc2ca26510ce241f065
Author: Klesh Wong <[email protected]>
AuthorDate: Thu Mar 12 21:00:52 2026 +0800
fix: cwe89 sql injection (#8762)
---
backend/server/services/pushapi.go | 20 ++++++++++++++++++++
env.example | 1 +
2 files changed, 21 insertions(+)
diff --git a/backend/server/services/pushapi.go
b/backend/server/services/pushapi.go
index deabe12b1..d99d4e906 100644
--- a/backend/server/services/pushapi.go
+++ b/backend/server/services/pushapi.go
@@ -18,12 +18,32 @@ limitations under the License.
package services
import (
+ "regexp"
+ "strings"
+
"github.com/apache/incubator-devlake/core/dal"
"github.com/apache/incubator-devlake/core/errors"
)
// InsertRow FIXME ...
func InsertRow(table string, rows []map[string]interface{}) (int64,
errors.Error) {
+ if !regexp.MustCompile(`^[a-zA-Z0-9_]+$`).MatchString(table) {
+ return 0, errors.BadInput.New("table name invalid")
+ }
+
+ if allowedTables := cfg.GetString("PUSH_API_ALLOWED_TABLES");
allowedTables != "" {
+ allow := false
+ for _, t := range strings.Split(allowedTables, ",") {
+ if strings.TrimSpace(t) == table {
+ allow = true
+ break
+ }
+ }
+ if !allow {
+ return 0, errors.Forbidden.New("table name is not in
the allowed list")
+ }
+ }
+
err := db.Create(rows, dal.From(table))
if err != nil {
return 0, err
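Review bot: The allowlist is opt-in, so with PUSH_API_ALLOWED_TABLES unset the new check still accepts any identifier-shaped `table`; the regex closes the injection vector but writes to every other table stay possible, and the header is still `// InsertRow FIXME ...`, which hides that. I would replace it with `// InsertRow inserts rows into table. The name must match ^[a-zA-Z0-9_]+$, and when PUSH_API_ALLOWED_TABLES is set it must also appear in that comma-separated list; with the variable unset every identifier-shaped name is accepted.` so operators know the allowlist must be configured to restrict targets. `regexp.MustCompile` also runs on every call; hoisting it to package scope as `var tableNameRe = regexp.MustCompile(`^[a-zA-Z0-9_]+$`)` and using `tableNameRe.MatchString(table)` compiles it once. `cfg` and `db` appear to be package-level values declared outside this hunk, and InsertRow's body continues past it.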
diff --git a/env.example b/env.example
index 58c89de1a..19acb7c94 100755
--- a/env.example
+++ b/env.example
@@ -34,6 +34,7 @@ SKIP_SUBTASK_PROGRESS=false
PORT=8080
MODE=release
+# PUSH_API_ALLOWED_TABLES=table1,table2
NOTIFICATION_ENDPOINT=
NOTIFICATION_SECRET=