zishuo/sponge
1
0
Fork 0
mirror of https://github.com/zhufuyi/sponge.git synced 2025-10-04 08:26:24 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: whitelist names of embed models

Browse Source
This commit is contained in:
zhuyasen
2025-05-18 23:20:56 +08:00
parent d62a16ceb7
commit 7c90a8da10
2 changed files with 65 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
pkg/sql2code/parser/template.go
View File

@@ -24,6 +24,16 @@ func (m *{{.TableName}}) TableName() string {
return "{{.RawTableName}}"
}
{{end}}
`
tableColumnsTmpl *template.Template
tableColumnsTmplRaw = `
// {{.TableName}}ColumnNames Whitelist for custom query fields to prevent sql injection attacks
var {{.TableName}}ColumnNames = map[string]bool{
{{- range .Fields}}
"{{.ColName}}": true,
{{- end}}
}
`
modelTmpl *template.Template
@@ -730,6 +740,10 @@ func initTemplate() {
if err != nil {
errSum = errors.Wrap(err, "modelStructTmplRaw")
}
tableColumnsTmpl, err = template.New("tableColumns").Parse(tableColumnsTmplRaw)
if err != nil {
errSum = errors.Wrap(err, "tableColumnsTmplRaw")
}
modelTmpl, err = template.New("goFile").Parse(modelTmplRaw)
if err != nil {
errSum = errors.Wrap(errSum, "modelTmplRaw:"+err.Error())