Prevent potential sql injection in get_game

This commit is contained in:
Jordan Christiansen
2020-05-04 08:45:24 -05:00
committed by Mathieu Comandon
parent ed35888182
commit d431ff3778
2 changed files with 11 additions and 2 deletions


@@ -234,13 +234,16 @@ def get_games(
name_filter=None,
filter_installed=False,
filter_runner=None,
select="*",
select=None,
show_installed_first=False,
):
"""Get the list of every game in database."""
query = "select " + select + " from games"
query = "select * from games"
params = []
filters = []
if select:
query = "select ? from games"
params.append(select)
if name_filter:
params.append(name_filter)
filters.append("name LIKE ?")
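Review bot: Binding `select` as a parameter on the new `query = "select ? from games"` line does not select a column — a bound parameter carries a value, not an identifier, so a caller passing `select="name"` gets the literal string `name` back for every row instead of the name column. The injection is closed, but the `select` argument is now effectively inert. If callers do rely on it, the safe pattern is to validate the identifier against an allowlist of the games table's column names and only then interpolate it, e.g. `if select not in ALLOWED_GAME_COLUMNS:  # constructed name for the table's known columns` / `    raise ValueError("unknown column: %s" % select)` / `query = "select %s from games" % select`; if no caller uses it, dropping the parameter is the simpler fix. get_games's body continues outside the hunk.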


@@ -64,6 +64,12 @@ class TestPersonnalGameArchive(DatabaseTester):
game = pga.get_game_by_field("some-game", "slug")
self.assertEqual(game['directory'], '/foo')
def test_get_games_is_safe(self):
try:
pga.get_games(select="; asdf")
except OperationalError:
self.fail()
class TestDbCreator(DatabaseTester):
def test_can_generate_fields(self):
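Review bot: The new `test_get_games_is_safe` only checks that a hostile `select` value does not raise; it never asserts that a legitimate column selection still returns column data, so an implementation that neutralises `select` by treating it as a value rather than an identifier passes unnoticed. A companion check such as `games = pga.get_games(select="name")` followed by an assertion that the rows contain the name of a game the test has presumably inserted (L36 reads back `some-game`), rather than the literal string `name`, would pin the intended behaviour. `self.fail()` would also read better with a reason, e.g. `self.fail("get_games raised OperationalError for a hostile select value")`. The hunk cuts into `test_can_generate_fields`, whose body lies outside it.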