no exploitable SQL injection vulnerabilities
parent
f1692193f6
commit
d3f2a921bf
@ -34,7 +34,13 @@ function monthOffset(year, month, offset) {
|
||||||
return { year: y, month: m };
|
return { year: y, month: m };
|
||||||
}
|
}
|
||||||
|
|
||||||
function fetchActiveBills(db, userId, orderBy = 'b.due_day ASC, b.name ASC') {
|
const FETCH_BILLS_ORDER = {
|
||||||
|
due_day: 'b.due_day ASC, b.name ASC',
|
||||||
|
id: 'b.id ASC',
|
||||||
|
};
|
||||||
|
|
||||||
|
function fetchActiveBills(db, userId, orderKey = 'due_day') {
|
||||||
|
const orderBy = FETCH_BILLS_ORDER[orderKey] ?? FETCH_BILLS_ORDER.due_day;
|
||||||
return db.prepare(`
|
return db.prepare(`
|
||||||
SELECT b.*, c.name AS category_name
|
SELECT b.*, c.name AS category_name
|
||||||
FROM bills b
|
FROM bills b
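Review bot: The `??` fallback on the new `const orderBy = FETCH_BILLS_ORDER[orderKey] ?? FETCH_BILLS_ORDER.due_day;` line only covers keys that are absent, not keys inherited from Object.prototype: an orderKey of `constructor`, `toString` or `__proto__` resolves to a function or object, which is then stringified into the ORDER BY clause instead of falling back. The one caller visible in this commit passes a literal, so this is not reachable today, but the table reads like an allowlist meant to hold up if orderKey ever comes from a query parameter, so the lookup should be by own property: `const orderBy = Object.hasOwn(FETCH_BILLS_ORDER, orderKey) ? FETCH_BILLS_ORDER[orderKey] : FETCH_BILLS_ORDER.due_day;`. Freezing the table (`const FETCH_BILLS_ORDER = Object.freeze({ ... });`) would also keep other modules from adding entries at runtime. fetchActiveBills continues past the end of the hunk.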
|
||||||
|
|
@ -334,7 +340,7 @@ function getUpcomingBills(userId, query = {}, now = new Date()) {
|
||||||
const todayStr = now.toISOString().slice(0, 10);
|
const todayStr = now.toISOString().slice(0, 10);
|
||||||
const userSettings = getUserSettings(userId);
|
const userSettings = getUserSettings(userId);
|
||||||
const rowOptions = { gracePeriodDays: userSettings.grace_period_days };
|
const rowOptions = { gracePeriodDays: userSettings.grace_period_days };
|
||||||
const bills = fetchActiveBills(db, userId, 'b.id ASC');
|
const bills = fetchActiveBills(db, userId, 'id');
|
||||||
|
|
||||||
const cutoff = new Date(now);
|
const cutoff = new Date(now);
|
||||||
cutoff.setDate(cutoff.getDate() + days);
|
cutoff.setDate(cutoff.getDate() + days);
|
||||||
@ -58,7 +58,13 @@ function tableNames(db) {
|
||||||
return new Set(db.prepare("SELECT name FROM sqlite_master WHERE type='table'").all().map(r => r.name));
|
return new Set(db.prepare("SELECT name FROM sqlite_master WHERE type='table'").all().map(r => r.name));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
const IMPORT_TABLES = new Set([
|
||||||
|
'categories', 'bills', 'payments',
|
||||||
|
'monthly_bill_state', 'monthly_starting_amounts', 'notes',
|
||||||
|
]);
|
||||||
|
|
||||||
function tableColumns(db, table) {
|
function tableColumns(db, table) {
|
||||||
|
if (!IMPORT_TABLES.has(table)) throw new Error(`Import: unknown table '${table}'`);
|
||||||
return new Set(db.prepare(`PRAGMA table_info(${table})`).all().map(c => c.name));
|
return new Set(db.prepare(`PRAGMA table_info(${table})`).all().map(c => c.name));
|
||||||
}
|
}
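Review bot: The allowlist check on `if (!IMPORT_TABLES.has(table)) throw new Error(...)` is the right shape, since `PRAGMA table_info(${table})` takes an identifier and identifiers cannot be bound as parameters, but nothing in the function says why a plain string membership test is what stands between import data and a SQL template. A comment above the check would keep a later edit from relaxing or reordering it: `// \`table\` is spliced into the PRAGMA as an identifier (not bindable), so only names listed in IMPORT_TABLES are accepted.` Since IMPORT_TABLES is presumably also the set of tables the importer handles, it is worth noting next to the Set that a table added to the import flow must be added here too, otherwise tableColumns will throw for it. tableNames at the top of the hunk begins outside it.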
|
||||||
|
|
||||||