From 0019637a6537f0c0a1e01cec904aedd61a83d068 Mon Sep 17 00:00:00 2001
From: darta
Date: Wed, 1 Jun 2022 22:50:27 +0200
Subject: [PATCH] fix(admin): applied sql sanitizer
---
 admin/src/admin/lib/nextcloud.py | 83 +++++++++++++++-----------------
 admin/src/start.py | 5 +-
 2 files changed, 42 insertions(+), 46 deletions(-)
diff --git a/admin/src/admin/lib/nextcloud.py b/admin/src/admin/lib/nextcloud.py
index cfba60a..9b5524d 100644
--- a/admin/src/admin/lib/nextcloud.py
+++ b/admin/src/admin/lib/nextcloud.py
@@ -10,6 +10,7 @@ import traceback
 import urllib
 import requests
+from psycopg2 import sql
 # from ..lib.log import *
 from admin import app
@@ -520,49 +521,45 @@ class Nextcloud:
 # 103 - failed to add the group
 def set_user_mail(self, data):
- if not len(
- self.nextcloud_pg.select(
- """SELECT * FROM "oc_mail_accounts" WHERE "email" = '%s'"""
- % (data["email"])
- )
- ):
- self.nextcloud_pg.update(
- """INSERT INTO "oc_mail_accounts" ("user_id","name","email","inbound_host","inbound_port","inbound_ssl_mode","inbound_user","inbound_password","outbound_host","outbound_port","outbound_ssl_mode","outbound_user","outbound_password") VALUES
+ query = """SELECT * FROM "oc_mail_accounts" WHERE "email" = '%s'"""
+ sql_query = sql.SQL(query.format(data["email"]))
+ if not len(self.nextcloud_pg.select(sql_query)):
+ query = """INSERT INTO "oc_mail_accounts" ("user_id","name","email","inbound_host","inbound_port","inbound_ssl_mode","inbound_user","inbound_password","outbound_host","outbound_port","outbound_ssl_mode","outbound_user","outbound_password") VALUES
 ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s');"""
- % (
- data["user_id"],
- data["name"],
- data["email"],
- data["inbound_host"],
- data["inbound_port"],
- data["inbound_ssl_mode"],
- data["inbound_user"],
- data["inbound_password"],
- data["outbound_host"],
- data["outbound_port"],
- data["outbound_ssl_mode"],
- data["outbound_user"],
- data["outbound_password"],
- )
- )
+ account = [
+ data["user_id"],
+ data["name"],
+ data["email"],
+ data["inbound_host"],
+ data["inbound_port"],
+ data["inbound_ssl_mode"],
+ data["inbound_user"],
+ data["inbound_password"],
+ data["outbound_host"],
+ data["outbound_port"],
+ data["outbound_ssl_mode"],
+ data["outbound_user"],
+ data["outbound_password"],
+ ]
 else:
- self.nextcloud_pg.update(
- """UPDATE "oc_mail_accounts" SET ("user_id","name","email","inbound_host","inbound_port","inbound_ssl_mode","inbound_user","inbound_password","outbound_host","outbound_port","outbound_ssl_mode","outbound_user","outbound_password") =
+ query = """UPDATE "oc_mail_accounts" SET ("user_id","name","email","inbound_host","inbound_port","inbound_ssl_mode","inbound_user","inbound_password","outbound_host","outbound_port","outbound_ssl_mode","outbound_user","outbound_password") =
 ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s') WHERE email = '%s';"""
- % (
- data["user_id"],
- data["name"],
- data["email"],
- data["inbound_host"],
- data["inbound_port"],
- data["inbound_ssl_mode"],
- data["inbound_user"],
- data["inbound_password"],
- data["outbound_host"],
- data["outbound_port"],
- data["outbound_ssl_mode"],
- data["outbound_user"],
- data["outbound_password"],
- data["email"],
- )
- )
+
+ account = [
+ data["user_id"],
+ data["name"],
+ data["email"],
+ data["inbound_host"],
+ data["inbound_port"],
+ data["inbound_ssl_mode"],
+ data["inbound_user"],
+ data["inbound_password"],
+ data["outbound_host"],
+ data["outbound_port"],
+ data["outbound_ssl_mode"],
+ data["outbound_user"],
+ data["outbound_password"],
+ data["email"],
+ ]
+ sql_query = sql.SQL(query.format(",".join([str(acc) for acc in account])))
+ self.nextcloud_pg.update(sql_query)
diff --git a/admin/src/start.py b/admin/src/start.py
index cf1a2bc..d778b97 100644
--- a/admin/src/start.py
+++ b/admin/src/start.py
@@ -6,12 +6,10 @@ monkey_patch()
 import json
-from flask_login import login_required
-from admin import app
 from admin.auth.tokens import get_token_payload
 from admin.lib.api_exceptions import Error
 from flask import request
-from flask_login import current_user
+from flask_login import current_user, login_required
 from flask_socketio import (
 SocketIO,
 close_room,
@@ -23,6 +21,7 @@ from flask_socketio import (
 send,
 )
+from admin import app
 app.socketio = SocketIO(app)
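Review bot: The rewritten body neither parameterizes the statements nor, as written, sends the data at all: `query` only contains `'%s'` placeholders and no `{}` fields, so `query.format(...)` returns the string unchanged and the SELECT, INSERT and UPDATE are executed with the literal text `'%s'` in every column (the SELECT therefore never matches and the INSERT branch is always taken). `sql.SQL(...)` marks its argument as trusted SQL and escapes nothing, so once `{}` fields are added back this becomes the same injection the old `%` interpolation had; the values must travel as `sql.Literal` (or as a params tuple to `cursor.execute`) and only the statement skeleton as `sql.SQL`. `set_user_mail` lies entirely inside this hunk (its `def` is a context line); `nextcloud_pg.select`/`update` are outside the diff, but since the new code already hands them `sql.SQL` objects a `Composed` should be accepted if they forward it to `cursor.execute` unchanged — worth confirming. The fence below rebuilds the body on that basis and drops the `len()` around the select, which adds nothing over truthiness of the returned rows.
```python
    def set_user_mail(self, data):
        # Only the statement skeleton is sql.SQL; every value is a sql.Literal,
        # so nothing taken from `data` is ever spliced into the SQL text.
        columns = sql.SQL(
            '("user_id","name","email","inbound_host","inbound_port","inbound_ssl_mode",'
            '"inbound_user","inbound_password","outbound_host","outbound_port",'
            '"outbound_ssl_mode","outbound_user","outbound_password")'
        )
        email = sql.Literal(data["email"])
        # … unchanged: account = [data["user_id"], …, data["outbound_password"]] (13 items, column order) …
        values = sql.SQL(", ").join(sql.Literal(value) for value in account)
        existing = self.nextcloud_pg.select(
            sql.SQL('SELECT * FROM "oc_mail_accounts" WHERE "email" = {}').format(email)
        )
        if not existing:
            sql_query = sql.SQL(
                'INSERT INTO "oc_mail_accounts" {} VALUES ({});'
            ).format(columns, values)
        else:
            sql_query = sql.SQL(
                'UPDATE "oc_mail_accounts" SET {} = ({}) WHERE email = {};'
            ).format(columns, values, email)
        self.nextcloud_pg.update(sql_query)
```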