Merge pull request from GHSA-rrp4-2xx3-mv29

Security: fix vulnerability where `-database` parameter accepts arbitrary DSN strings
dm-2 2022-01-18 15:59:32 +00:00 committed by GitHub
commit 1f780ae973
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 7 additions and 1 deletions


@ -18,7 +18,7 @@ function build {
GOOS=$3 GOOS=$3
GOARCH=$4 GOARCH=$4
if ! go version | egrep -q 'go(1\.1[56])' ; then if ! go version | egrep -q 'go1\.(1[5-9]|[2-9][0-9]{1})' ; then
echo "go version must be 1.15 or above" echo "go version must be 1.15 or above"
exit 1 exit 1
fi fi
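Review bot: The new pattern `go1\.(1[5-9]|[2-9][0-9]{1})` still hard-codes major version 1 and a two-digit minor, so the "go version must be 1.15 or above" error will fire for any toolchain outside go1.15 to go1.99 even though it satisfies the stated requirement. The `{1}` quantifier is redundant and can be dropped. Comparing the parsed major and minor numbers would avoid revisiting this regex on later releases, and `grep -E` is the preferred spelling of the obsolescent `egrep`. The `build` function continues outside this hunk.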


@ -8,6 +8,7 @@ package main
import ( import (
"flag" "flag"
"fmt" "fmt"
"net/url"
"os" "os"
"os/signal" "os/signal"
"syscall" "syscall"
@ -188,6 +189,11 @@ func main() {
log.Fatalf("--database must be provided and database name must not be empty, or --alter must specify database name") log.Fatalf("--database must be provided and database name must not be empty, or --alter must specify database name")
} }
} }
if err := flag.Set("database", url.QueryEscape(migrationContext.DatabaseName)); err != nil {
migrationContext.Log.Fatale(err)
}
if migrationContext.OriginalTableName == "" { if migrationContext.OriginalTableName == "" {
if parser.HasExplicitTable() { if parser.HasExplicitTable() {
migrationContext.OriginalTableName = parser.GetExplicitTable() migrationContext.OriginalTableName = parser.GetExplicitTable()
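Review bot: The escaping is applied by writing the value back through `flag.Set("database", ...)`, so it only protects the DSN if the `database` flag is bound to `migrationContext.DatabaseName`, which is not visible in this hunk. If it is bound, every later non-DSN use of the name also sees the percent-encoded form. `url.QueryEscape` is form encoding (a space becomes `+`), so a legitimate name containing characters it rewrites may no longer match the real schema. Escaping where the DSN string is assembled, or rejecting names outside an allowlist of permitted characters up front, would keep the two uses separate. At minimum add a comment above the call, for example `// Escape the database name so it cannot introduce extra DSN components (GHSA-rrp4-2xx3-mv29).`; `main()` starts and ends outside this hunk.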