Sanitize input #805

2025-12-06 17:15:38 -08:00 · 2024-09-26 07:21:58 +10:00
parent 2fec3b6607
commit 6233f4d646
2 changed files with 21 additions and 15 deletions
--- a/server/device.py
+++ b/server/device.py
@@ -4,7 +4,7 @@ import subprocess
 import conf
 import os
 import re
-from helper import timeNowTZ, get_setting, get_setting_value, list_to_where, resolve_device_name_dig, resolve_device_name_pholus, get_device_name_nbtlookup, get_device_name_nslookup, check_IP_format
+from helper import timeNowTZ, get_setting, get_setting_value, list_to_where, resolve_device_name_dig, resolve_device_name_pholus, get_device_name_nbtlookup, get_device_name_nslookup, check_IP_format, sanitize_SQL_input
 from logger import mylog, print_log
 from const import vendorsPath, vendorsPathNewest, sql_generateGuid

@@ -192,12 +192,12 @@ def create_new_devices (db):
                        {get_setting_value('NEWDEV_dev_NewDevice')}, 
                        {get_setting_value('NEWDEV_dev_SkipRepeated')}, 
                        {get_setting_value('NEWDEV_dev_ScanCycle')}, 
-                        '{get_setting_value('NEWDEV_dev_Owner')}', 
+                        '{sanitize_SQL_input(get_setting_value('NEWDEV_dev_Owner'))}', 
                        {get_setting_value('NEWDEV_dev_Favorite')}, 
-                        '{get_setting_value('NEWDEV_dev_Group')}', 
-                        '{get_setting_value('NEWDEV_dev_Comments')}', 
+                        '{sanitize_SQL_input(get_setting_value('NEWDEV_dev_Group'))}', 
+                        '{sanitize_SQL_input(get_setting_value('NEWDEV_dev_Comments'))}', 
                        {get_setting_value('NEWDEV_dev_LogEvents')}, 
-                        '{get_setting_value('NEWDEV_dev_Location')}'"""
+                        '{sanitize_SQL_input(get_setting_value('NEWDEV_dev_Location'))}'"""

    # Fetch data from CurrentScan
    current_scan_data = sql.execute("SELECT cur_MAC, cur_Name, cur_Vendor, cur_IP, cur_SyncHubNodeName, cur_NetworkNodeMAC, cur_PORT, cur_NetworkSite, cur_SSID, cur_Type FROM CurrentScan").fetchall()
@@ -232,19 +232,19 @@ def create_new_devices (db):
                        )
                        VALUES 
                        (
-                            '{cur_MAC}', 
-                            '{cur_Name}',
-                            '{cur_Vendor}', 
-                            '{cur_IP}', 
+                            '{sanitize_SQL_input(cur_MAC)}', 
+                            '{sanitize_SQL_input(cur_Name)}',
+                            '{sanitize_SQL_input(cur_Vendor)}', 
+                            '{sanitize_SQL_input(cur_IP)}', 
                            ?, 
                            ?, 
-                            '{cur_SyncHubNodeName}', 
+                            '{sanitize_SQL_input(cur_SyncHubNodeName)}', 
                            {sql_generateGuid},
-                            '{cur_NetworkNodeMAC}',
-                            '{cur_PORT}',
-                            '{cur_NetworkSite}', 
-                            '{cur_SSID}',
-                            '{cur_Type}', 
+                            '{sanitize_SQL_input(cur_NetworkNodeMAC)}',
+                            '{sanitize_SQL_input(cur_PORT)}',
+                            '{sanitize_SQL_input(cur_NetworkSite)}', 
+                            '{sanitize_SQL_input(cur_SSID)}',
+                            '{sanitize_SQL_input(cur_Type)}', 
                            {newDevDefaults}
                        )"""

--- a/server/helper.py
+++ b/server/helper.py
@@ -806,6 +806,12 @@ def sanitize_string(input):
    return input


+#-------------------------------------------------------------------------------
+def sanitize_SQL_input(val):
+    val = val.replace("'", '_')
+    return val
+
+
 #-------------------------------------------------------------------------------
 def generate_mac_links (html, deviceUrl):