authorFChannel <=>2021-01-18 04:41:21 -0800
committerFChannel <=>2021-01-18 04:41:21 -0800
commit8244af05eaa9f66df12095c76309b454bde525d7 (patch)
treeb96a62c2af1597ab77dbaf042c54e43c680b5bc1
parent78ccd8e434d24dccaeec0c1c6fb14f5c991bd567 (diff)
fixed sql injection vulnerabilities.
-rw-r--r--Database.go313
-rw-r--r--Follow.go33
-rw-r--r--OutboxPost.go5
-rw-r--r--main.go20
-rw-r--r--outboxGet.go11
-rw-r--r--verification.go83
6 files changed, 278 insertions, 187 deletions
diff --git a/Database.go b/Database.go
index ae8ee47..f7b011d 100644
--- a/Database.go
+++ b/Database.go
@@ -10,9 +10,10 @@ import "regexp"
func GetActorFromDB(db *sql.DB, id string) Actor {
var nActor Actor
-
- query := fmt.Sprintf("SELECT type, id, name, preferedusername, inbox, outbox, following, followers, restricted, summary from actor where id='%s'", id)
- rows, err := db.Query(query)
+
+ query :=`select type, id, name, preferedusername, inbox, outbox, following, followers, restricted, summary from actor where id=$1`
+
+ rows, err := db.Query(query, id)
if CheckError(err, "could not get actor from db query") != nil {
return nActor
@@ -31,17 +32,17 @@ func GetActorFromDB(db *sql.DB, id string) Actor {
func CreateNewBoardDB(db *sql.DB, actor Actor) Actor{
- query := fmt.Sprintf("INSERT INTO actor (type, id, name, preferedusername, inbox, outbox, following, followers, summary) values ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s')", actor.Type, actor.Id, actor.Name, actor.PreferredUsername, actor.Inbox, actor.Outbox, actor.Following, actor.Followers, actor.Summary)
+ query := `insert into actor (type, id, name, preferedusername, inbox, outbox, following, followers, summary) values ($1, $2, $3, $4, $5, $6, $7, $8, $9)`
- _, err := db.Exec(query)
+ _, err := db.Exec(query, actor.Type, actor.Id, actor.Name, actor.PreferredUsername, actor.Inbox, actor.Outbox, actor.Following, actor.Followers, actor.Summary)
if err != nil {
fmt.Println("board exists")
} else {
fmt.Println("board added")
- for _, e := range actor.AuthRequirement {
- query = fmt.Sprintf("INSERT INTO actorauth (type, board) values ('%s', '%s')", e, actor.Name)
- _, err := db.Exec(query)
+ for _, e := range actor.AuthRequirement {
+ query = `insert into actorauth (type, board) values ($1, $2)`
+ _, err := db.Exec(query, e, actor.Name)
CheckError(err, "auth exists")
}
@@ -91,9 +92,9 @@ func CreateNewBoardDB(db *sql.DB, actor Actor) Actor{
func GetBoards(db *sql.DB) []Actor {
var board []Actor
-
- query := fmt.Sprintf("select type, id, name, preferedusername, inbox, outbox, following, followers FROM actor")
+ query := `select type, id, name, preferedusername, inbox, outbox, following, followers FROM actor`
+
rows, err := db.Query(query)
CheckError(err, "could not get boards from db query")
@@ -145,8 +146,9 @@ func writeObjectToDB(db *sql.DB, obj ObjectBase) ObjectBase {
}
func WriteObjectUpdatesToDB(db *sql.DB, obj ObjectBase) {
- query := fmt.Sprintf("update activitystream set updated='%s' where id='%s'", time.Now().Format(time.RFC3339), obj.Id)
- _, e := db.Exec(query)
+ query := `update activitystream set updated=$1 where id=$2`
+
+ _, e := db.Exec(query, time.Now().Format(time.RFC3339), obj.Id)
if e != nil{
fmt.Println("error inserting updating inreplyto")
@@ -155,15 +157,15 @@ func WriteObjectUpdatesToDB(db *sql.DB, obj ObjectBase) {
}
func WriteObjectReplyToLocalDB(db *sql.DB, id string, replyto string) {
- query := fmt.Sprintf("insert into replies (id, inreplyto) values ('%s', '%s')", id, replyto)
+ query := `insert into replies (id, inreplyto) values ($1, $2)`
- _, err := db.Exec(query)
+ _, err := db.Exec(query, id, replyto)
CheckError(err, "Could not insert local reply query")
- query = fmt.Sprintf("select inreplyto from replies where id='%s'", replyto)
+ query = `select inreplyto from replies where id=$1`
- rows, err := db.Query(query)
+ rows, err := db.Query(query,replyto)
CheckError(err, "Could not query select inreplyto")
@@ -173,10 +175,10 @@ func WriteObjectReplyToLocalDB(db *sql.DB, id string, replyto string) {
var val string
rows.Scan(&val)
if val == "" {
- updated := time.Now().Format(time.RFC3339)
- query := fmt.Sprintf("update activitystream set updated='%s' where id='%s'", updated, replyto)
+ updated := time.Now().Format(time.RFC3339)
+ query := `update activitystream set updated=$1 where id=$2`
- _, err := db.Exec(query)
+ _, err := db.Exec(query, updated, replyto)
CheckError(err, "error with updating replyto updated at date")
}
@@ -186,8 +188,9 @@ func WriteObjectReplyToLocalDB(db *sql.DB, id string, replyto string) {
func writeObjectReplyToDB(db *sql.DB, obj ObjectBase) {
for i, e := range obj.InReplyTo {
if(i == 0 || IsReplyInThread(db, obj.InReplyTo[0].Id, e.Id)){
- query := fmt.Sprintf("insert into replies (id, inreplyto) values ('%s', '%s')", obj.Id, e.Id)
- _, err := db.Exec(query)
+ query := `insert into replies (id, inreplyto) values ($1, $2)`
+
+ _, err := db.Exec(query, obj.Id, e.Id)
if err != nil{
fmt.Println("error inserting replies")
@@ -214,14 +217,15 @@ func WriteWalletToDB(db *sql.DB, obj ObjectBase) {
for _, e := range obj.Option {
if e == "wallet" {
for _, e := range obj.Wallet {
- query := fmt.Sprintf("insert into wallet (id, type, address) values ('%s', '%s', '%s')", obj.Id ,e.Type, e.Address)
- _, err := db.Exec(query)
+ query := `insert into wallet (id, type, address) values ($1, $2, $3)`
+
+ _, err := db.Exec(query, obj.Id ,e.Type, e.Address)
CheckError(err, "error with write wallet query")
}
return
}
- }
+ }
}
func writeActivitytoDB(db *sql.DB, obj ObjectBase) {
@@ -229,10 +233,10 @@ func writeActivitytoDB(db *sql.DB, obj ObjectBase) {
obj.Name = EscapeString(obj.Name)
obj.Content = EscapeString(obj.Content)
obj.AttributedTo = EscapeString(obj.AttributedTo)
-
- query := fmt.Sprintf("insert into activitystream (id, type, name, content, published, updated, attributedto, actor) values ('%s', '%s', E'%s', E'%s', '%s', '%s', E'%s', '%s')", obj.Id ,obj.Type, obj.Name, obj.Content, obj.Published, obj.Updated, obj.AttributedTo, obj.Actor.Id)
- _, e := db.Exec(query)
+ query := `insert into activitystream (id, type, name, content, published, updated, attributedto, actor) values ($1, $2, $3, $4, $5, $6, $7, $8)`
+
+ _, e := db.Exec(query, obj.Id ,obj.Type, obj.Name, obj.Content, obj.Published, obj.Updated, obj.AttributedTo, obj.Actor.Id)
if e != nil{
fmt.Println("error inserting new activity")
@@ -245,10 +249,10 @@ func writeActivitytoDBWithAttachment(db *sql.DB, obj ObjectBase, attachment Obje
obj.Name = EscapeString(obj.Name)
obj.Content = EscapeString(obj.Content)
obj.AttributedTo = EscapeString(obj.AttributedTo)
-
- query := fmt.Sprintf("insert into activitystream (id, type, name, content, attachment, preview, published, updated, attributedto, actor) values ('%s', '%s', E'%s', E'%s', '%s', '%s', '%s', '%s', E'%s', '%s')", obj.Id ,obj.Type, obj.Name, obj.Content, attachment.Id, preview.Id, obj.Published, obj.Updated, obj.AttributedTo, obj.Actor.Id)
- _, e := db.Exec(query)
+ query := `insert into activitystream (id, type, name, content, attachment, preview, published, updated, attributedto, actor) values ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)`
+
+ _, e := db.Exec(query, obj.Id ,obj.Type, obj.Name, obj.Content, attachment.Id, preview.Id, obj.Published, obj.Updated, obj.AttributedTo, obj.Actor.Id)
if e != nil{
fmt.Println("error inserting new activity with attachment")
@@ -257,9 +261,9 @@ func writeActivitytoDBWithAttachment(db *sql.DB, obj ObjectBase, attachment Obje
}
func writeAttachmentToDB(db *sql.DB, obj ObjectBase) {
- query := fmt.Sprintf("insert into activitystream (id, type, name, href, published, updated, attributedTo, mediatype, size) values ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%d');", obj.Id ,obj.Type, obj.Name, obj.Href, obj.Published, obj.Updated, obj.AttributedTo, obj.MediaType, obj.Size)
+ query := `insert into activitystream (id, type, name, href, published, updated, attributedTo, mediatype, size) values ($1, $2, $3, $4, $5, $6, $7, $8, $9)`
- _, e := db.Exec(query)
+ _, e := db.Exec(query, obj.Id ,obj.Type, obj.Name, obj.Href, obj.Published, obj.Updated, obj.AttributedTo, obj.MediaType, obj.Size)
if e != nil{
fmt.Println("error inserting new attachment")
@@ -268,9 +272,9 @@ func writeAttachmentToDB(db *sql.DB, obj ObjectBase) {
}
func WritePreviewToDB(db *sql.DB, obj NestedObjectBase) {
- query := fmt.Sprintf("insert into activitystream (id, type, name, href, published, updated, attributedTo, mediatype, size) values ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%d');", obj.Id ,obj.Type, obj.Name, obj.Href, obj.Published, obj.Updated, obj.AttributedTo, obj.MediaType, obj.Size)
+ query := `insert into activitystream (id, type, name, href, published, updated, attributedTo, mediatype, size) values ($1, $2, $3, $4, $5, $6, $7, $8, $9)`
- _, e := db.Exec(query)
+ _, e := db.Exec(query, obj.Id ,obj.Type, obj.Name, obj.Href, obj.Published, obj.Updated, obj.AttributedTo, obj.MediaType, obj.Size)
if e != nil{
fmt.Println("error inserting new attachment")
@@ -282,9 +286,9 @@ func GetActivityFromDB(db *sql.DB, id string) Collection {
var nColl Collection
var result []ObjectBase
- query := fmt.Sprintf("SELECT actor, id, name, content, type, published, updated, attributedto, attachment, preview, actor FROM activitystream WHERE id='%s' ORDER BY updated asc;", id)
+ query := `select actor, id, name, content, type, published, updated, attributedto, attachment, preview, actor from activitystream where id=$1 order by updated asc`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, id)
CheckError(err, "error query object from db")
@@ -321,9 +325,9 @@ func GetObjectFromDB(db *sql.DB, actor Actor) Collection {
var nColl Collection
var result []ObjectBase
- query := fmt.Sprintf("SELECT id, name, content, type, published, updated, attributedto, attachment, preview, actor FROM activitystream WHERE actor='%s' AND id IN (SELECT id FROM replies WHERE inreplyto='') AND type='Note' ORDER BY updated asc;", actor.Id)
+ query := `select id, name, content, type, published, updated, attributedto, attachment, preview, actor from activitystream where actor=$1 and id in (select id from replies where inreplyto='') and type='Note' order by updated asc`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, actor.Id)
CheckError(err, "error query object from db")
@@ -359,9 +363,9 @@ func GetObjectFromDB(db *sql.DB, actor Actor) Collection {
func GetInReplyToDB(db *sql.DB, parent ObjectBase) []ObjectBase {
var result []ObjectBase
- query := fmt.Sprintf("SELECT inreplyto FROM replies WHERE id ='%s'", parent.Id)
+ query := `select inreplyto from replies where id =$1`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, parent.Id)
CheckError(err, "error with inreplyto db query")
@@ -382,10 +386,10 @@ func GetObjectRepliesDB(db *sql.DB, parent ObjectBase) *CollectionBase {
var nColl CollectionBase
var result []ObjectBase
-
- query := fmt.Sprintf("SELECT id, name, content, type, published, attributedto, attachment, preview, actor FROM activitystream WHERE id IN (SELECT id FROM replies WHERE inreplyto='%s') AND type='Note' ORDER BY published asc;", parent.Id)
- rows, err := db.Query(query)
+ query := `select id, name, content, type, published, attributedto, attachment, preview, actor from activitystream WHERE id in (select id from replies where inreplyto=$1) and type='Note' order by published asc`
+
+ rows, err := db.Query(query, parent.Id)
CheckError(err, "error with replies db query")
@@ -431,10 +435,10 @@ func GetObjectRepliesDB(db *sql.DB, parent ObjectBase) *CollectionBase {
func GetObjectRepliesRemote(db *sql.DB, parent ObjectBase) CollectionBase {
var nColl CollectionBase
- var result []ObjectBase
- query := fmt.Sprintf("select id from replies where id not in (select id from activitystream) and inreplyto='%s'", parent.Id)
+ var result []ObjectBase
+ query := `select id from replies where id not in (select id from activitystream) and inreplyto=$1`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, parent.Id)
CheckError(err, "could not get remote id query")
@@ -460,9 +464,9 @@ func GetObjectRepliesRepliesDB(db *sql.DB, parent ObjectBase) *CollectionBase {
var nColl CollectionBase
var result []ObjectBase
- query := fmt.Sprintf("SELECT id, name, content, type, published, attributedto, attachment, preview, actor FROM activitystream WHERE id IN (SELECT id FROM replies WHERE inreplyto='%s') AND type='Note' ORDER BY published asc;", parent.Id)
+ query := `select id, name, content, type, published, attributedto, attachment, preview, actor from activitystream where id in (select id from replies where inreplyto=$1) and type='Note' order by published asc`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, parent.Id)
CheckError(err, "error with replies replies db query")
@@ -506,36 +510,26 @@ func GetObjectRepliesDBCount(db *sql.DB, parent ObjectBase) (int, int) {
var countId int
var countImg int
+
+ query := `select count(id) from replies where inreplyto=$1 and id in (select id from activitystream where type='Note')`
- query := fmt.Sprintf("SELECT COUNT(id) FROM replies WHERE inreplyto ='%s' and id in (select id from activitystream where type='Note');", parent.Id)
-
- rows, err := db.Query(query)
+ rows, err := db.Query(query, parent.Id)
CheckError(err, "error with replies count db query")
defer rows.Close()
- for rows.Next() {
- err = rows.Scan(&countId)
-
- if err !=nil{
- fmt.Println("error with replies count db scan")
- }
- }
+ rows.Next()
+ rows.Scan(&countId)
- query = fmt.Sprintf("SELECT COUNT(attachment) FROM activitystream WHERE id IN (SELECT id FROM replies WHERE inreplyto ='%s') AND attachment != '';", parent.Id)
+ query = `select count(attachment) from activitystream where id in (select id from replies where inreplyto=$1) and attachment != ''`
- rows, err = db.Query(query)
+ rows, err = db.Query(query, parent.Id)
CheckError(err, "error with select attachment count db query")
defer rows.Close()
- for rows.Next() {
- err = rows.Scan(&countImg)
-
- if err !=nil{
- fmt.Println("error with replies count db scan")
- }
- }
+ rows.Next()
+ rows.Scan(&countImg)
return countId, countImg
}
@@ -543,10 +537,10 @@ func GetObjectRepliesDBCount(db *sql.DB, parent ObjectBase) (int, int) {
func GetObjectAttachment(db *sql.DB, id string) []ObjectBase {
var attachments []ObjectBase
-
- query := fmt.Sprintf("SELECT id, type, name, href, mediatype, size, published FROM activitystream WHERE id='%s'", id)
- rows, err := db.Query(query)
+ query := `select id, type, name, href, mediatype, size, published from activitystream where id=$1`
+
+ rows, err := db.Query(query, id)
CheckError(err, "could not select object attachment query")
@@ -569,10 +563,10 @@ func GetObjectAttachment(db *sql.DB, id string) []ObjectBase {
func GetObjectPreview(db *sql.DB, id string) *NestedObjectBase {
var preview NestedObjectBase
-
- query := fmt.Sprintf("SELECT id, type, name, href, mediatype, size, published FROM activitystream WHERE id='%s'", id)
- rows, err := db.Query(query)
+ query := `select id, type, name, href, mediatype, size, published from activitystream where id=$1`
+
+ rows, err := db.Query(query, id)
CheckError(err, "could not select object preview query")
@@ -587,9 +581,9 @@ func GetObjectPreview(db *sql.DB, id string) *NestedObjectBase {
func GetObjectPostsTotalDB(db *sql.DB, actor Actor) int{
count := 0
- query := fmt.Sprintf("SELECT COUNT(id) FROM activitystream WHERE actor='%s' AND id IN (SELECT id FROM replies WHERE inreplyto='' AND type='Note');", actor.Id)
+ query := `select count(id) from activitystream where actor=$1 and id in (select id from replies where inreplyto='' and type='Note')`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, actor.Id)
CheckError(err, "could not select post total count query")
@@ -605,9 +599,9 @@ func GetObjectPostsTotalDB(db *sql.DB, actor Actor) int{
func GetObjectImgsTotalDB(db *sql.DB, actor Actor) int{
count := 0
- query := fmt.Sprintf("SELECT COUNT(attachment) FROM activitystream WHERE actor='%s' AND id IN (SELECT id FROM replies WHERE inreplyto='' AND type='Note' );", actor.Id)
+ query := `select count(attachment) from activitystream where actor=$1 and id in (select id from replies where inreplyto='' and type='Note' )`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, actor.Id)
CheckError(err, "error with posts total db query")
@@ -622,11 +616,13 @@ func GetObjectImgsTotalDB(db *sql.DB, actor Actor) int{
}
-func DeleteAttachmentFromFile(db *sql.DB, id string) {
-
- var query = fmt.Sprintf("select href, type from activitystream where id in (select attachment from activitystream where id='%s')", id)
- rows, err := db.Query(query)
+func DeletePreviewFromFile(db *sql.DB, id string) {
+
+ var query = `select href, type from activitystream where id in (select preview from activitystream where id=$1)`
+ // var query = fmt.Sprintf("select href, type from activitystream where id in (select attachment from activitystream where id='%s')", id)
+
+ rows, err := db.Query(query, id)
CheckError(err, "error query delete attachment")
@@ -635,13 +631,13 @@ func DeleteAttachmentFromFile(db *sql.DB, id string) {
var href string
var _type string
err := rows.Scan(&href, &_type)
+ fmt.Println(href)
href = strings.Replace(href, Domain + "/", "", 1)
-
+ fmt.Println(href)
CheckError(err, "error scanning delete attachment")
if _type != "Tombstone" {
_, err = os.Stat(href)
- CheckError(err, "err removing file from system")
if err == nil {
os.Remove(href)
}
@@ -649,14 +645,65 @@ func DeleteAttachmentFromFile(db *sql.DB, id string) {
}
+ DeletePreviewFromDB(db, id)
+}
+
+func DeleteAttachmentFromFile(db *sql.DB, id string) {
+
+ var query = `select href, type from activitystream where id in (select attachment from activitystream where id=$1)`
+ // var query = fmt.Sprintf("select href, type from activitystream where id in (select attachment from activitystream where id='%s')", id)
+
+ rows, err := db.Query(query, id)
+
+ CheckError(err, "error query delete attachment")
+
+ defer rows.Close()
+ for rows.Next() {
+ var href string
+ var _type string
+
+ err := rows.Scan(&href, &_type)
+ href = strings.Replace(href, Domain + "/", "", 1)
+
+ CheckError(err, "error scanning delete preview")
+
+ if _type != "Tombstone" {
+ _, err = os.Stat(href)
+ if err == nil {
+ os.Remove(href)
+ }
+ }
+ }
+
DeleteAttachmentFromDB(db, id)
}
+func DeletePreviewRepliesFromDB(db *sql.DB, id string) {
+ var query = `select id from activitystream where id in (select id from replies where inreplyto=$1)`
+ // var query = fmt.Sprintf("select id from activitystream where id (select id from replies where inreplyto='%s');", id)
+
+ rows, err := db.Query(query, id)
+
+ CheckError(err, "error query delete preview replies")
+
+ defer rows.Close()
+ for rows.Next() {
+ var attachment string
+
+ err := rows.Scan(&attachment)
+
+ CheckError(err, "error scanning delete preview")
+
+ DeletePreviewFromFile(db, attachment)
+ }
+}
+
func DeleteAttachmentRepliesFromDB(db *sql.DB, id string) {
- var query = fmt.Sprintf("select id from activitystream where id (select id from replies where inreplyto='%s');", id)
+ var query = `select id from activitystream where id in (select id from replies where inreplyto=$1)`
+ // var query = fmt.Sprintf("select id from activitystream where id (select id from replies where inreplyto='%s');", id)
- rows, err := db.Query(query)
+ rows, err := db.Query(query, id)
CheckError(err, "error query delete attachment replies")
@@ -676,29 +723,61 @@ func DeleteAttachmentRepliesFromDB(db *sql.DB, id string) {
func DeleteAttachmentFromDB(db *sql.DB, id string) {
datetime := time.Now().Format(time.RFC3339)
- var query = fmt.Sprintf("update activitystream set type='Tombstone', mediatype='image/png', href='%s', name='', content='', attributedto='deleted', updated='%s', deleted='%s' where id in (select attachment from activitystream where id='%s');", Domain + "/public/removed.png", datetime, datetime, id)
+ var query = `update activitystream set type='Tombstone', mediatype='image/png', href=$1, name='', content='', attributedto='deleted', updated=$2, deleted=$3 where id in (select attachment from activitystream where id=$4)`
+ // var query = fmt.Sprintf("update activitystream set type='Tombstone', mediatype='image/png', href='%s', name='', content='', attributedto='deleted', updated='%s', deleted='%s' where id in (select attachment from activitystream where id='%s');", Domain + "/public/removed.png", datetime, datetime, id)
- _, err := db.Exec(query)
+ _, err := db.Exec(query, Domain + "/public/removed.png", datetime, datetime, id)
CheckError(err, "error with delete attachment")
}
+func DeletePreviewFromDB(db *sql.DB, id string) {
+ datetime := time.Now().Format(time.RFC3339)
+
+ var query = `update activitystream set type='Tombstone', mediatype='image/png', href=$1, name='', content='', attributedto='deleted', updated=$2, deleted=$3 where id in (select preview from activitystream where id=$4)`
+ // var query = fmt.Sprintf("update activitystream set type='Tombstone', mediatype='image/png', href='%s', name='', content='', attributedto='deleted', updated='%s', deleted='%s' where id in (select attachment from activitystream where id='%s');", Domain + "/public/removed.png", datetime, datetime, id)
+
+ _, err := db.Exec(query, Domain + "/public/removed.png", datetime, datetime, id)
+
+ CheckError(err, "error with delete preview")
+}
+
+func DeleteObjectRepliedTo(db *sql.DB, id string){
+ query := `delete from replies where id=$1`
+ _, err := db.Exec(query, id)
+
+ CheckError(err, "error with delete object replies")
+}
+
func DeleteObjectFromDB(db *sql.DB, id string) {
datetime := time.Now().Format(time.RFC3339)
- var query = fmt.Sprintf("update activitystream set type='Tombstone', name='', content='', attributedto='deleted', updated='%s', deleted='%s' where id='%s';", datetime, datetime, id)
+ var query = `update activitystream set type='Tombstone', name='', content='', attributedto='deleted', updated=$1, deleted=$2 where id=$3`
+ // var query = fmt.Sprintf("update activitystream set type='Tombstone', name='', content='', attributedto='deleted', updated='%s', deleted='%s' where id='%s';", datetime, datetime, id)
- _, err := db.Exec(query)
+ _, err := db.Exec(query, datetime, datetime, id)
- CheckError(err, "error with delete object")
+ CheckError(err, "error with delete object")
+ DeleteObjectsInReplyTo(db, id)
+ DeleteObjectRepliedTo(db, id)
+}
+
+func DeleteObjectsInReplyTo(db *sql.DB, id string) {
+ query := `delete from replies where id in (select id from replies where inreplyto=$1)`
+
+ _, err := db.Exec(query, id)
+
+ CheckError(err, "error with delete object replies to")
}
func DeleteObjectRepliesFromDB(db *sql.DB, id string) {
- datetime := time.Now().Format(time.RFC3339)
- var query = fmt.Sprintf("update activitystream set type='Tombstone', name='', content='', attributedto='deleted' updated='%s', deleted='%s' where id in (select id from replies where inreplyto='%s');", datetime, datetime, id)
+ datetime := time.Now().Format(time.RFC3339)
+
+ var query = `update activitystream set type='Tombstone', name='', content='', attributedto='deleted', updated=$1, deleted=$2 where id in (select id from replies where inreplyto=$3)`
+ // var query = fmt.Sprintf("update activitystream set type='Tombstone', name='', content='', attributedto='deleted' updated='%s', deleted='%s' where id in (select id from replies where inreplyto='%s');", datetime, datetime, id)
- _, err := db.Exec(query)
- CheckError(err, "error with delete object replies")
+ _, err := db.Exec(query, datetime, datetime, id)
+ CheckError(err, "error with delete object replies")
}
func DeleteObject(db *sql.DB, id string) {
@@ -706,10 +785,12 @@ func DeleteObject(db *sql.DB, id string) {
if(!IsIDLocal(db, id)) {
return
}
-
- DeleteObjectFromDB(db, id)
+
+
DeleteReportActivity(db, id)
- DeleteAttachmentFromFile(db, id)
+ DeleteAttachmentFromFile(db, id)
+ DeletePreviewFromFile(db, id)
+ DeleteObjectFromDB(db, id)
}
func DeleteObjectAndReplies(db *sql.DB, id string) {
@@ -717,16 +798,19 @@ func DeleteObjectAndReplies(db *sql.DB, id string) {
if(!IsIDLocal(db, id)) {
return
}
-
- DeleteObjectFromDB(db, id)
+
DeleteReportActivity(db, id)
- DeleteAttachmentFromFile(db, id)
+ DeleteAttachmentFromFile(db, id)
+ DeletePreviewFromFile(db, id)
DeleteObjectRepliesFromDB(db, id)
DeleteAttachmentRepliesFromDB(db, id)
+ DeletePreviewRepliesFromDB(db, id)
+ DeleteObjectFromDB(db, id)
}
func GetRandomCaptcha(db *sql.DB) string{
- query := fmt.Sprintf("select identifier from verification where type='captcha' order by random() limit 1")
+ query := `select identifier from verification where type='captcha' order by random() limit 1`
+
rows, err := db.Query(query)
CheckError(err, "could not get captcha")
@@ -744,7 +828,8 @@ func GetRandomCaptcha(db *sql.DB) string{
}
func GetCaptchaTotal(db *sql.DB) int{
- query := fmt.Sprintf("select count(*) from verification where type='captcha'")
+ query := `select count(*) from verification where type='captcha'`
+
rows, err := db.Query(query)
CheckError(err, "could not get query captcha total")
@@ -762,9 +847,10 @@ func GetCaptchaTotal(db *sql.DB) int{
}
func GetCaptchaCodeDB(db *sql.DB, verify string) string {
-
- query := fmt.Sprintf("select code from verification where identifier='%s' limit 1", verify)
- rows, err := db.Query(query)
+
+ query := `select code from verification where identifier=$1 limit 1`
+
+ rows, err := db.Query(query, verify)
CheckError(err, "could not get captcha verifciation")
@@ -781,9 +867,9 @@ func GetCaptchaCodeDB(db *sql.DB, verify string) string {
}
func GetActorAuth(db *sql.DB, actor string) []string {
- query := fmt.Sprintf("select type from actorauth where board='%s'", actor)
+ query := `select type from actorauth where board=$1`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, actor)
CheckError(err, "could not get actor auth")
@@ -804,9 +890,9 @@ func GetActorAuth(db *sql.DB, actor string) []string {
}
func DeleteCaptchaCodeDB(db *sql.DB, verify string) {
- query := fmt.Sprintf("delete from verification where identifier='%s'", verify)
+ query := `delete from verification where identifier=$1`
- _, err := db.Exec(query);
+ _, err := db.Exec(query, verify)
CheckError(err, "could not delete captcah code db")
@@ -818,15 +904,14 @@ func EscapeString(text string) string {
text = re.ReplaceAllString(text, "I love black people")
re = regexp.MustCompile("(?i)(n)+(\\s+)?(i)+(\\s+)?(g)(\\s+)?(g)+(\\s+)?")
text = re.ReplaceAllString(text, "I love black people")
- text = strings.Replace(text, "'", `''`, -1)
text = strings.Replace(text, "<", "&lt;", -1)
return text
}
func GetActorReportedTotal(db *sql.DB, id string) int {
- query := fmt.Sprintf("select count(id) from reported where board='%s'", id)
+ query := `select count(id) from reported where board=$1`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, id)
CheckError(err, "error getting actor reported total query")
@@ -843,9 +928,9 @@ func GetActorReportedTotal(db *sql.DB, id string) int {
func GetActorReportedDB(db *sql.DB, id string) []ObjectBase {
var nObj []ObjectBase
- query := fmt.Sprintf("select id, count from reported where board='%s'", id)
+ query := `select id, count from reported where board=$1`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, id)
CheckError(err, "error getting actor reported query")
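Review bot: DeletePreviewFromFile (L298–L323) and the re-added DeleteAttachmentFromFile (L325–L353) hand `href`, a value read back from the activitystream table, to `os.Stat`/`os.Remove` after only stripping `Domain + "/"`, so nothing confines the resulting path to the served media directory (`./public` per main.go) and a stored href pointing elsewhere on disk would be removed. Before the Stat, clean the path and require the expected prefix — `href = filepath.Clean(strings.Replace(href, Domain+"/", "", 1))` followed by `if !strings.HasPrefix(href, "public/") { continue }` (the prefix presumably matches the `/public/removed.png` href used at L388; add the `path/filepath` import if the file lacks it) — and check the `os.Remove` error rather than discarding it. The `fmt.Println(href)` lines added at L309 and L312 look like leftover debugging output and should be dropped. The commented-out `fmt.Sprintf` queries left at L301, L328, L356, L377, L386, L395, L413 and L435 are dead code, and at L301 and L395 they name the attachment column while the live query selects preview, so they mislead; delete them. GetObjectRepliesDBCount (L237–L238, L252–L253) now ignores the `rows.Next()` result and the `rows.Scan` error that the removed loop reported, so a failed query silently yields zero counts — keep `if err := rows.Scan(&countId); err != nil { fmt.Println("error with replies count db scan") }` and the same for `countImg`.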
diff --git a/Follow.go b/Follow.go
index 475417b..8fc6200 100644
--- a/Follow.go
+++ b/Follow.go
@@ -1,6 +1,5 @@
package main
-import "fmt"
import "net/http"
import "database/sql"
import _ "github.com/lib/pq"
@@ -44,10 +43,10 @@ func SetActorFollowDB(db *sql.DB, activity Activity, actor string) Activity {
}
}
if alreadyFollow {
- query = fmt.Sprintf("delete from following where id='%s' and following='%s'", activity.Actor.Id, activity.Object.Id)
+ query = `delete from following where id=$1 and following=$2`
activity.Summary = activity.Actor.Id + " Unfollow " + activity.Object.Id
} else {
- query = fmt.Sprintf("insert into following (id, following) values ('%s', '%s')", activity.Actor.Id, activity.Object.Id)
+ query = `insert into following (id, following) values ($1, $2)`
activity.Summary = activity.Actor.Id + " Follow " + activity.Object.Id
}
} else {
@@ -57,15 +56,15 @@ func SetActorFollowDB(db *sql.DB, activity Activity, actor string) Activity {
}
}
if alreadyFollow {
- query = fmt.Sprintf("delete from follower where id='%s' and follower='%s'", activity.Object.Id, activity.Actor.Id)
+ query = `delete from follower where id=$1 and follower=$2`
activity.Summary = activity.Actor.Id + " Unfollow " + activity.Object.Id
} else {
- query = fmt.Sprintf("insert into follower (id, follower) values ('%s', '%s')", activity.Object.Id, activity.Actor.Id)
+ query = `insert into follower (id, follower) values ($1, $2)`
activity.Summary = activity.Actor.Id + " Follow " + activity.Object.Id
}
}
- _, err := db.Exec(query)
+ _, err := db.Exec(query, activity.Actor.Id, activity.Object.Id)
CheckError(err, "error with follow db insert/delete")
@@ -76,9 +75,9 @@ func GetActorFollowDB(db *sql.DB, id string) ([]ObjectBase, []ObjectBase) {
var followingCollection []ObjectBase
var followerCollection []ObjectBase
- query := fmt.Sprintf("SELECT following FROM following WHERE id='%s'", id)
+ query := `select following from following where id=$1`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, id)
CheckError(err, "error with following db query")
@@ -94,9 +93,9 @@ func GetActorFollowDB(db *sql.DB, id string) ([]ObjectBase, []ObjectBase) {
followingCollection = append(followingCollection, obj)
}
- query = fmt.Sprintf("SELECT follower FROM follower WHERE id='%s'", id)
+ query = `select follower from follower where id=$1`
- rows, err = db.Query(query)
+ rows, err = db.Query(query, id)
CheckError(err, "error with followers db query")
@@ -119,9 +118,9 @@ func GetActorFollowTotal(db *sql.DB, id string) (int, int) {
var following int
var followers int
- query := fmt.Sprintf("SELECT COUNT(following) FROM following WHERE id='%s'", id)
+ query := `select count(following) from following where id=$1`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, id)
CheckError(err, "error with following total db query")
@@ -133,9 +132,9 @@ func GetActorFollowTotal(db *sql.DB, id string) (int, int) {
CheckError(err, "error with following total db scan")
}
- query = fmt.Sprintf("SELECT COUNT(follower) FROM follower WHERE id='%s'", id)
+ query = `select count(follower) from follower where id=$1`
- rows, err = db.Query(query)
+ rows, err = db.Query(query, id)
CheckError(err, "error with followers total db query")
@@ -202,14 +201,14 @@ func SetActorFollowingDB(db *sql.DB, activity Activity) Activity{
}
if alreadyFollow {
- query = fmt.Sprintf("delete from follower where id='%s' and follower='%s'", activity.Object.Id, activity.Actor.Id)
+ query = `delete from follower where id=$1 and follower=$2`
activity.Summary = activity.Actor.Id + " Unfollow " + activity.Object.Id
} else {
- query = fmt.Sprintf("insert into follower (id, follower) values ('%s', '%s')", activity.Object.Id, activity.Actor.Id)
+ query = `insert into follower (id, follower) values ($1, $2)`
activity.Summary = activity.Actor.Id + " Follow " + activity.Object.Id
}
- _, err := db.Exec(query)
+ _, err := db.Exec(query, activity.Object.Id, activity.Actor.Id)
if err != nil {
CheckError(err, "error with follow db insert/delete")
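Review bot: In SetActorFollowDB the single `db.Exec(query, activity.Actor.Id, activity.Object.Id)` at L573 binds the same argument order for both branches, but the follower-table branch (L562–L570) previously passed `activity.Object.Id, activity.Actor.Id` (L563, L567), so after this change `delete from follower where id=$1 and follower=$2` and the matching insert have id and follower swapped relative to the old behaviour and to SetActorFollowingDB at L619. Collect the bound values per branch instead: declare `var arg1, arg2 string` next to `query`, set `arg1, arg2 = activity.Actor.Id, activity.Object.Id` in the following branch and `arg1, arg2 = activity.Object.Id, activity.Actor.Id` in the follower branch, then call `_, err := db.Exec(query, arg1, arg2)`. The function and the `query` declaration start outside the hunk, so the declaration site is not visible here.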
diff --git a/OutboxPost.go b/OutboxPost.go
index 9d39eff..dacf77e 100644
--- a/OutboxPost.go
+++ b/OutboxPost.go
@@ -107,10 +107,12 @@ func ParseOutboxRequest(w http.ResponseWriter, r *http.Request, db *sql.DB) {
verification := GetVerificationByCode(db, activity.Auth)
var rActivity Activity
-
+ fmt.Println("ok")
if validActor && validLocalActor && verification.Board == activity.Actor.Id || verification.Board == Domain {
+ fmt.Println("yes")
rActivity = AcceptFollow(activity, actor)
} else {
+ fmt.Println("no")
rActivity = RejectFollow(activity, actor)
rActivity.Summary = "No valid actor or Actor is not located here"
}
@@ -506,7 +508,6 @@ func CheckCaptcha(db *sql.DB, captcha string) bool {
func ParseInboxRequest(w http.ResponseWriter, r *http.Request, db *sql.DB) {
activity := GetActivityFromJson(r, db)
-
switch(activity.Type) {
case "Create":
for _, e := range activity.Object.InReplyTo {
diff --git a/main.go b/main.go
index 9de7e60..efc0b38 100644
--- a/main.go
+++ b/main.go
@@ -52,7 +52,8 @@ func main() {
if GetConfigValue("instancename") != "" {
CreateNewBoardDB(db, *CreateNewActor("", GetConfigValue("instancename"), GetConfigValue("instancesummary"), authReq, false))
}
-
+
+ CreateNewBoardDB(db, *CreateNewActor("m", "me", "me so go go", authReq, false))
// Allow access to public media folder
fileServer := http.FileServer(http.Dir("./public"))
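Review bot: The new `CreateNewBoardDB(db, *CreateNewActor("m", "me", "me so go go", authReq, false))` call runs unconditionally on every start of main and creates a hard-coded board "m"; this reads like a local test artifact rather than intended behaviour. If a default board is wanted it should be gated the same way as the `instancename` block just above it, otherwise the line should be removed. main continues outside the hunk.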
@@ -219,8 +220,15 @@ func main() {
return
}
- id := values
- DeleteObject(db, id)
+ var obj ObjectBase
+ obj.Id = values
+
+ count, _ := GetObjectRepliesDBCount(db, obj)
+ if count == 0 {
+ DeleteObject(db, obj.Id)
+ } else {
+ DeleteObjectAndReplies(db, obj.Id)
+ }
w.Write([]byte(""))
})
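Review bot: `count, _ := GetObjectRepliesDBCount(db, obj)` discards the error, so a failed count query yields count 0 and the handler falls into the `DeleteObject` branch, deleting a post that may still have replies. Check the error before deciding: `count, err := GetObjectRepliesDBCount(db, obj)` followed by `if err != nil { w.WriteHeader(http.StatusInternalServerError); return }`. The handler closure this sits in starts outside the hunk, so I cannot see how `values` is validated before it is assigned to `obj.Id`.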
@@ -248,6 +256,7 @@ func main() {
id := values
DeleteAttachmentFromFile(db, id)
+ DeletePreviewFromFile(db, id)
w.Write([]byte(""))
})
@@ -258,7 +267,6 @@ func main() {
header := r.Header.Get("Authorization")
auth := strings.Split(header, " ")
-
if close == "1" {
if !IsIDLocal(db, id) || len(auth) < 2 {
w.WriteHeader(http.StatusBadRequest)
@@ -266,6 +274,8 @@ func main() {
return
}
+
+
actor := GetActorFromPath(db, id, "/")
if !HasAuth(db, auth[1], actor.Id) {
@@ -584,7 +594,7 @@ func CreatePreviewObject(obj ObjectBase) *NestedObjectBase {
objFile := re.FindString(obj.Href)
- cmd := exec.Command("convert", "." + objFile ,"-resize", "250x250", "." + href)
+ cmd := exec.Command("convert", "." + objFile ,"-resize", "250x250>", "." + href)
err := cmd.Run()
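Review bot: The `>` appended to the geometry in `exec.Command("convert", ..., "250x250>", ...)` changes semantics in a way worth documenting, since it is easy to mistake for a typo: it makes convert shrink only images larger than 250x250 and never upscale smaller ones. A comment such as `// ">" only shrinks images larger than 250x250; smaller previews are left at their original size` on that line would save the next reader a trip to the ImageMagick docs. CreatePreviewObject starts before and continues after this hunk.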
diff --git a/outboxGet.go b/outboxGet.go
index 1747165..665ca05 100644
--- a/outboxGet.go
+++ b/outboxGet.go
@@ -1,6 +1,5 @@
package main
-import "fmt"
import "net/http"
import "database/sql"
import _ "github.com/lib/pq"
@@ -17,7 +16,7 @@ func GetActorOutbox(w http.ResponseWriter, r *http.Request, db *sql.DB) {
collection.Actor = actor.Id
collection.TotalItems = GetObjectPostsTotalDB(db, actor)
- collection.TotalImgs = GetObjectImgsTotalDB(db, actor)
+ collection.TotalImgs = GetObjectImgsTotalDB(db, actor)
enc, _ := json.MarshalIndent(collection, "", "\t")
w.Header().Set("Content-Type", "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"")
@@ -47,9 +46,9 @@ func GetCollectionFromPath(db *sql.DB, path string) Collection {
var nColl Collection
var result []ObjectBase
- query := fmt.Sprintf("SELECT id, name, content, type, published, attributedto, attachment, preview, actor FROM activitystream WHERE id='%s' ORDER BY published desc;", path)
+ query := `select id, name, content, type, published, attributedto, attachment, preview, actor from activitystream where id=$1 order by published desc`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, path)
CheckError(err, "error query collection path from db")
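Review bot: The query literal introduced here in GetCollectionFromPath is byte-identical to the one added in GetObjectFromPath in the next hunk; keeping two copies invites them to drift. Hoisting it to a package-level `const activityStreamByIDQuery = ...` and referencing it from both functions would keep a single source of truth for the column list that the two Scan calls depend on. Both functions continue outside their hunks.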
@@ -92,9 +91,9 @@ func GetObjectFromPath(db *sql.DB, path string) ObjectBase{
var nObj ObjectBase
var result []ObjectBase
- query := fmt.Sprintf("SELECT id, name, content, type, published, attributedto, attachment, preview, actor FROM activitystream WHERE id='%s' ORDER BY published desc;", path)
+ query := `select id, name, content, type, published, attributedto, attachment, preview, actor from activitystream where id=$1 order by published desc`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, path)
CheckError(err, "error query collection path from db")
diff --git a/verification.go b/verification.go
index c8d46be..b1ebe13 100644
--- a/verification.go
+++ b/verification.go
@@ -24,9 +24,9 @@ type VerifyCooldown struct {
}
func DeleteBoardMod(db *sql.DB, verify Verify) {
- query := fmt.Sprintf("select code from boardaccess where identifier='%s' and board='%s'", verify.Identifier, verify.Board)
+ query := `select code from boardaccess where identifier=$1 and board=$1`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, verify.Identifier, verify.Board)
CheckError(err, "could not select code from boardaccess")
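Review bot: The new query in DeleteBoardMod uses `$1` for both predicates, `identifier=$1 and board=$1`, while two arguments are passed to `db.Query`; Postgres will reject the bind with a parameter-count mismatch, so the select fails on every call. It should be `query := \`select code from boardaccess where identifier=$1 and board=$2\``. Since `CheckError` only reports the error, `rows` is left nil and the row loop that follows (outside this hunk) would dereference it.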
@@ -37,16 +37,15 @@ func DeleteBoardMod(db *sql.DB, verify Verify) {
rows.Scan(&code)
if code != "" {
- query := fmt.Sprintf("delete from crossverification where code='%s'", code)
-
-
- _, err := db.Exec(query)
+ query := `delete from crossverification where code=$1`
+
+ _, err := db.Exec(query, code)
CheckError(err, "could not delete code from crossverification")
- query = fmt.Sprintf("delete from boardaccess where identifier='%s' and board='%s'", verify.Identifier, verify.Board)
+ query = `delete from boardaccess where identifier=$1 and board=$2`
- _, err = db.Exec(query)
+ _, err = db.Exec(query, verify.Identifier, verify.Board)
CheckError(err, "could not delete identifier from boardaccess")
}
@@ -55,9 +54,9 @@ func DeleteBoardMod(db *sql.DB, verify Verify) {
func GetBoardMod(db *sql.DB, identifier string) Verify{
var nVerify Verify
- query := fmt.Sprintf("select code, board, type, identifier from boardaccess where identifier='%s'", identifier)
+ query := `select code, board, type, identifier from boardaccess where identifier=$1`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, identifier)
CheckError(err, "could not select boardaccess query")
@@ -72,9 +71,9 @@ func GetBoardMod(db *sql.DB, identifier string) Verify{
func CreateBoardMod(db *sql.DB, verify Verify) {
pass := CreateKey(50)
- query := fmt.Sprintf("select code from verification where identifier='%s' and type='%s'", verify.Board, verify.Type)
+ query := `select code from verification where identifier=$1 and type=$2`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, verify.Board, verify.Type)
CheckError(err, "could not select verifcaiton query")
@@ -87,9 +86,9 @@ func CreateBoardMod(db *sql.DB, verify Verify) {
if code != "" {
- query := fmt.Sprintf("select identifier from boardaccess where identifier='%s' and board='%s'", verify.Identifier, verify.Board)
+ query := `select identifier from boardaccess where identifier=$1 and board=$2`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, verify.Identifier, verify.Board)
CheckError(err, "could not select idenifier from boardaccess")
@@ -101,15 +100,15 @@ func CreateBoardMod(db *sql.DB, verify Verify) {
if ident != verify.Identifier {
- query := fmt.Sprintf("insert into crossverification (verificationcode, code) values ('%s', '%s')", code, pass)
+ query := `insert into crossverification (verificationcode, code) values ($1, $2)`
- _, err := db.Exec(query)
+ _, err := db.Exec(query, code, pass)
CheckError(err, "could not insert new crossverification")
- query = fmt.Sprintf("insert into boardaccess (identifier, code, board, type) values ('%s', '%s', '%s', '%s')", verify.Identifier, pass, verify.Board, verify.Type)
+ query = `insert into boardaccess (identifier, code, board, type) values ($1, $2, $3, $4)`
- _, err = db.Exec(query)
+ _, err = db.Exec(query, verify.Identifier, pass, verify.Board, verify.Type)
CheckError(err, "could not insert new boardaccess")
@@ -119,9 +118,9 @@ func CreateBoardMod(db *sql.DB, verify Verify) {
}
func CreateVerification(db *sql.DB, verify Verify) {
- query := fmt.Sprintf("insert into verification (type, identifier, code, created) values ('%s', '%s', '%s', '%s') ", verify.Type, verify.Identifier, verify.Code, time.Now().Format(time.RFC3339))
+ query := `insert into verification (type, identifier, code, created) values ($1, $2, $3, $4)`
- _, err := db.Exec(query)
+ _, err := db.Exec(query, verify.Type, verify.Identifier, verify.Code, time.Now().Format(time.RFC3339))
CheckError(err, "error creating verify")
}
@@ -129,9 +128,9 @@ func CreateVerification(db *sql.DB, verify Verify) {
func GetVerificationByEmail(db *sql.DB, email string) Verify {
var verify Verify
- query := fmt.Sprintf("select type, identifier, code, board from boardaccess where identifier='%s';", email)
+ query := `select type, identifier, code, board from boardaccess where identifier=$1`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, email)
defer rows.Close()
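Review bot: In GetVerificationByEmail `defer rows.Close()` is registered before `err` from `db.Query` is examined; when the query fails `rows` is nil and the deferred Close dereferences a nil `*sql.Rows` at function return. The same ordering appears in GetVerificationByCode (the next hunk), twice in VerifyCooldownCurrent and in HasBoardAccess at the end of the file. Check first, then defer: `if err != nil { return verify }` on the line before `defer rows.Close()`. The functions continue outside their hunks.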
@@ -151,9 +150,9 @@ func GetVerificationByEmail(db *sql.DB, email string) Verify {
func GetVerificationByCode(db *sql.DB, code string) Verify {
var verify Verify
- query := fmt.Sprintf("select type, identifier, code, board from boardaccess where code='%s';", code)
+ query := `select type, identifier, code, board from boardaccess where code=$1`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, code)
defer rows.Close()
@@ -173,18 +172,18 @@ func GetVerificationByCode(db *sql.DB, code string) Verify {
func VerifyCooldownCurrent(db *sql.DB, auth string) VerifyCooldown {
var current VerifyCooldown
-
- query := fmt.Sprintf("select identifier, code, time from verificationcooldown where code='%s'", auth)
- rows, err := db.Query(query)
+ query := `select identifier, code, time from verificationcooldown where code=$1`
+
+ rows, err := db.Query(query, auth)
defer rows.Close()
if err != nil {
- query := fmt.Sprintf("select identifier, code, time from verificationcooldown where identifier='%s'", auth)
+ query := `select identifier, code, time from verificationcooldown where identifier=$1`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, auth)
defer rows.Close()
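Review bot: The fallback in VerifyCooldownCurrent re-queries by identifier only `if err != nil`, but `db.Query` returns a nil error when the code matches no rows — it fails only on a real database error — so, if the intent is "try code, then identifier", the second lookup presumably never runs for a simple miss. The decision should be driven by whether `rows.Next()` yields a row rather than by `err`, and the inner `rows, err :=` shadows the outer pair and registers a second deferred Close on a possibly nil value. The rest of the function is outside the hunk, so I cannot confirm how the result is consumed.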
@@ -213,16 +212,16 @@ func VerifyCooldownCurrent(db *sql.DB, auth string) VerifyCooldown {
}
func VerifyCooldownAdd(db *sql.DB, verify Verify) {
- query := fmt.Sprintf("insert into verficationcooldown (identifier, code) values ('%s', '%s');", verify.Identifier, verify.Code)
+ query := `insert into verficationcooldown (identifier, code) values ($1, $2)`
- _, err := db.Exec(query)
+ _, err := db.Exec(query, verify.Identifier, verify.Code)
CheckError(err, "error adding verify to cooldown")
}
func VerficationCooldown(db *sql.DB) {
-
- query := fmt.Sprintf("select identifier, code, time from verificationcooldown")
+
+ query := `select identifier, code, time from verificationcooldown`
rows, err := db.Query(query)
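Review bot: The insert in VerifyCooldownAdd targets `verficationcooldown`, while the select in VerficationCooldown and the delete in VerficationCooldownRemove use `verificationcooldown`; the commit carries the spelling over, and if the schema table is the latter the insert fails on every call with only a logged error. The line should read `query := \`insert into verificationcooldown (identifier, code) values ($1, $2)\``. The schema is not visible here, so please confirm the real table name.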
@@ -240,9 +239,9 @@ func VerficationCooldown(db *sql.DB) {
nTime := verify.Time - 1;
- query = fmt.Sprintf("update set time='%s' where identifier='%s'", nTime, verify.Identifier)
+ query = `update set time=$1 where identifier=$2`
- _, err := db.Exec(query)
+ _, err := db.Exec(query, nTime, verify.Identifier)
CheckError(err, "error with update cooldown query")
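Review bot: The rewritten update in VerficationCooldown has no table name — `update set time=$1 where identifier=$2` is not valid SQL, so the cooldown is never decremented and only an error is logged. Based on the select at the top of the same function it should presumably be `query = \`update verificationcooldown set time=$1 where identifier=$2\``. The loop this sits in starts and ends outside the hunk.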
@@ -251,7 +250,7 @@ func VerficationCooldown(db *sql.DB) {
}
func VerficationCooldownRemove(db *sql.DB) {
- query := fmt.Sprintf("delete from verificationcooldown where time < 1;")
+ query := `delete from verificationcooldown where time < 1`
_, err := db.Exec(query)
@@ -398,20 +397,18 @@ func CreateNewCaptcha(db *sql.DB){
func CreateBoardAccess(db *sql.DB, verify Verify) {
if(!HasBoardAccess(db, verify)){
- query := fmt.Sprintf("insert into boardaccess (identifier, board) values('%s', '%s')",
- verify.Identifier, verify.Board)
-
- _, err := db.Exec(query)
+ query := `insert into boardaccess (identifier, board) values($1, $2)`
+
+ _, err := db.Exec(query, verify.Identifier, verify.Board)
CheckError(err, "could not instert verification and board into board access")
}
}
func HasBoardAccess(db *sql.DB, verify Verify) bool {
- query := fmt.Sprintf("select count(*) from boardaccess where identifier='%s' and board='%s'",
- verify.Identifier, verify.Board)
+ query := `select count(*) from boardaccess where identifier=$1 and board=$2`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, verify.Identifier, verify.Board)
defer rows.Close()