no exploitable SQL injection vulnerabilities
This commit is contained in:
parent
f1692193f6
commit
d3f2a921bf
@ -34,7 +34,13 @@ function monthOffset(year, month, offset) {
|
|||
return { year: y, month: m };
|
||||
}
|
||||
|
||||
function fetchActiveBills(db, userId, orderBy = 'b.due_day ASC, b.name ASC') {
|
||||
const FETCH_BILLS_ORDER = {
|
||||
due_day: 'b.due_day ASC, b.name ASC',
|
||||
id: 'b.id ASC',
|
||||
};
|
||||
|
||||
function fetchActiveBills(db, userId, orderKey = 'due_day') {
|
||||
const orderBy = FETCH_BILLS_ORDER[orderKey] ?? FETCH_BILLS_ORDER.due_day;
|
||||
return db.prepare(`
|
||||
SELECT b.*, c.name AS category_name
|
||||
FROM bills b
|
||||
|
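Review bot: `FETCH_BILLS_ORDER[orderKey]` on the new `const orderBy` line is a plain property lookup, so a key such as `'constructor'` or `'toString'` resolves to an inherited function instead of `undefined`, the `??` fallback never fires, and the function's source text would be interpolated into the ORDER BY (the interpolation itself lies past the end of this hunk; `fetchActiveBills` continues outside it). That produces a SQL syntax error rather than an injection, but it is still a gap in the allow-list; the only call site visible in this commit passes the literal `'id'`, so the exposure is presumably limited to future callers. Use an own-property check, `const orderBy = Object.hasOwn(FETCH_BILLS_ORDER, orderKey) ? FETCH_BILLS_ORDER[orderKey] : FETCH_BILLS_ORDER.due_day;`, and wrap the map in `Object.freeze(...)`. Consider throwing on an unknown key, as `tableColumns` does in the third hunk, instead of silently falling back: a caller still passing a raw fragment like the old `'b.id ASC'` would otherwise be quietly re-sorted by due day with no error.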
|
@ -334,7 +340,7 @@ function getUpcomingBills(userId, query = {}, now = new Date()) {
|
|||
const todayStr = now.toISOString().slice(0, 10);
|
||||
const userSettings = getUserSettings(userId);
|
||||
const rowOptions = { gracePeriodDays: userSettings.grace_period_days };
|
||||
const bills = fetchActiveBills(db, userId, 'b.id ASC');
|
||||
const bills = fetchActiveBills(db, userId, 'id');
|
||||
|
||||
const cutoff = new Date(now);
|
||||
cutoff.setDate(cutoff.getDate() + days);
|
||||
|
@ -58,7 +58,13 @@ function tableNames(db) {
|
|||
return new Set(db.prepare("SELECT name FROM sqlite_master WHERE type='table'").all().map(r => r.name));
|
||||
}
|
||||
|
||||
const IMPORT_TABLES = new Set([
|
||||
'categories', 'bills', 'payments',
|
||||
'monthly_bill_state', 'monthly_starting_amounts', 'notes',
|
||||
]);
|
||||
|
||||
function tableColumns(db, table) {
|
||||
if (!IMPORT_TABLES.has(table)) throw new Error(`Import: unknown table '${table}'`);
|
||||
return new Set(db.prepare(`PRAGMA table_info(${table})`).all().map(c => c.name));
|
||||
}
|
||||
|
||||
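Review bot: The `IMPORT_TABLES.has(table)` check in `tableColumns` is the only thing that makes the `${table}` interpolation into `PRAGMA table_info(...)` safe, because a PRAGMA argument cannot be a bound parameter, and nothing in the code records that dependency, so a later cleanup could move or drop the guard without noticing. Add a comment above the check, `// PRAGMA takes no bound parameters, so table is interpolated; IMPORT_TABLES is the only guard against injection — keep it.`, and a JSDoc `@throws {Error} when table is not in IMPORT_TABLES` on `tableColumns`. If `table` can originate from the uploaded import file (not visible in this hunk), the caller should map that Error to a client-facing validation failure rather than let it surface as a server error. The allow-listed names are plain identifiers, which is what keeps the unquoted interpolation well-formed; keep the set to such names if it grows.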
|
|
|
|||
Loading…
Reference in New Issue