Module: tools Branch: master Commit: dc8da3cac05d6b1b5c98cdec6c086d97f27c6986 URL: https://source.winehq.org/git/tools.git/?a=commit;h=dc8da3cac05d6b1b5c98cdec...
Author: Francois Gouget fgouget@codeweavers.com Date: Fri Jun 3 19:21:44 2022 +0200
testbot/orm: Protect DBIBackend::LoadItem() from invalid keys.
Check that the requested key has the right number of parts to avoid a crash during the SQL execution.
Signed-off-by: Francois Gouget fgouget@codeweavers.com Signed-off-by: Alexandre Julliard julliard@winehq.org
---
testbot/lib/ObjectModel/DBIBackEnd.pm | 29 ++++++++++++++--------------- 1 file changed, 14 insertions(+), 15 deletions(-)
diff --git a/testbot/lib/ObjectModel/DBIBackEnd.pm b/testbot/lib/ObjectModel/DBIBackEnd.pm
index 07b838d..62332c1 100644
--- a/testbot/lib/ObjectModel/DBIBackEnd.pm
+++ b/testbot/lib/ObjectModel/DBIBackEnd.pm
@@ -169,22 +169,19 @@ sub BuildKeyWhere($$$)
 {
 my ($self, $PropertyDescriptors, $Where) = @_;
+ # Faster than join+map+grep
+ my $PartCount;
 foreach my $PropertyDescriptor (@{$PropertyDescriptors})
 {
- if ($PropertyDescriptor->GetIsKey())
+ next if (!$PropertyDescriptor->GetIsKey());
+ foreach my $ColName (@{$PropertyDescriptor->GetColNames()})
 {
- foreach my $ColName (@{$PropertyDescriptor->GetColNames()})
- {
- if ($Where ne "")
- {
- $Where .= " AND ";
- }
- $Where .= "$ColName = ?";
- }
+ $Where .= " AND " if ($Where ne "");
+ $Where .= "$ColName = ?";
+ $PartCount++;
 }
 }
-
- return $Where;
+ return ($PartCount, $Where);
 }
=pod
@@ -422,8 +419,10 @@ sub LoadItem($$$)
 $Where = join(" = ? AND ", @{$MasterColNames}) . " = ?";
 push @Data, @{$MasterColValues};
 }
- $Where = $self->BuildKeyWhere($Collection->GetPropertyDescriptors(), $Where);
- push @Data, $Collection->SplitKey($RequestedKey);
+ (my $PartCount, $Where) = $self->BuildKeyWhere($Collection->GetPropertyDescriptors(), $Where);
+ my @KeyParts = $Collection->SplitKey($RequestedKey);
+ return undef if ($PartCount != @KeyParts);
+ push @Data, @KeyParts;
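Review bot: `my $PartCount;` in BuildKeyWhere() is never initialised, so a descriptor list with no key columns returns undef as the part count. The LoadItem() hunk then evaluates `$PartCount != @KeyParts` on that undef, which raises an "uninitialized value" warning if the module enables warnings (not visible here) and gives the right answer only because undef numifies to 0. Declaring it as `my $PartCount = 0;` makes the count well defined for every input. The function now returns a two-element list rather than a string, so its POD (outside this hunk) should say so; a caller left in scalar context would presumably receive only `$Where` and never see the count.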
my $Query = "SELECT $Fields FROM " . $Collection->GetTableName();
 if ($Where ne "")
@@ -572,7 +571,7 @@ sub BuildUpdateStatement($$$$)
 {
 $Where = join(" = ? AND ", @{$MasterColNames}) . " = ?";
 }
- $Where = $self->BuildKeyWhere($PropertyDescriptors, $Where);
+ (my $_PartCount, $Where) = $self->BuildKeyWhere($PropertyDescriptors, $Where);
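Review bot: The new `return undef if ($PartCount != @KeyParts);` in LoadItem() rejects a malformed key without leaving any trace, so a caller cannot tell it apart from an item that does not exist, and repeated bad keys from a client would go unnoticed. A comment above the check would record the intent, for example `# A key with the wrong number of parts cannot match any row; treat it as not found instead of failing in the SQL execution`. If a logging helper is in scope in this module (not visible in the hunk), a debug-level message naming the collection would help when triaging unexpected requests. The values are still passed through `?` placeholders, so the check is about robustness rather than injection. LoadItem()'s body starts and ends outside the hunk.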
return "UPDATE $TableName SET $Fields WHERE $Where";
 }
@@ -713,7 +712,7 @@ sub DeleteItem($$)
 $Where = join(" = ? AND ", @{$MasterColNames}) . " = ?";
 push @Data, @{$MasterColValues};
 }
- $Where = $self->BuildKeyWhere($Item->GetPropertyDescriptors(), $Where);
+ (my $_PartCount, $Where) = $self->BuildKeyWhere($Item->GetPropertyDescriptors(), $Where);
 push @Data, $Item->GetKeyComponents();
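Review bot: `(my $_PartCount, $Where) = ...` declares a lexical that is never read, here in BuildUpdateStatement() and again in the DeleteItem() hunk that follows. Perl lets a list assignment discard an element directly, `(undef, $Where) = $self->BuildKeyWhere($PropertyDescriptors, $Where);`, which states the intent without a throwaway name. Both functions extend beyond their hunks.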
my $Statement = $self->GetDb()->prepare("DELETE FROM " .