From 2bd77e3bf93cf1d4d5e0afb101b4c1b0b3ba4703 Mon Sep 17 00:00:00 2001
From: Doriel Rivalet <100863878+DorielRivalet@users.noreply.github.com>
Date: Sun, 30 Apr 2023 08:40:24 -0300
Subject: [PATCH] fix(sqlite): security hotspots

---
 .../Class/DataAccessLayer/DatabaseManager.cs | 24 ++++++++++++-------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/MHFZ_Overlay/Core/Class/DataAccessLayer/DatabaseManager.cs b/MHFZ_Overlay/Core/Class/DataAccessLayer/DatabaseManager.cs
index 7e2d63ca..5044452f 100644
--- a/MHFZ_Overlay/Core/Class/DataAccessLayer/DatabaseManager.cs
+++ b/MHFZ_Overlay/Core/Class/DataAccessLayer/DatabaseManager.cs
@@ -21,6 +21,7 @@
 using System.Threading;
 using System.Windows;
 using System.Windows.Controls;
+using System.Windows.Documents;
 using System.Windows.Media.Animation;
 using System.Windows.Media.Imaging;
 using Formatting = Newtonsoft.Json.Formatting;
@@ -2619,7 +2620,9 @@ private Dictionary<string, Dictionary<string, object>> CreateReferenceSchemaJSON
 // Set the table name
 using (var cmd2 = conn.CreateCommand())
 {
- cmd2.CommandText = $"SELECT tbl_name FROM sqlite_master WHERE name='{objectName}'";
+ cmd2.CommandText = "SELECT tbl_name FROM sqlite_master WHERE name=@name";
+ cmd2.Parameters.AddWithValue("@name", objectName);
+
 var tableName = cmd2.ExecuteScalar().ToString();
 
 // Initialize the schema entry for the table if it doesn't exist
@@ -2640,7 +2643,9 @@ private Dictionary<string, Dictionary<string, object>> CreateReferenceSchemaJSON
 // Set the table name
 using (var cmd3 = conn.CreateCommand())
 {
- cmd3.CommandText = $"SELECT tbl_name FROM sqlite_master WHERE name='{objectName}'";
+ cmd3.CommandText = "SELECT tbl_name FROM sqlite_master WHERE name=@name";
+ cmd3.Parameters.AddWithValue("@name", objectName);
+
 var tableName = cmd3.ExecuteScalar().ToString();
 
 // Initialize the schema entry for the table if it doesn't exist
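Review bot: The added `using System.Windows.Documents;` is not referenced by any line this patch adds, so it appears unused in the context of this change; if nothing elsewhere in DatabaseManager.cs needs it, drop the directive so the SQL fix is not bundled with an unrelated import (IDE0005 would flag it as unnecessary). The rest of the directive block is untouched and lies outside the hunk.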
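Review bot: `cmd2.ExecuteScalar().ToString()` on the line right after the new `AddWithValue` still dereferences the scalar unconditionally, so if `@name` matches no row in sqlite_master the lookup fails with a NullReferenceException instead of a meaningful error; guard it with `if (cmd2.ExecuteScalar() is not string tableName) { throw new InvalidOperationException($"Object '{objectName}' not found in sqlite_master"); }`. Moving from string interpolation to a bound parameter is the right fix for the lookup itself. The identical block is repeated for cmd3 in the next hunk (-2640), so both copies would be cleaner as one small private helper that runs the parameterized lookup once and returns the name. The enclosing CreateReferenceSchemaJSON body begins and ends outside these hunks.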
@@ -6714,7 +6719,7 @@ GROUP BY lock (dataLoader.model.weaponUsageSync) { // Use the weaponTypeID, styleID, and runCount values to populate your - // livechart graph + // LiveChart graph // use a switch statement or a lookup table to convert the // weaponTypeID and styleID to their corresponding string names
@@ -8611,9 +8616,10 @@ FROM ActiveSkills
 /// <returns></returns>
 private static long GetMaxValueWithWhere(string field, string table, SQLiteConnection conn, string whereField, long whereValue)
 {
- string query = $"SELECT MAX({field}) FROM {table} WHERE {whereField} = {whereValue}";
+ string query = $"SELECT MAX({field}) FROM {table} WHERE {whereField} = @whereValue";
 using (var command = new SQLiteCommand(query, conn))
 {
+ command.Parameters.AddWithValue("@whereValue", whereValue);
 return (long)command.ExecuteScalar();
 }
 }
@@ -8629,9 +8635,10 @@ private static long GetMaxValueWithWhere(string field, string table, SQLiteConne
 /// <returns></returns>
 private static long GetMinValueWithWhere(string field, string table, SQLiteConnection conn, string whereField, long whereValue)
 {
- string query = $"SELECT MIN({field}) FROM {table} WHERE {whereField} = {whereValue}";
+ string query = $"SELECT MIN({field}) FROM {table} WHERE {whereField} = @whereValue";
 using (var command = new SQLiteCommand(query, conn))
 {
+ command.Parameters.AddWithValue("@whereValue", whereValue);
 return (long)command.ExecuteScalar();
 }
 }
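Review bot: Binding `@whereValue` in GetMaxValueWithWhere replaces the one interpolation that was already non-injectable (`whereValue` is a `long`), while `{field}`, `{table}` and `{whereField}` are still spliced straight into the query text; the same holds for GetMinValueWithWhere, GetAverageValueWithWhere and GetMedianValueWithWhere (hunks -8629, -8647, -8666). Identifiers cannot be bound as SQL parameters, so the remaining exposure depends on whether any caller ever passes a name that is not a compile-time constant, which this diff does not show. That contract should at least be stated on each helper, e.g. `/// <remarks>field, table and whereField are interpolated as SQL identifiers; pass only compile-time constant names, never user- or file-derived strings.</remarks>`, and ideally enforced by checking them against a fixed allow-list of known column and table names before building the query. Separately, `(long)command.ExecuteScalar()` throws InvalidCastException when the WHERE clause matches no rows, because MAX/MIN over an empty set is NULL and arrives as DBNull; `return command.ExecuteScalar() is long v ? v : 0L;` (or an explicit throw with the table name) would make that case deliberate.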
@@ -8647,9 +8654,10 @@ private static long GetMinValueWithWhere(string field, string table, SQLiteConne
 /// <returns></returns>
 private static double GetAverageValueWithWhere(string field, string table, SQLiteConnection conn, string whereField, long whereValue)
 {
- string query = $"SELECT AVG({field}) FROM {table} WHERE {whereField} = {whereValue}";
+ string query = $"SELECT AVG({field}) FROM {table} WHERE {whereField} = @whereValue";
 using (var command = new SQLiteCommand(query, conn))
 {
+ command.Parameters.AddWithValue("@whereValue", whereValue);
 return (double)command.ExecuteScalar();
 }
 }
@@ -8666,9 +8674,10 @@ private static double GetAverageValueWithWhere(string field, string table, SQLit
 private static double GetMedianValueWithWhere(string field, string table, SQLiteConnection conn, string whereField, long whereValue)
 {
 // TODO: not sure if correct
- string query = $"SELECT AVG({field}) FROM (SELECT {field}, ROW_NUMBER() OVER (ORDER BY {field}) AS RowNum, COUNT(*) OVER() AS TotalRows FROM {table} WHERE {whereField} = {whereValue}) temp WHERE RowNum BETWEEN (TotalRows/2) + 1 AND (TotalRows/2) + 2;";
+ string query = $"SELECT AVG({field}) FROM (SELECT {field}, ROW_NUMBER() OVER (ORDER BY {field}) AS RowNum, COUNT(*) OVER() AS TotalRows FROM {table} WHERE {whereField} = @whereValue) temp WHERE RowNum BETWEEN (TotalRows/2) + 1 AND (TotalRows/2) + 2;";
 using (var command = new SQLiteCommand(query, conn))
 {
+ command.Parameters.AddWithValue("@whereValue", whereValue);
 return (double)command.ExecuteScalar();
 }
 }
@@ -8971,7 +8980,6 @@ FROM Quests return soloQuests * 100.0 / totalQuests; } - #endregion #region compendium
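Review bot: The rewritten query in GetMedianValueWithWhere still carries `// TODO: not sure if correct`, and the row window it keeps is indeed off by one: `RowNum BETWEEN (TotalRows/2) + 1 AND (TotalRows/2) + 2` averages rows 3 and 4 of a 5-row set (the median is row 3) and rows 3 and 4 of a 4-row set (the median is the mean of rows 2 and 3). Replacing the outer filter with `WHERE RowNum IN ((TotalRows + 1) / 2, (TotalRows + 2) / 2)` selects the single middle row for odd counts and the two middle rows for even counts, relying on SQLite's integer division, and lets the TODO be removed. As in the other aggregate helpers, `(double)command.ExecuteScalar()` fails with InvalidCastException when the filter matches no rows, since AVG of an empty set is NULL and arrives as DBNull; decide explicitly whether that should return NaN, 0, or throw.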