
Make SELECT construction in PolicyAwareQuery safer

Summary: Depends on D19784. Ref T13217. Reduce uses of unsafe `%Q` in SELECT construction.

Test Plan: This reduces the number of safety warnings when loading Phabricator home from ~900 to ~800.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T13217

Differential Revision: https://secure.phabricator.com/D19785
This commit is contained in:
epriestley 2018-11-07 02:38:09 -08:00
parent e26c4bddab
commit 64b52b9952
3 changed files with 10 additions and 19 deletions


@ -491,10 +491,10 @@ final class PhabricatorRepositoryQuery
protected function buildSelectClauseParts(AphrontDatabaseConnection $conn) { protected function buildSelectClauseParts(AphrontDatabaseConnection $conn) {
$parts = parent::buildSelectClauseParts($conn); $parts = parent::buildSelectClauseParts($conn);
$parts[] = 'r.*'; $parts[] = qsprintf($conn, 'r.*');
if ($this->shouldJoinSummaryTable()) { if ($this->shouldJoinSummaryTable()) {
$parts[] = 's.*'; $parts[] = qsprintf($conn, 's.*');
} }
return $parts; return $parts;
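Review bot: `qsprintf($conn, 'r.*')` on the third line of the hunk, and `qsprintf($conn, 's.*')` below it, read like no-op formatting calls; nothing in the hunk says why a constant fragment is being run through the formatter. The reason is presumably that the parent's `formatSelectClause()` now joins the parts with `%LQ`, which expects query-string objects rather than raw strings, so a bare `'r.*'` would trip the unsafe-`%Q` warning the commit is trying to eliminate. A one-line comment above the first call would spare the next reader a trip through PhabricatorQuery, e.g. `// Wrap as a query string so the parent can join the parts with %LQ.` The same unexplained pattern appears in PhabricatorCursorPagedPolicyAwareQuery (`qsprintf($conn, '*')`); buildSelectClauseParts() closes outside the hunk.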


@ -41,25 +41,16 @@ abstract class PhabricatorQuery extends Phobject {
/** /**
* @task format * @task format
*/ */
protected function formatSelectClause(array $parts) { protected function formatSelectClause(
AphrontDatabaseConnection $conn,
array $parts) {
$parts = $this->flattenSubclause($parts); $parts = $this->flattenSubclause($parts);
if (!$parts) { if (!$parts) {
throw new Exception(pht('Can not build empty select clause!')); throw new Exception(pht('Can not build empty SELECT clause!'));
} }
return 'SELECT '.$this->formatSelectSubclause($parts); return qsprintf($conn, 'SELECT %LQ', $parts);
}
/**
* @task format
*/
protected function formatSelectSubclause(array $parts) {
$parts = $this->flattenSubclause($parts);
if (!$parts) {
return null;
}
return implode(', ', $parts);
} }
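Review bot: The `@task format` docblock above `formatSelectClause` does not state the new contract on `$parts`: with the body now returning `qsprintf($conn, 'SELECT %LQ', $parts)`, every element has to be a `qsprintf()` result already, and a subclass that still appends a raw string presumably reproduces the very unsafe-`%Q` warning this series is removing. I would add `@param AphrontDatabaseConnection $conn` and `@param array $parts SELECT fragments, each already formatted with qsprintf(); raw strings are not accepted.` to the docblock, plus a `@return` line noting the method now returns qsprintf()'s query-string object rather than a plain string. The added `$conn` parameter also changes the method's arity, so any subclass outside the three touched files that overrides the old one-argument form would fail at declaration time; worth a grep, though I cannot see the rest of the tree from here.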


@ -277,7 +277,7 @@ abstract class PhabricatorCursorPagedPolicyAwareQuery
*/ */
protected function buildSelectClause(AphrontDatabaseConnection $conn) { protected function buildSelectClause(AphrontDatabaseConnection $conn) {
$parts = $this->buildSelectClauseParts($conn); $parts = $this->buildSelectClauseParts($conn);
return $this->formatSelectClause($parts); return $this->formatSelectClause($conn, $parts);
} }
@ -291,7 +291,7 @@ abstract class PhabricatorCursorPagedPolicyAwareQuery
if ($alias) { if ($alias) {
$select[] = qsprintf($conn, '%T.*', $alias); $select[] = qsprintf($conn, '%T.*', $alias);
} else { } else {
$select[] = '*'; $select[] = qsprintf($conn, '*');
} }
$select[] = $this->buildEdgeLogicSelectClause($conn); $select[] = $this->buildEdgeLogicSelectClause($conn);