Commit a55be07e by Alexander Zobnin

dashboard history clean up: avoid potential SQL injections

parent 59d89e42
package sqlstore package sqlstore
import ( import (
"fmt"
"math" "math"
"strings" "strings"
...@@ -72,13 +71,12 @@ func DeleteExpiredVersions(cmd *m.DeleteExpiredVersionsCommand) error { ...@@ -72,13 +71,12 @@ func DeleteExpiredVersions(cmd *m.DeleteExpiredVersionsCommand) error {
// Don't clean up if user set versions_to_keep to 2147483647 (MaxInt32) // Don't clean up if user set versions_to_keep to 2147483647 (MaxInt32)
if versionsToKeep := setting.DashboardVersionsToKeep; versionsToKeep < math.MaxInt32 { if versionsToKeep := setting.DashboardVersionsToKeep; versionsToKeep < math.MaxInt32 {
// Get dashboard ids to clean up
affectedDashboardsQuery := fmt.Sprintf(`SELECT dashboard_id FROM dashboard_version
GROUP BY dashboard_id HAVING COUNT(dashboard_version.id)>%d`, versionsToKeep)
err := sess.Table("dashboard_version"). err := sess.Table("dashboard_version").
Select("dashboard_version.id, dashboard_version.version, dashboard_version.dashboard_id"). Select("dashboard_version.id, dashboard_version.version, dashboard_version.dashboard_id").
Where(fmt.Sprintf("dashboard_id IN (%s)", affectedDashboardsQuery)). Where(`dashboard_id IN (
SELECT dashboard_id FROM dashboard_version
GROUP BY dashboard_id HAVING COUNT(dashboard_version.id) > ?
)`, versionsToKeep).
Desc("dashboard_version.dashboard_id", "dashboard_version.version"). Desc("dashboard_version.dashboard_id", "dashboard_version.version").
Find(&versions) Find(&versions)
......
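Review bot: The new `HAVING COUNT(dashboard_version.id) > ?` binds `versionsToKeep` with no lower bound, so a `versions_to_keep` of 0 or a negative value selects every dashboard that has at least one version, and whatever this function does with `versions` afterwards (the body continues past the hunk; the name suggests deletion) is then driven by that over-broad selection — the `< math.MaxInt32` check on the line above only caps the upper end. I would reject non-positive values before the query is built, e.g. `if versionsToKeep < 1 { return errors.New("versions_to_keep must be at least 1") }` (which needs an `errors` import, since `"fmt"` appears to be dropped by this commit), or validate once where `setting.DashboardVersionsToKeep` is parsed. For the record, the value is an integer from server configuration formatted with `%d`, so the old string could not carry SQL syntax; binding it as a parameter is still the right idiom because it keeps the statement static and lint-clean, but the commit title overstates the fix. A short comment above the `Where` such as `// Threshold is bound as a query parameter, never formatted into the SQL.` would tell the next reader why the raw string carries a `?`. `DeleteExpiredVersions` starts before this hunk and continues after it, so the error path of `err` is not visible here.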