Replace url-unsafe characters in base64 query data
This commit is contained in:
parent
586605557e
commit
540613645f
@ -281,7 +281,7 @@ func GetTableConstraints(c *gin.Context) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func HandleQuery(query string, c *gin.Context) {
|
func HandleQuery(query string, c *gin.Context) {
|
||||||
rawQuery, err := base64.StdEncoding.DecodeString(query)
|
rawQuery, err := base64.StdEncoding.DecodeString(desanitize64(query))
|
||||||
if err == nil {
|
if err == nil {
|
||||||
query = string(rawQuery)
|
query = string(rawQuery)
|
||||||
}
|
}
|
||||||
|
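Review bot: The new `rawQuery, err := base64.StdEncoding.DecodeString(desanitize64(query))` line still fails for any query whose base64 form ends in `==`: the frontend change in this same commit collapses the whole trailing padding run into a single `.`, desanitize64 turns that back into a single `=`, and StdEncoding rejects the result as incorrect padding (`btoa("a")` → `YQ==` → `YQ.` → `YQ=`). Because the surrounding `if err == nil` only swaps in the decoded bytes on success, such a request silently continues with the still-encoded text as the query, which hides the failure instead of reporting it; the rest of HandleQuery is outside this hunk, so I cannot see whether anything downstream catches it. Consider rejecting the request when `err != nil` rather than falling through, and either recompute the padding in desanitize64 or decode with `base64.RawURLEncoding.DecodeString(strings.TrimRight(query, "."))`, which accepts `-`/`_` natively and needs no padding at all (this file's imports are not visible here, so `strings` may need adding).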
@ -5,6 +5,7 @@ import (
|
|||||||
"mime"
|
"mime"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
"strconv"
|
"strconv"
|
||||||
|
"strings"
|
||||||
|
|
||||||
"github.com/gin-gonic/gin"
|
"github.com/gin-gonic/gin"
|
||||||
|
|
||||||
@ -29,10 +30,31 @@ var allowedPaths = map[string]bool{
|
|||||||
"/api/history": true,
|
"/api/history": true,
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// List of characters replaced by javascript code to make queries url-safe.
|
||||||
|
var base64subs = map[string]string{
|
||||||
|
"-": "+",
|
||||||
|
"_": "/",
|
||||||
|
".": "=",
|
||||||
|
}
|
||||||
|
|
||||||
type Error struct {
|
type Error struct {
|
||||||
Message string `json:"error"`
|
Message string `json:"error"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func NewError(err error) Error {
|
||||||
|
return Error{err.Error()}
|
||||||
|
}
|
||||||
|
|
||||||
|
func desanitize64(query string) string {
|
||||||
|
// Before feeding the string into decoded, we must "reconstruct" the base64 data.
|
||||||
|
// Javascript replaces a few characters to be url-safe.
|
||||||
|
for olds, news := range base64subs {
|
||||||
|
query = strings.Replace(query, olds, news, -1)
|
||||||
|
}
|
||||||
|
|
||||||
|
return query
|
||||||
|
}
|
||||||
|
|
||||||
func getSessionId(c *gin.Context) string {
|
func getSessionId(c *gin.Context) string {
|
||||||
id := c.Request.Header.Get("x-session-id")
|
id := c.Request.Header.Get("x-session-id")
|
||||||
if id == "" {
|
if id == "" {
|
||||||
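Review bot: desanitize64 maps `.` to `=` one-for-one, but encodeQuery on the JavaScript side replaces the entire trailing `=` run with a single `.` (`.replace(/=+$/, ".")`), so every input whose encoding needs two pad characters comes back one `=` short and will not decode with StdEncoding. The helper should strip the `.` marker and recompute the padding from the length instead of substituting it; with that, the `".": "="` entry in base64subs becomes redundant and can be dropped, and the doc comment should say why (`// encodeQuery collapses the trailing "=" run to one ".", so padding is recomputed here, not mapped.`). The `strings.Replace(query, olds, news, -1)` calls are order-independent, so the random map iteration order is harmless, but a reader may wonder; a short comment there would help.
```go
func desanitize64(query string) string {
	// Undo the substitutions encodeQuery (frontend) applies to make the
	// base64 text URL-safe. The JS side collapses the whole trailing "="
	// run into one ".", so padding must be recomputed, not mapped 1:1.
	query = strings.TrimRight(query, ".")
	// Substitutions touch disjoint characters, so map iteration order does not matter.
	for olds, news := range base64subs {
		query = strings.Replace(query, olds, news, -1)
	}
	if rem := len(query) % 4; rem != 0 {
		query += strings.Repeat("=", 4-rem)
	}
	return query
}
```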
@ -100,7 +122,3 @@ func assetContentType(name string) string {
|
|||||||
|
|
||||||
return result
|
return result
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewError(err error) Error {
|
|
||||||
return Error{err.Error()}
|
|
||||||
}
|
|
||||||
|
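--- /dev/null
+++ b/pkg/api/helpers_test.go
@@ -0,0 +1,19 @@
+package api
+
+import (
+	"github.com/stretchr/testify/assert"
+	"testing"
+)
+
+func Test_desanitize64(t *testing.T) {
+	examples := map[string]string{
+		"test":        "test",
+		"test+test+":  "test-test-",
+		"test/test/":  "test_test_",
+		"test=test==": "test.test..",
+	}
+
+	for expected, example := range examples {
+		assert.Equal(t, expected, desanitize64(example))
+	}
+}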
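Review bot: The fixture `"test=test==": "test.test.."` does not match what the frontend sends: encodeQuery in this commit replaces the whole trailing `=` run with one `.`, so a two-pad value arrives as `test.`, not `test..`, and this test never exercises that shape. Add a case built from a real encoder output, e.g. `"YQ==": "YQ."`, which fails against the current desanitize64 and would pin the padding round-trip; `test.test..` is not a string encodeQuery can produce, since it only emits `.` at the end, so keep it only if desanitize64 is meant to be lenient there. Minor: goimports would place `"testing"` in a stdlib group ahead of the testify import.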
File diff suppressed because one or more lines are too long
@ -96,7 +96,7 @@ function explainQuery(query, cb) { apiCall("post", "/explain", { quer
|
|||||||
function disconnect(cb) { apiCall("post", "/disconnect", {}, cb); }
|
function disconnect(cb) { apiCall("post", "/disconnect", {}, cb); }
|
||||||
|
|
||||||
function encodeQuery(query) {
|
function encodeQuery(query) {
|
||||||
return window.btoa(query);
|
return window.btoa(query).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, ".");
|
||||||
}
|
}
|
||||||
|
|
||||||
function buildSchemaSection(name, objects) {
|
function buildSchemaSection(name, objects) {
|
||||||
|
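Review bot: The new `.replace(/=+$/, ".")` discards how many padding characters were present, so the server cannot restore them by a plain character substitution; unless desanitize64 recomputes padding from the length, this should be a one-to-one mapping (`.replace(/=/g, ".")`) or the padding should be dropped entirely and the server should use a raw (unpadded) decoder. Separately, `window.btoa` throws `InvalidCharacterError` for any character outside Latin-1, so a query containing a non-ASCII literal is never sent at all; encoding to UTF-8 bytes first, `window.btoa(unescape(encodeURIComponent(query)))`, avoids that, and `string(rawQuery)` on the Go side already treats the decoded bytes as UTF-8.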