Quote table and column identifiers using SQLAlchemy dialect preparer when adding missing columns to avoid SQL injection and syntax errors. (#1237 )

Merge pull request #1227 from WGDashboard/v4.3.3-quick-fix
Update wgd.sh
2026-04-17 10:26:18 +00:00 · 2026-04-16 20:56:16 +02:00 · 2026-04-10 16:27:04 +08:00 · 2026-04-10 16:18:12 +08:00 · 2026-04-10 15:50:10 +08:00 · 2026-04-10 15:45:26 +08:00
4 changed files with 8 additions and 13 deletions
--- a/src/modules/AmneziaPeer.py
+++ b/src/modules/AmneziaPeer.py
@@ -116,5 +116,5 @@ class AmneziaPeer(Peer):
            self.configuration.getPeers()
            return True, None
        except subprocess.CalledProcessError as exc:
-            current_app.logger.error(f"Subprocess call failed:\n{exc.output.decode("UTF-8")}")
+            current_app.logger.error(f"Subprocess call failed:\n{exc.output.decode('UTF-8')}")
            return False, "Internal server error"
--- a/src/modules/DashboardConfig.py
+++ b/src/modules/DashboardConfig.py
@@ -146,7 +146,10 @@ class DashboardConfig:
                        if col_name not in existing_columns:
                            type_str = col_type().compile(dialect=self.engine.dialect)
                            current_app.logger.info(f"Adding missing column '{col_name}' to table '{table_name}'")
-                            conn.execute(db.text(f'ALTER TABLE "{table_name}" ADD COLUMN "{col_name}" {type_str}'))
+                            preparer = self.engine.dialect.identifier_preparer
+                            quoted_table = preparer.quote_identifier(table_name)
+                            quoted_column = preparer.quote_identifier(col_name)
+                            conn.execute(db.text(f"ALTER TABLE {quoted_table} ADD COLUMN {quoted_column} {type_str}"))

    def getConnectionString(self, database) -> str or None:
        sqlitePath = os.path.join(DashboardConfig.ConfigurationPath, "db")
--- a/src/modules/Peer.py
+++ b/src/modules/Peer.py
@@ -151,7 +151,7 @@ class Peer:
                )
            return True, None
        except subprocess.CalledProcessError as exc:
-            current_app.logger.error(f"Subprocess call failed:\n{exc.output.decode("UTF-8")}")
+            current_app.logger.error(f"Subprocess call failed:\n{exc.output.decode('UTF-8')}")
            return False, "Internal server error"

    def downloadPeer(self) -> dict[str, str]:
--- a/src/wgd.sh
+++ b/src/wgd.sh
@@ -247,27 +247,19 @@ _checkWireguard(){


 _checkPythonVersion(){
-	version_pass=$($pythonExecutable -c 'import sys; print("1") if (sys.version_info.major == 3 and sys.version_info.minor >= 10) else print("0");')
+	version_pass=$($pythonExecutable -c 'import sys; print("1") if (sys.version_info.major == 3 and sys.version_info.minor >= 12) else print("0");')
 	version=$($pythonExecutable --version)
 	if [ $version_pass == "1" ]
 	  	then 
 	  		printf "[WGDashboard] %s Found compatible version of Python. Will be using %s to install WGDashboard.\n" "$heavy_checkmark" "$($pythonExecutable --version)"
 			return;
-	elif python3.10 --version > /dev/null 2>&1
-		then
-	 		printf "[WGDashboard] %s Found Python 3.10. Will be using [python3.10] to install WGDashboard.\n" "$heavy_checkmark"
-	 		pythonExecutable="python3.10"
-	elif python3.11 --version > /dev/null 2>&1
-    	 then
-    	 	printf "[WGDashboard] %s Found Python 3.11. Will be using [python3.11] to install WGDashboard.\n" "$heavy_checkmark"
-    	 	pythonExecutable="python3.11"
    elif python3.12 --version > /dev/null 2>&1
    	 then
    	 	printf "[WGDashboard] %s Found Python 3.12. Will be using [python3.12] to install WGDashboard.\n" "$heavy_checkmark"
    	 	pythonExecutable="python3.12"
 	else
 		printf "[WGDashboard] %s Could not find a compatible version of Python. Current Python is %s.\n" "$heavy_crossmark" "$version"
-		printf "[WGDashboard] WGDashboard required Python 3.10, 3.11 or 3.12. Halting install now.\n"
+		printf "[WGDashboard] WGDashboard required Python 3.12 or above. Halting install now.\n"
 		kill $TOP_PID
 	fi
 }
Author	SHA1	Message	Date
Mikhail Solovev	fedf7db8a4	Quote table and column identifiers using SQLAlchemy dialect preparer when adding missing columns to avoid SQL injection and syntax errors. (#1237 ) Some checks are pending CodeQL / Analyze (javascript) (push) Waiting to run Details CodeQL / Analyze (python) (push) Waiting to run Details Docker Build and Push / docker_build (push) Waiting to run Details Docker Build and Push / docker_scan (push) Blocked by required conditions Details	2026-04-16 20:56:16 +02:00
Donald Zou	cdd85b659c	Merge pull request #1227 from WGDashboard/v4.3.3-quick-fix Some checks failed CodeQL / Analyze (javascript) (push) Has been cancelled Details CodeQL / Analyze (python) (push) Has been cancelled Details Docker Build and Push / docker_build (push) Has been cancelled Details Docker Build and Push / docker_scan (push) Has been cancelled Details Mark stale issues and pull requests / stale (push) Has been cancelled Details Update wgd.sh	2026-04-10 16:27:04 +08:00
Donald Zou	42f9460369	Update wgd.sh	2026-04-10 16:18:12 +08:00
Donald Zou	ba11a7a355	Merge pull request #1226 from WGDashboard/v4.3.3-quick-fix Fixed quotation marks	2026-04-10 15:50:10 +08:00
Donald Zou	71f4449741	Fixed quotation marks	2026-04-10 15:45:26 +08:00
Donald Zou	081c63cd43	Merge pull request #1197 from WGDashboard/development v4.3.3 Merge	2026-04-10 14:50:10 +08:00