updated sql statements sanitize input

sartography · Oct 19, 2023 · 4f10907 · 4f10907
1 parent 8cfd49f
commit 4f10907
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
@@ -33,8 +33,9 @@
 from spiffworkflow_backend.routes.openid_blueprint import openid_blueprint
 from spiffworkflow_backend.services.user_service import UserService
 from sqlalchemy import and_
+from sqlalchemy import func
+from sqlalchemy import literal
 from sqlalchemy import or_
-from sqlalchemy import text
 
 
 @dataclass
@@ -111,10 +112,11 @@ def has_permission(cls, principals: list[PrincipalModel], permission: str, targe
             .join(PermissionTargetModel)
             .filter(
                 or_(
-                    text(f"'{target_uri_normalized}' LIKE permission_target.uri"),
+                    # found from https://stackoverflow.com/a/46783555
+                    literal(target_uri_normalized).like(PermissionTargetModel.uri),
                     # to check for exact matches as well
                     # see test_user_can_access_base_path_when_given_wildcard_permission unit test
-                    text(f"'{target_uri_normalized}' = replace(replace(permission_target.uri, '/%', ''), ':%', '')"),
+                    func.REPLACE(func.REPLACE(PermissionTargetModel.uri, "/%", ""), ":%", "") == target_uri_normalized,
                 )
             )
             .all()