fix(admin): applied sql sanitizer

2022-06-01 22:50:27 +02:00 · 2022-06-01 22:50:27 +02:00 · 0019637a65
parent 9fb3c8a079
commit 0019637a65
2 changed files with 42 additions and 46 deletions
--- a/admin/src/admin/lib/nextcloud.py
+++ b/admin/src/admin/lib/nextcloud.py
@ -10,6 +10,7 @@ import traceback
 import urllib
 import requests
 from psycopg2 import sql
 # from ..lib.log import *
 from admin import app
@ -520,49 +521,45 @@ class Nextcloud:
            # 103 - failed to add the group
    def set_user_mail(self, data):
-        if not len(
+        query = """SELECT * FROM "oc_mail_accounts" WHERE "email" = '%s'"""
-            self.nextcloud_pg.select(
+        sql_query = sql.SQL(query.format(data["email"]))
-                """SELECT * FROM "oc_mail_accounts" WHERE "email" = '%s'"""
+        if not len(self.nextcloud_pg.select(sql_query)):
-                % (data["email"])
+            query = """INSERT INTO "oc_mail_accounts" ("user_id","name","email","inbound_host","inbound_port","inbound_ssl_mode","inbound_user","inbound_password","outbound_host","outbound_port","outbound_ssl_mode","outbound_user","outbound_password") VALUES 
            )
        ):
            self.nextcloud_pg.update(
                """INSERT INTO "oc_mail_accounts" ("user_id","name","email","inbound_host","inbound_port","inbound_ssl_mode","inbound_user","inbound_password","outbound_host","outbound_port","outbound_ssl_mode","outbound_user","outbound_password") VALUES 
                ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s');"""
-                % (
+            account = [
-                    data["user_id"],
+                data["user_id"],
-                    data["name"],
+                data["name"],
-                    data["email"],
+                data["email"],
-                    data["inbound_host"],
+                data["inbound_host"],
-                    data["inbound_port"],
+                data["inbound_port"],
-                    data["inbound_ssl_mode"],
+                data["inbound_ssl_mode"],
-                    data["inbound_user"],
+                data["inbound_user"],
-                    data["inbound_password"],
+                data["inbound_password"],
-                    data["outbound_host"],
+                data["outbound_host"],
-                    data["outbound_port"],
+                data["outbound_port"],
-                    data["outbound_ssl_mode"],
+                data["outbound_ssl_mode"],
-                    data["outbound_user"],
+                data["outbound_user"],
-                    data["outbound_password"],
+                data["outbound_password"],
-                )
+            ]
            )
        else:
-            self.nextcloud_pg.update(
+            query = """UPDATE "oc_mail_accounts" SET ("user_id","name","email","inbound_host","inbound_port","inbound_ssl_mode","inbound_user","inbound_password","outbound_host","outbound_port","outbound_ssl_mode","outbound_user","outbound_password") = 
                """UPDATE "oc_mail_accounts" SET ("user_id","name","email","inbound_host","inbound_port","inbound_ssl_mode","inbound_user","inbound_password","outbound_host","outbound_port","outbound_ssl_mode","outbound_user","outbound_password") = 
                ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s') WHERE email = '%s';"""
-                % (
+
-                    data["user_id"],
+            account = [
-                    data["name"],
+                data["user_id"],
-                    data["email"],
+                data["name"],
-                    data["inbound_host"],
+                data["email"],
-                    data["inbound_port"],
+                data["inbound_host"],
-                    data["inbound_ssl_mode"],
+                data["inbound_port"],
-                    data["inbound_user"],
+                data["inbound_ssl_mode"],
-                    data["inbound_password"],
+                data["inbound_user"],
-                    data["outbound_host"],
+                data["inbound_password"],
-                    data["outbound_port"],
+                data["outbound_host"],
-                    data["outbound_ssl_mode"],
+                data["outbound_port"],
-                    data["outbound_user"],
+                data["outbound_ssl_mode"],
-                    data["outbound_password"],
+                data["outbound_user"],
-                    data["email"],
+                data["outbound_password"],
-                )
+                data["email"],
-            )
+            ]
        sql_query = sql.SQL(query.format(",".join([str(acc) for acc in account])))
        self.nextcloud_pg.update(sql_query)
--- a/admin/src/start.py
+++ b/admin/src/start.py
@ -6,12 +6,10 @@ monkey_patch()
 import json
 from flask_login import login_required
 from admin import app
 from admin.auth.tokens import get_token_payload
 from admin.lib.api_exceptions import Error
 from flask import request
-from flask_login import current_user
+from flask_login import current_user, login_required
 from flask_socketio import (
    SocketIO,
    close_room,
@ -23,6 +21,7 @@ from flask_socketio import (
    send,
 )
 from admin import app
 app.socketio = SocketIO(app)