Quote table and column identifiers using SQLAlchemy dialect preparer when adding missing columns to avoid SQL injection and syntax errors. (#1237)

This commit is contained in:
Mikhail Solovev
2026-04-16 21:56:16 +03:00
committed by GitHub
parent cdd85b659c
commit fedf7db8a4


@@ -146,7 +146,10 @@ class DashboardConfig:
if col_name not in existing_columns:
type_str = col_type().compile(dialect=self.engine.dialect)
current_app.logger.info(f"Adding missing column '{col_name}' to table '{table_name}'")
conn.execute(db.text(f'ALTER TABLE "{table_name}" ADD COLUMN "{col_name}" {type_str}'))
preparer = self.engine.dialect.identifier_preparer
quoted_table = preparer.quote_identifier(table_name)
quoted_column = preparer.quote_identifier(col_name)
conn.execute(db.text(f"ALTER TABLE {quoted_table} ADD COLUMN {quoted_column} {type_str}"))
def getConnectionString(self, database) -> str or None:
sqlitePath = os.path.join(DashboardConfig.ConfigurationPath, "db")
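Review bot: The new ALTER statement still splices `type_str` into the SQL unquoted, so the hunk only half-closes the trust boundary it describes; that is fine as long as `col_type` comes from the application's own column definitions rather than anything external, and that assumption deserves a comment next to the build of `type_str`, e.g. `# type_str is trusted: it is compiled from this module's own Column types, never from user input`. On the quoting itself, `quote_identifier()` forces quotes unconditionally, whereas SQLAlchemy's own DDL compiler uses `preparer.quote(name)`, which quotes only reserved or case-sensitive names; switching both calls to `preparer.quote(table_name)` / `preparer.quote(col_name)` would keep the hand-built ALTER consistent with how `create_all` emitted the rest of the table, though I have not checked whether any existing column names here depend on forced quoting. The enclosing method, including the loop that supplies `col_name`, `col_type` and `existing_columns`, starts outside the hunk, so whether those names are ever user-influenced cannot be confirmed from here.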