From d431ff377800a46b0833aeec5243d80ab2c020cb Mon Sep 17 00:00:00 2001
From: Jordan Christiansen
Date: Mon, 4 May 2020 08:45:24 -0500
Subject: [PATCH] Prevent potential sql injection in get_game
---
 lutris/pga.py | 7 +++++--
 tests/test_pga.py | 6 ++++++
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/lutris/pga.py b/lutris/pga.py
index cef289e1d..21e52c39b 100644
--- a/lutris/pga.py
+++ b/lutris/pga.py
@@ -234,13 +234,16 @@ def get_games(
 name_filter=None,
 filter_installed=False,
 filter_runner=None,
- select="*",
+ select=None,
 show_installed_first=False,
 ):
 """Get the list of every game in database."""
- query = "select " + select + " from games"
+ query = "select * from games"
 params = []
 filters = []
+ if select:
+ query = "select ? from games"
+ params.append(select)
 if name_filter:
 params.append(name_filter)
 filters.append("name LIKE ?")
diff --git a/tests/test_pga.py b/tests/test_pga.py
index dae3c8e43..b4857c8c1 100644
--- a/tests/test_pga.py
+++ b/tests/test_pga.py
@@ -64,6 +64,12 @@ class TestPersonnalGameArchive(DatabaseTester):
 game = pga.get_game_by_field("some-game", "slug")
 self.assertEqual(game['directory'], '/foo')
+ def test_get_games_is_safe(self):
+ try:
+ pga.get_games(select="; asdf")
+ except OperationalError:
+ self.fail()
+
 class TestDbCreator(DatabaseTester):
 def test_can_generate_fields(self):
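Review bot: Binding `select` with `query = "select ? from games"` does not preserve what the argument used to mean: in sqlite3 a `?` placeholder binds a value, never an identifier, so a caller passing `select="id, slug"` now gets each row back as the literal string `id, slug` instead of those columns, and the injection is replaced by a silent semantic change. Placeholders cannot carry column lists; the defence for this argument is validation against the known column names, e.g. `if select and not all(col.strip() in ALLOWED_COLUMNS for col in select.split(",")): raise ValueError(f"unknown column in select: {select!r}")` followed by `query = "select " + (select or "*") + " from games"`, where `ALLOWED_COLUMNS` is a placeholder for the games table's field list (derive it from the schema this module already owns rather than hard-coding it). Changing the default to `select=None` is fine and should stay. The body of `get_games` continues past the hunk, so the WHERE clause it assembles from `filters` afterwards is not visible here.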
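Review bot: `test_get_games_is_safe` only asserts that `pga.get_games(select="; asdf")` raises no OperationalError, which also holds when `select` is ignored or bound as a literal value, so it does not pin that a legitimate column list still selects those columns. Add a positive case next to it, e.g. `rows = pga.get_games(select="slug")` and `self.assertEqual(rows[0]["slug"], "some-game")` (the preceding test reads `game['directory']` and looks up `"some-game"` by slug, so the fixture appears to hold that game and rows appear to be dict-like — confirm against DatabaseTester), and consider asserting that a malformed value is rejected rather than merely tolerated. `self.fail()` with no message gives no hint of what went wrong; `self.fail("unvalidated select argument reached the SQL engine")` would. `OperationalError` must also be in scope in this module; its import, if any, is outside the hunk.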