fix(tui): harden EDITOR handling and SQL sort/order validation
Split EDITOR env var on whitespace so multi-word values like "code --wait" work correctly. Add allow-list switch for sort column and order direction at the query boundary to prevent future callers from passing unsanitized values into SQL.
+10
-2
@@ -220,12 +220,20 @@ func (s *Store) List(params ListParams) ([]*Entity, error) {
}
orderCol := "e.created_at"
if params.Sort == "use_count" {
switch params.Sort {
case "use_count":
orderCol = "e.use_count"
case "created_at", "":
orderCol = "e.created_at"
default:
orderCol = "e.created_at"
}
orderDir := "DESC"
if strings.EqualFold(params.Order, "asc") {
switch strings.ToLower(params.Order) {
case "asc":
orderDir = "ASC"
default:
orderDir = "DESC"
}
limit := params.Limit
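Review bot: The `default:` arms of both new switches (and the `case "created_at", "":` arm) assign the same value the variable was just initialised with, so they are no-ops and an unrecognised `params.Sort` or `params.Order` is silently coerced to the default instead of being reported. Since the allow-list is meant to be the SQL boundary and `List` already returns an error, rejecting unknown values makes caller bugs visible: replace the Sort `default:` with `return nil, fmt.Errorf("unsupported sort column %q", params.Sort)` and the Order `default:` with `return nil, fmt.Errorf("unsupported sort order %q", params.Order)` (assuming `fmt` is imported and no caller relies on the fallback; the import block is outside this hunk). If the silent fallback is intentional, drop the redundant arms and keep a comment such as `// unknown sort/order values fall back to created_at DESC` so the next reader does not mistake them for missing handling. The body of `List` starts and ends outside the hunk, including the statement that interpolates `orderCol`/`orderDir` into the query.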