From 2bd77e3bf93cf1d4d5e0afb101b4c1b0b3ba4703 Mon Sep 17 00:00:00 2001
From: Doriel Rivalet <100863878+DorielRivalet@users.noreply.github.com>
Date: Sun, 30 Apr 2023 08:40:24 -0300
Subject: [PATCH] fix(sqlite): security hotspots

---
 .../Class/DataAccessLayer/DatabaseManager.cs  | 24 ++++++++++++-------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/MHFZ_Overlay/Core/Class/DataAccessLayer/DatabaseManager.cs b/MHFZ_Overlay/Core/Class/DataAccessLayer/DatabaseManager.cs
index 7e2d63ca..5044452f 100644
--- a/MHFZ_Overlay/Core/Class/DataAccessLayer/DatabaseManager.cs
+++ b/MHFZ_Overlay/Core/Class/DataAccessLayer/DatabaseManager.cs
@@ -21,6 +21,7 @@
 using System.Threading;
 using System.Windows;
 using System.Windows.Controls;
+using System.Windows.Documents;
 using System.Windows.Media.Animation;
 using System.Windows.Media.Imaging;
 using Formatting = Newtonsoft.Json.Formatting;
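Review bot: Nothing in this patch references `System.Windows.Documents`, so the added using on the fourth line of this hunk looks like an IDE auto-import rather than something the SQL hardening needs; if no code outside the patch uses it, drop the line. An unused using only widens the set of names in scope and makes a security-scoped commit harder to audit. If it is needed, a short mention in the commit message would explain why a sqlite fix touches WPF document types.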
@@ -2619,7 +2620,9 @@ private Dictionary<string, Dictionary<string, object>> CreateReferenceSchemaJSON
                                     // Set the table name
                                     using (var cmd2 = conn.CreateCommand())
                                     {
-                                        cmd2.CommandText = $"SELECT tbl_name FROM sqlite_master WHERE name='{objectName}'";
+                                        cmd2.CommandText = "SELECT tbl_name FROM sqlite_master WHERE name=@name";
+                                        cmd2.Parameters.AddWithValue("@name", objectName);
+
                                         var tableName = cmd2.ExecuteScalar().ToString();
 
                                         // Initialize the schema entry for the table if it doesn't exist
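Review bot: `cmd2.ExecuteScalar().ToString()` on the context line after the new parameter throws a NullReferenceException when no sqlite_master row matches `@name`, because ExecuteScalar returns null for an empty result; parameterizing the lookup is right, but the result still needs a null check, e.g. `var tableName = cmd2.ExecuteScalar() as string;` followed by a guard that skips or throws when it is null. Since `objectName` is presumably read from sqlite_master earlier in this method, the parameter mainly protects against object names containing quotes rather than attacker-controlled input, which is worth saying in a one-line comment so the next reader does not hunt for an external source. CreateReferenceSchemaJSON starts and ends outside this hunk.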
@@ -2640,7 +2643,9 @@ private Dictionary<string, Dictionary<string, object>> CreateReferenceSchemaJSON
                                     // Set the table name
                                     using (var cmd3 = conn.CreateCommand())
                                     {
-                                        cmd3.CommandText = $"SELECT tbl_name FROM sqlite_master WHERE name='{objectName}'";
+                                        cmd3.CommandText = "SELECT tbl_name FROM sqlite_master WHERE name=@name";
+                                        cmd3.Parameters.AddWithValue("@name", objectName);
+
                                         var tableName = cmd3.ExecuteScalar().ToString();
 
                                         // Initialize the schema entry for the table if it doesn't exist
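Review bot: The context line `var tableName = cmd3.ExecuteScalar().ToString();` dereferences a null when the bound `@name` matches nothing in sqlite_master, so the hardened query can still crash the schema walk on an unexpected object name. A pattern-matched read such as `if (cmd3.ExecuteScalar() is not string tableName) { /* skip or throw */ }` keeps the parameterization and makes the empty case explicit. The body of CreateReferenceSchemaJSON continues outside this hunk, so the right skip-or-throw choice depends on the enclosing loop.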
@@ -6714,7 +6719,7 @@ GROUP BY
                                         lock (dataLoader.model.weaponUsageSync)
                                         {
                                             // Use the weaponTypeID, styleID, and runCount values to populate your
-                                            // livechart graph
+                                            // LiveChart graph
                                             // use a switch statement or a lookup table to convert the
                                             // weaponTypeID and styleID to their corresponding string names
 
@@ -8611,9 +8616,10 @@ FROM ActiveSkills
         /// <returns></returns>
         private static long GetMaxValueWithWhere(string field, string table, SQLiteConnection conn, string whereField, long whereValue)
         {
-            string query = $"SELECT MAX({field}) FROM {table} WHERE {whereField} = {whereValue}";
+            string query = $"SELECT MAX({field}) FROM {table} WHERE {whereField} = @whereValue";
             using (var command = new SQLiteCommand(query, conn))
             {
+                command.Parameters.AddWithValue("@whereValue", whereValue);
                 return (long)command.ExecuteScalar();
             }
         }
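Review bot: `field`, `table` and `whereField` are still interpolated straight into the query on the new line, so the statement can be rewritten by whoever controls those strings; only `whereValue` moved to a parameter, and as a `long` it could never have carried SQL text, so the injection surface is unchanged. SQLite cannot bind identifiers, so validate them before building the string, e.g. `if (!Regex.IsMatch(field, "^[A-Za-z_][A-Za-z0-9_]*$") || !Regex.IsMatch(table, "^[A-Za-z_][A-Za-z0-9_]*$") || !Regex.IsMatch(whereField, "^[A-Za-z_][A-Za-z0-9_]*$")) throw new ArgumentException("Invalid SQL identifier");` (or check them against the known table and column names) and wrap them in double quotes in the query. Separately, `(long)command.ExecuteScalar()` throws InvalidCastException when no row matches, because MAX over an empty set is NULL and comes back as `DBNull.Value`; `command.ExecuteScalar() is long v ? v : 0` would make the empty case explicit. If every caller passes compile-time constant names, a one-line comment saying so would let the next reader skip the audit.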
@@ -8629,9 +8635,10 @@ private static long GetMaxValueWithWhere(string field, string table, SQLiteConne
         /// <returns></returns>
         private static long GetMinValueWithWhere(string field, string table, SQLiteConnection conn, string whereField, long whereValue)
         {
-            string query = $"SELECT MIN({field}) FROM {table} WHERE {whereField} = {whereValue}";
+            string query = $"SELECT MIN({field}) FROM {table} WHERE {whereField} = @whereValue";
             using (var command = new SQLiteCommand(query, conn))
             {
+                command.Parameters.AddWithValue("@whereValue", whereValue);
                 return (long)command.ExecuteScalar();
             }
         }
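Review bot: Binding `@whereValue` does not close the hole the hotspot flagged: the identifiers `field`, `table` and `whereField` are still string-interpolated on the new query line, and `whereValue` was already a `long` that could not inject. Because identifiers cannot be bound, guard them before the interpolation, `if (!Regex.IsMatch(field, "^[A-Za-z_][A-Za-z0-9_]*$") || !Regex.IsMatch(table, "^[A-Za-z_][A-Za-z0-9_]*$") || !Regex.IsMatch(whereField, "^[A-Za-z_][A-Za-z0-9_]*$")) throw new ArgumentException("Invalid SQL identifier");`, and emit them as `"{field}"` in the query. The `(long)` cast also fails with InvalidCastException when the WHERE matches no rows, since MIN then returns NULL as `DBNull.Value`; `command.ExecuteScalar() is long v ? v : 0` or a documented throw would pin that behaviour.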
@@ -8647,9 +8654,10 @@ private static long GetMinValueWithWhere(string field, string table, SQLiteConne
         /// <returns></returns>
         private static double GetAverageValueWithWhere(string field, string table, SQLiteConnection conn, string whereField, long whereValue)
         {
-            string query = $"SELECT AVG({field}) FROM {table} WHERE {whereField} = {whereValue}";
+            string query = $"SELECT AVG({field}) FROM {table} WHERE {whereField} = @whereValue";
             using (var command = new SQLiteCommand(query, conn))
             {
+                command.Parameters.AddWithValue("@whereValue", whereValue);
                 return (double)command.ExecuteScalar();
             }
         }
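Review bot: The new query line still interpolates `field`, `table` and `whereField` as raw identifiers, so the parameterized `@whereValue` only moves a value that was already a non-injectable `long`; the names need an allowlist or identifier-shape check such as `if (!Regex.IsMatch(field, "^[A-Za-z_][A-Za-z0-9_]*$") || !Regex.IsMatch(table, "^[A-Za-z_][A-Za-z0-9_]*$") || !Regex.IsMatch(whereField, "^[A-Za-z_][A-Za-z0-9_]*$")) throw new ArgumentException("Invalid SQL identifier");` before the string is built. `(double)command.ExecuteScalar()` throws InvalidCastException when no row matches, because AVG over an empty set is NULL and is returned as `DBNull.Value`; `command.ExecuteScalar() is double v ? v : 0.0` makes the empty case explicit. A header comment stating that the identifiers must come from trusted, compile-time constants would tell the next maintainer what contract these helpers rely on.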
@@ -8666,9 +8674,10 @@ private static double GetAverageValueWithWhere(string field, string table, SQLit
         private static double GetMedianValueWithWhere(string field, string table, SQLiteConnection conn, string whereField, long whereValue)
         {
             // TODO: not sure if correct
-            string query = $"SELECT AVG({field}) FROM (SELECT {field}, ROW_NUMBER() OVER (ORDER BY {field}) AS RowNum, COUNT(*) OVER() AS TotalRows FROM {table} WHERE {whereField} = {whereValue}) temp WHERE RowNum BETWEEN (TotalRows/2) + 1 AND (TotalRows/2) + 2;";
+            string query = $"SELECT AVG({field}) FROM (SELECT {field}, ROW_NUMBER() OVER (ORDER BY {field}) AS RowNum, COUNT(*) OVER() AS TotalRows FROM {table} WHERE {whereField} = @whereValue) temp WHERE RowNum BETWEEN (TotalRows/2) + 1 AND (TotalRows/2) + 2;";
             using (var command = new SQLiteCommand(query, conn))
             {
+                command.Parameters.AddWithValue("@whereValue", whereValue);
                 return (double)command.ExecuteScalar();
             }
         }
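Review bot: The row window `BETWEEN (TotalRows/2) + 1 AND (TotalRows/2) + 2` on the new query line does not select the median: for 4 rows it averages rows 3 and 4 instead of 2 and 3, and for 5 rows it averages rows 3 and 4 instead of taking row 3 alone, which confirms the TODO above it. `WHERE RowNum IN ((TotalRows + 1) / 2, (TotalRows + 2) / 2)` picks exactly the middle row for odd counts and the two middle rows for even counts, and the outer `AVG` then yields the standard median. As in the sibling helpers, `field`, `table` and `whereField` are still interpolated as identifiers, which binding cannot replace, so they should be validated against the known column and table names before this string is built. `(double)command.ExecuteScalar()` also throws on `DBNull.Value` when the WHERE matches nothing.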
@@ -8971,7 +8980,6 @@ FROM Quests
             return soloQuests * 100.0 / totalQuests;
         }
 
-
         #endregion
 
         #region compendium