From 893435cca8093e4713e077785139989debe0bb1b Mon Sep 17 00:00:00 2001 From: Santo Cariotti Date: Thu, 18 Mar 2021 19:24:33 +0100 Subject: fix: security with single quote on queries This error was raised because it does not use the `prepare` method --- src/commit/models.rs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'src') diff --git a/src/commit/models.rs b/src/commit/models.rs index 2f1536b..7f6a9fc 100644 --- a/src/commit/models.rs +++ b/src/commit/models.rs @@ -108,15 +108,15 @@ impl Commit { None => "NULL".to_string(), }; raw_query += &format!( - "('{}', {}, '{}', '{}', '{}', '{}', '{}', '{}', '{}'),", + "('{}', {}, E'{}', '{}', '{}', E'{}', '{}', E'{}', '{}'),", commit.hash, tree, - commit.text, + commit.text.replace("'", "\\'"), commit.date, commit.author_email, - commit.author_name, + commit.author_name.replace("'", "\\'"), commit.committer_email, - commit.committer_name, + commit.committer_name.replace("'", "\\'"), commit.repository_url )[..] } -- cgit v1.2.3-18-g5258