no exploitable SQL injection vulnerabilities

This commit is contained in:
null 2026-05-28 03:43:50 -05:00
parent f1692193f6
commit d3f2a921bf
2 changed files with 14 additions and 2 deletions


@ -34,7 +34,13 @@ function monthOffset(year, month, offset) {
return { year: y, month: m }; return { year: y, month: m };
} }
function fetchActiveBills(db, userId, orderBy = 'b.due_day ASC, b.name ASC') { const FETCH_BILLS_ORDER = {
due_day: 'b.due_day ASC, b.name ASC',
id: 'b.id ASC',
};
function fetchActiveBills(db, userId, orderKey = 'due_day') {
const orderBy = FETCH_BILLS_ORDER[orderKey] ?? FETCH_BILLS_ORDER.due_day;
return db.prepare(` return db.prepare(`
SELECT b.*, c.name AS category_name SELECT b.*, c.name AS category_name
FROM bills b FROM bills b
@ -334,7 +340,7 @@ function getUpcomingBills(userId, query = {}, now = new Date()) {
const todayStr = now.toISOString().slice(0, 10); const todayStr = now.toISOString().slice(0, 10);
const userSettings = getUserSettings(userId); const userSettings = getUserSettings(userId);
const rowOptions = { gracePeriodDays: userSettings.grace_period_days }; const rowOptions = { gracePeriodDays: userSettings.grace_period_days };
const bills = fetchActiveBills(db, userId, 'b.id ASC'); const bills = fetchActiveBills(db, userId, 'id');
const cutoff = new Date(now); const cutoff = new Date(now);
cutoff.setDate(cutoff.getDate() + days); cutoff.setDate(cutoff.getDate() + days);
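Review bot: The lookup `FETCH_BILLS_ORDER[orderKey] ?? FETCH_BILLS_ORDER.due_day` on the new line after the `fetchActiveBills` signature falls back only when the key is missing, but a plain object also resolves inherited keys such as `constructor`, `toString` or `__proto__`, which are non-nullish functions and would be spliced into the ORDER BY clause (a SQL syntax error at best) if `orderKey` ever comes from a request. Both callers visible here pass literals, so this is a hardening point rather than a live bug, but the allowlist should be an own-property check: `const orderBy = Object.hasOwn(FETCH_BILLS_ORDER, orderKey) ? FETCH_BILLS_ORDER[orderKey] : FETCH_BILLS_ORDER.due_day;`. The second file in this commit throws on an unknown table, whereas this one silently falls back to the default ordering; throwing here too would surface a mistyped key at the call site instead of quietly returning a differently ordered list. The SQL template that consumes `orderBy`, and the end of the function, lie outside the hunk, so I am assuming it is interpolated into the query unchanged.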


@ -58,7 +58,13 @@ function tableNames(db) {
return new Set(db.prepare("SELECT name FROM sqlite_master WHERE type='table'").all().map(r => r.name)); return new Set(db.prepare("SELECT name FROM sqlite_master WHERE type='table'").all().map(r => r.name));
} }
const IMPORT_TABLES = new Set([
'categories', 'bills', 'payments',
'monthly_bill_state', 'monthly_starting_amounts', 'notes',
]);
function tableColumns(db, table) { function tableColumns(db, table) {
if (!IMPORT_TABLES.has(table)) throw new Error(`Import: unknown table '${table}'`);
return new Set(db.prepare(`PRAGMA table_info(${table})`).all().map(c => c.name)); return new Set(db.prepare(`PRAGMA table_info(${table})`).all().map(c => c.name));
} }
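Review bot: The `IMPORT_TABLES.has(table)` gate added at the top of `tableColumns` protects only this PRAGMA; any other place in the importer that splices the same table name into SQL (an INSERT or DELETE built per table, which this hunk does not show) needs the same check, or better, the unknown-table rejection should happen once where the import payload is parsed so every later use is covered. Since the PRAGMA still string-builds by necessity, a why-comment above it would keep the next maintainer from "fixing" it into a bound parameter or dropping the guard: `// PRAGMA cannot take a bound parameter, so the IMPORT_TABLES check above is the only injection guard here.`. The thrown message echoes the raw `table` value; that is fine for a log, but if import errors are returned verbatim to the client it is worth confirming the value is not rendered unescaped.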