Security: fix vulnerability where -database parameter accepts arbitrary DSN strings

This commit is contained in:
dm-2 2022-01-13 16:07:51 +00:00
parent e484824bbd
commit 83413c339e
2 changed files with 7 additions and 1 deletions

View File

@ -18,7 +18,7 @@ function build {
GOOS=$3
GOARCH=$4
if ! go version | egrep -q 'go(1\.1[56])' ; then
if ! go version | egrep -q 'go1\.(1[5-9]|[2-9][0-9]{1})' ; then
echo "go version must be 1.15 or above"
exit 1
fi

View File

@ -8,6 +8,7 @@ package main
import (
"flag"
"fmt"
"net/url"
"os"
"os/signal"
"syscall"
@ -188,6 +189,11 @@ func main() {
log.Fatalf("--database must be provided and database name must not be empty, or --alter must specify database name")
}
}
if err := flag.Set("database", url.QueryEscape(migrationContext.DatabaseName)); err != nil {
migrationContext.Log.Fatale(err)
}
if migrationContext.OriginalTableName == "" {
if parser.HasExplicitTable() {
migrationContext.OriginalTableName = parser.GetExplicitTable()