From 8244af05eaa9f66df12095c76309b454bde525d7 Mon Sep 17 00:00:00 2001 From: FChannel <=> Date: Mon, 18 Jan 2021 04:41:21 -0800 Subject: fixed sql injection vulnerabilites. --- Database.go | 313 +++++++++++++++++++++++++++++++++++--------------------- Follow.go | 33 +++--- OutboxPost.go | 5 +- main.go | 20 +++- outboxGet.go | 11 +- verification.go | 83 ++++++++------- 6 files changed, 278 insertions(+), 187 deletions(-) diff --git a/Database.go b/Database.go index ae8ee47..f7b011d 100644 --- a/Database.go +++ b/Database.go @@ -10,9 +10,10 @@ import "regexp" func GetActorFromDB(db *sql.DB, id string) Actor { var nActor Actor - - query := fmt.Sprintf("SELECT type, id, name, preferedusername, inbox, outbox, following, followers, restricted, summary from actor where id='%s'", id) - rows, err := db.Query(query) + + query :=`select type, id, name, preferedusername, inbox, outbox, following, followers, restricted, summary from actor where id=$1` + + rows, err := db.Query(query, id) if CheckError(err, "could not get actor from db query") != nil { return nActor 
@@ -31,17 +32,17 @@ func GetActorFromDB(db *sql.DB, id string) Actor { func CreateNewBoardDB(db *sql.DB, actor Actor) Actor{ - query := fmt.Sprintf("INSERT INTO actor (type, id, name, preferedusername, inbox, outbox, following, followers, summary) values ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s')", actor.Type, actor.Id, actor.Name, actor.PreferredUsername, actor.Inbox, actor.Outbox, actor.Following, actor.Followers, actor.Summary) + query := `insert into actor (type, id, name, preferedusername, inbox, outbox, following, followers, summary) values ($1, $2, $3, $4, $5, $6, $7, $8, $9)` - _, err := db.Exec(query) + _, err := db.Exec(query, actor.Type, actor.Id, actor.Name, actor.PreferredUsername, actor.Inbox, actor.Outbox, actor.Following, actor.Followers, actor.Summary) if err != nil { fmt.Println("board exists") } else { fmt.Println("board added") - for _, e := range actor.AuthRequirement { - query = fmt.Sprintf("INSERT INTO actorauth (type, board) values ('%s', '%s')", e, actor.Name) - _, err := db.Exec(query) + for _, e := range actor.AuthRequirement { + query = `insert into actorauth (type, board) values ($1, $2)` + _, err := db.Exec(query, e, actor.Name) CheckError(err, "auth exists") } @@ -91,9 +92,9 @@ func CreateNewBoardDB(db *sql.DB, actor Actor) Actor{ func GetBoards(db *sql.DB) []Actor { var board []Actor - - query := fmt.Sprintf("select type, id, name, preferedusername, inbox, outbox, following, followers FROM actor") + query := `select type, id, name, preferedusername, inbox, outbox, following, followers FROM actor` + rows, err := db.Query(query) CheckError(err, "could not get boards from db query") 
@@ -145,8 +146,9 @@ func writeObjectToDB(db *sql.DB, obj ObjectBase) ObjectBase { } func WriteObjectUpdatesToDB(db *sql.DB, obj ObjectBase) { - query := fmt.Sprintf("update activitystream set updated='%s' where id='%s'", time.Now().Format(time.RFC3339), obj.Id) - _, e := db.Exec(query) + query := `update activitystream set updated=$1 where id=$2` + + _, e := db.Exec(query, time.Now().Format(time.RFC3339), obj.Id) if e != nil{ fmt.Println("error inserting updating inreplyto") @@ -155,15 +157,15 @@ func WriteObjectUpdatesToDB(db *sql.DB, obj ObjectBase) { } func WriteObjectReplyToLocalDB(db *sql.DB, id string, replyto string) { - query := fmt.Sprintf("insert into replies (id, inreplyto) values ('%s', '%s')", id, replyto) + query := `insert into replies (id, inreplyto) values ($1, $2)` - _, err := db.Exec(query) + _, err := db.Exec(query, id, replyto) CheckError(err, "Could not insert local reply query") - query = fmt.Sprintf("select inreplyto from replies where id='%s'", replyto) + query = `select inreplyto from replies where id=$1` - rows, err := db.Query(query) + rows, err := db.Query(query,replyto) CheckError(err, "Could not query select inreplyto") @@ -173,10 +175,10 @@ func WriteObjectReplyToLocalDB(db *sql.DB, id string, replyto string) { var val string rows.Scan(&val) if val == "" { - updated := time.Now().Format(time.RFC3339) - query := fmt.Sprintf("update activitystream set updated='%s' where id='%s'", updated, replyto) + updated := time.Now().Format(time.RFC3339) + query := `update activitystream set updated=$1 where id=$2` - _, err := db.Exec(query) + _, err := db.Exec(query, updated, replyto) CheckError(err, "error with updating replyto updated at date") } 
@@ -186,8 +188,9 @@ func WriteObjectReplyToLocalDB(db *sql.DB, id string, replyto string) { func writeObjectReplyToDB(db *sql.DB, obj ObjectBase) { for i, e := range obj.InReplyTo { if(i == 0 || IsReplyInThread(db, obj.InReplyTo[0].Id, e.Id)){ - query := fmt.Sprintf("insert into replies (id, inreplyto) values ('%s', '%s')", obj.Id, e.Id) - _, err := db.Exec(query) + query := `insert into replies (id, inreplyto) values ($1, $2)` + + _, err := db.Exec(query, obj.Id, e.Id) if err != nil{ fmt.Println("error inserting replies") @@ -214,14 +217,15 @@ func WriteWalletToDB(db *sql.DB, obj ObjectBase) { for _, e := range obj.Option { if e == "wallet" { for _, e := range obj.Wallet { - query := fmt.Sprintf("insert into wallet (id, type, address) values ('%s', '%s', '%s')", obj.Id ,e.Type, e.Address) - _, err := db.Exec(query) + query := `insert into wallet (id, type, address) values ($1, $2, $3)` + + _, err := db.Exec(query, obj.Id ,e.Type, e.Address) CheckError(err, "error with write wallet query") } return } - } + } } func writeActivitytoDB(db *sql.DB, obj ObjectBase) { @@ -229,10 +233,10 @@ func writeActivitytoDB(db *sql.DB, obj ObjectBase) { obj.Name = EscapeString(obj.Name) obj.Content = EscapeString(obj.Content) obj.AttributedTo = EscapeString(obj.AttributedTo) - - query := fmt.Sprintf("insert into activitystream (id, type, name, content, published, updated, attributedto, actor) values ('%s', '%s', E'%s', E'%s', '%s', '%s', E'%s', '%s')", obj.Id ,obj.Type, obj.Name, obj.Content, obj.Published, obj.Updated, obj.AttributedTo, obj.Actor.Id) - _, e := db.Exec(query) + query := `insert into activitystream (id, type, name, content, published, updated, attributedto, actor) values ($1, $2, $3, $4, $5, $6, $7, $8)` + + _, e := db.Exec(query, obj.Id ,obj.Type, obj.Name, obj.Content, obj.Published, obj.Updated, obj.AttributedTo, obj.Actor.Id) if e != nil{ fmt.Println("error inserting new activity") 
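Review bot: In writeActivitytoDB the removed query wrapped name, content and attributedto in PostgreSQL `E'...'` escape strings, while the new `$3`, `$4` and `$7` bind parameters hand the values to the driver verbatim, so any backslash sequences that `E''` used to interpret are now stored literally; the same change is made in writeActivitytoDBWithAttachment in the next hunk. If EscapeString or any caller relied on that interpretation, the stored text changes shape with this commit, so it is worth comparing a row written before and after. The function's body continues past the hunk.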
@@ -245,10 +249,10 @@ func writeActivitytoDBWithAttachment(db *sql.DB, obj ObjectBase, attachment Obje obj.Name = EscapeString(obj.Name) obj.Content = EscapeString(obj.Content) obj.AttributedTo = EscapeString(obj.AttributedTo) - - query := fmt.Sprintf("insert into activitystream (id, type, name, content, attachment, preview, published, updated, attributedto, actor) values ('%s', '%s', E'%s', E'%s', '%s', '%s', '%s', '%s', E'%s', '%s')", obj.Id ,obj.Type, obj.Name, obj.Content, attachment.Id, preview.Id, obj.Published, obj.Updated, obj.AttributedTo, obj.Actor.Id) - _, e := db.Exec(query) + query := `insert into activitystream (id, type, name, content, attachment, preview, published, updated, attributedto, actor) values ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)` + + _, e := db.Exec(query, obj.Id ,obj.Type, obj.Name, obj.Content, attachment.Id, preview.Id, obj.Published, obj.Updated, obj.AttributedTo, obj.Actor.Id) if e != nil{ fmt.Println("error inserting new activity with attachment") @@ -257,9 +261,9 @@ func writeActivitytoDBWithAttachment(db *sql.DB, obj ObjectBase, attachment Obje } func writeAttachmentToDB(db *sql.DB, obj ObjectBase) { - query := fmt.Sprintf("insert into activitystream (id, type, name, href, published, updated, attributedTo, mediatype, size) values ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%d');", obj.Id ,obj.Type, obj.Name, obj.Href, obj.Published, obj.Updated, obj.AttributedTo, obj.MediaType, obj.Size) + query := `insert into activitystream (id, type, name, href, published, updated, attributedTo, mediatype, size) values ($1, $2, $3, $4, $5, $6, $7, $8, $9)` - _, e := db.Exec(query) + _, e := db.Exec(query, obj.Id ,obj.Type, obj.Name, obj.Href, obj.Published, obj.Updated, obj.AttributedTo, obj.MediaType, obj.Size) if e != nil{ fmt.Println("error inserting new attachment") 
@@ -268,9 +272,9 @@ func writeAttachmentToDB(db *sql.DB, obj ObjectBase) { } func WritePreviewToDB(db *sql.DB, obj NestedObjectBase) { - query := fmt.Sprintf("insert into activitystream (id, type, name, href, published, updated, attributedTo, mediatype, size) values ('%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%d');", obj.Id ,obj.Type, obj.Name, obj.Href, obj.Published, obj.Updated, obj.AttributedTo, obj.MediaType, obj.Size) + query := `insert into activitystream (id, type, name, href, published, updated, attributedTo, mediatype, size) values ($1, $2, $3, $4, $5, $6, $7, $8, $9)` - _, e := db.Exec(query) + _, e := db.Exec(query, obj.Id ,obj.Type, obj.Name, obj.Href, obj.Published, obj.Updated, obj.AttributedTo, obj.MediaType, obj.Size) if e != nil{ fmt.Println("error inserting new attachment") @@ -282,9 +286,9 @@ func GetActivityFromDB(db *sql.DB, id string) Collection { var nColl Collection var result []ObjectBase - query := fmt.Sprintf("SELECT actor, id, name, content, type, published, updated, attributedto, attachment, preview, actor FROM activitystream WHERE id='%s' ORDER BY updated asc;", id) + query := `select actor, id, name, content, type, published, updated, attributedto, attachment, preview, actor from activitystream where id=$1 order by updated asc` - rows, err := db.Query(query) + rows, err := db.Query(query, id) CheckError(err, "error query object from db") 
@@ -321,9 +325,9 @@ func GetObjectFromDB(db *sql.DB, actor Actor) Collection { var nColl Collection var result []ObjectBase - query := fmt.Sprintf("SELECT id, name, content, type, published, updated, attributedto, attachment, preview, actor FROM activitystream WHERE actor='%s' AND id IN (SELECT id FROM replies WHERE inreplyto='') AND type='Note' ORDER BY updated asc;", actor.Id) + query := `select id, name, content, type, published, updated, attributedto, attachment, preview, actor from activitystream where actor=$1 and id in (select id from replies where inreplyto='') and type='Note' order by updated asc` - rows, err := db.Query(query) + rows, err := db.Query(query, actor.Id) CheckError(err, "error query object from db") @@ -359,9 +363,9 @@ func GetObjectFromDB(db *sql.DB, actor Actor) Collection { func GetInReplyToDB(db *sql.DB, parent ObjectBase) []ObjectBase { var result []ObjectBase - query := fmt.Sprintf("SELECT inreplyto FROM replies WHERE id ='%s'", parent.Id) + query := `select inreplyto from replies where id =$1` - rows, err := db.Query(query) + rows, err := db.Query(query, parent.Id) CheckError(err, "error with inreplyto db query") @@ -382,10 +386,10 @@ func GetObjectRepliesDB(db *sql.DB, parent ObjectBase) *CollectionBase { var nColl CollectionBase var result []ObjectBase - - query := fmt.Sprintf("SELECT id, name, content, type, published, attributedto, attachment, preview, actor FROM activitystream WHERE id IN (SELECT id FROM replies WHERE inreplyto='%s') AND type='Note' ORDER BY published asc;", parent.Id) - rows, err := db.Query(query) + query := `select id, name, content, type, published, attributedto, attachment, preview, actor from activitystream WHERE id in (select id from replies where inreplyto=$1) and type='Note' order by published asc` + + rows, err := db.Query(query, parent.Id) CheckError(err, "error with replies db query") 
@@ -431,10 +435,10 @@ func GetObjectRepliesDB(db *sql.DB, parent ObjectBase) *CollectionBase { func GetObjectRepliesRemote(db *sql.DB, parent ObjectBase) CollectionBase { var nColl CollectionBase - var result []ObjectBase - query := fmt.Sprintf("select id from replies where id not in (select id from activitystream) and inreplyto='%s'", parent.Id) + var result []ObjectBase + query := `select id from replies where id not in (select id from activitystream) and inreplyto=$1` - rows, err := db.Query(query) + rows, err := db.Query(query, parent.Id) CheckError(err, "could not get remote id query") @@ -460,9 +464,9 @@ func GetObjectRepliesRepliesDB(db *sql.DB, parent ObjectBase) *CollectionBase { var nColl CollectionBase var result []ObjectBase - query := fmt.Sprintf("SELECT id, name, content, type, published, attributedto, attachment, preview, actor FROM activitystream WHERE id IN (SELECT id FROM replies WHERE inreplyto='%s') AND type='Note' ORDER BY published asc;", parent.Id) + query := `select id, name, content, type, published, attributedto, attachment, preview, actor from activitystream where id in (select id from replies where inreplyto=$1) and type='Note' order by published asc` - rows, err := db.Query(query) + rows, err := db.Query(query, parent.Id) CheckError(err, "error with replies replies db query") 
@@ -506,36 +510,26 @@ func GetObjectRepliesDBCount(db *sql.DB, parent ObjectBase) (int, int) { var countId int var countImg int + + query := `select count(id) from replies where inreplyto=$1 and id in (select id from activitystream where type='Note')` - query := fmt.Sprintf("SELECT COUNT(id) FROM replies WHERE inreplyto ='%s' and id in (select id from activitystream where type='Note');", parent.Id) - - rows, err := db.Query(query) + rows, err := db.Query(query, parent.Id) CheckError(err, "error with replies count db query") defer rows.Close() - for rows.Next() { - err = rows.Scan(&countId) - - if err !=nil{ - fmt.Println("error with replies count db scan") - } - } + rows.Next() + rows.Scan(&countId) - query = fmt.Sprintf("SELECT COUNT(attachment) FROM activitystream WHERE id IN (SELECT id FROM replies WHERE inreplyto ='%s') AND attachment != '';", parent.Id) + query = `select count(attachment) from activitystream where id in (select id from replies where inreplyto=$1) and attachment != ''` - rows, err = db.Query(query) + rows, err = db.Query(query, parent.Id) CheckError(err, "error with select attachment count db query") defer rows.Close() - for rows.Next() { - err = rows.Scan(&countImg) - - if err !=nil{ - fmt.Println("error with replies count db scan") - } - } + rows.Next() + rows.Scan(&countImg) return countId, countImg } @@ -543,10 +537,10 @@ func GetObjectRepliesDBCount(db *sql.DB, parent ObjectBase) (int, int) { func GetObjectAttachment(db *sql.DB, id string) []ObjectBase { var attachments []ObjectBase - - query := fmt.Sprintf("SELECT id, type, name, href, mediatype, size, published FROM activitystream WHERE id='%s'", id) - rows, err := db.Query(query) + query := `select id, type, name, href, mediatype, size, published from activitystream where id=$1` + + rows, err := db.Query(query, id) CheckError(err, "could not select object attachment query") 
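Review bot: Replacing the two `for rows.Next()` loops in GetObjectRepliesDBCount with a bare `rows.Next()` followed by `rows.Scan(&countId)` discards both return values, so a failed query or scan leaves countId and countImg at 0 with nothing logged; main.go uses `count == 0` to choose DeleteObject over DeleteObjectAndReplies, so a transient database error would tombstone a thread root while its replies stay live. The single-row API keeps the error and closes the result set for you: `err := db.QueryRow(query, parent.Id).Scan(&countId)` then `CheckError(err, "error with replies count db scan")`, and the same for countImg. Note that `rows` is nil when db.Query returns an error, so the unconditional `rows.Next()` would also panic on that path as written.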
@@ -569,10 +563,10 @@ func GetObjectAttachment(db *sql.DB, id string) []ObjectBase { func GetObjectPreview(db *sql.DB, id string) *NestedObjectBase { var preview NestedObjectBase - - query := fmt.Sprintf("SELECT id, type, name, href, mediatype, size, published FROM activitystream WHERE id='%s'", id) - rows, err := db.Query(query) + query := `select id, type, name, href, mediatype, size, published from activitystream where id=$1` + + rows, err := db.Query(query, id) CheckError(err, "could not select object preview query") @@ -587,9 +581,9 @@ func GetObjectPreview(db *sql.DB, id string) *NestedObjectBase { func GetObjectPostsTotalDB(db *sql.DB, actor Actor) int{ count := 0 - query := fmt.Sprintf("SELECT COUNT(id) FROM activitystream WHERE actor='%s' AND id IN (SELECT id FROM replies WHERE inreplyto='' AND type='Note');", actor.Id) + query := `select count(id) from activitystream where actor=$1 and id in (select id from replies where inreplyto='' and type='Note')` - rows, err := db.Query(query) + rows, err := db.Query(query, actor.Id) CheckError(err, "could not select post total count query") @@ -605,9 +599,9 @@ func GetObjectPostsTotalDB(db *sql.DB, actor Actor) int{ func GetObjectImgsTotalDB(db *sql.DB, actor Actor) int{ count := 0 - query := fmt.Sprintf("SELECT COUNT(attachment) FROM activitystream WHERE actor='%s' AND id IN (SELECT id FROM replies WHERE inreplyto='' AND type='Note' );", actor.Id) + query := `select count(attachment) from activitystream where actor=$1 and id in (select id from replies where inreplyto='' and type='Note' )` - rows, err := db.Query(query) + rows, err := db.Query(query, actor.Id) CheckError(err, "error with posts total db query") 
@@ -622,11 +616,13 @@ func GetObjectImgsTotalDB(db *sql.DB, actor Actor) int{ } -func DeleteAttachmentFromFile(db *sql.DB, id string) { - - var query = fmt.Sprintf("select href, type from activitystream where id in (select attachment from activitystream where id='%s')", id) - rows, err := db.Query(query) +func DeletePreviewFromFile(db *sql.DB, id string) { + + var query = `select href, type from activitystream where id in (select preview from activitystream where id=$1)` + // var query = fmt.Sprintf("select href, type from activitystream where id in (select attachment from activitystream where id='%s')", id) + + rows, err := db.Query(query, id) CheckError(err, "error query delete attachment") @@ -635,13 +631,13 @@ func DeleteAttachmentFromFile(db *sql.DB, id string) { var href string var _type string err := rows.Scan(&href, &_type) + fmt.Println(href) href = strings.Replace(href, Domain + "/", "", 1) - + fmt.Println(href) CheckError(err, "error scanning delete attachment") if _type != "Tombstone" { _, err = os.Stat(href) - CheckError(err, "err removing file from system") if err == nil { os.Remove(href) } 
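Review bot: The two `fmt.Println(href)` prints added around the Domain strip in DeletePreviewFromFile are debug output and should be removed before merge, as should the old fmt.Sprintf query kept as a comment in the previous hunk; the same commented-out queries recur in the DeleteAttachmentFromFile, DeletePreviewRepliesFromDB, DeleteAttachmentRepliesFromDB, DeleteAttachmentFromDB, DeletePreviewFromDB, DeleteObjectFromDB and DeleteObjectRepliesFromDB hunks that follow. The CheckError message in this function still reads `"error query delete attachment"` although the query now selects `preview`; `"error query delete preview"` would keep the logs searchable. The function's body continues past the hunk.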
@@ -649,14 +645,65 @@ func DeleteAttachmentFromFile(db *sql.DB, id string) { } + DeletePreviewFromDB(db, id) +} + +func DeleteAttachmentFromFile(db *sql.DB, id string) { + + var query = `select href, type from activitystream where id in (select attachment from activitystream where id=$1)` + // var query = fmt.Sprintf("select href, type from activitystream where id in (select attachment from activitystream where id='%s')", id) + + rows, err := db.Query(query, id) + + CheckError(err, "error query delete attachment") + + defer rows.Close() + for rows.Next() { + var href string + var _type string + + err := rows.Scan(&href, &_type) + href = strings.Replace(href, Domain + "/", "", 1) + + CheckError(err, "error scanning delete preview") + + if _type != "Tombstone" { + _, err = os.Stat(href) + if err == nil { + os.Remove(href) + } + } + } + DeleteAttachmentFromDB(db, id) } +func DeletePreviewRepliesFromDB(db *sql.DB, id string) { + var query = `select id from activitystream where id in (select id from replies where inreplyto=$1)` + // var query = fmt.Sprintf("select id from activitystream where id (select id from replies where inreplyto='%s');", id) + + rows, err := db.Query(query, id) + + CheckError(err, "error query delete preview replies") + + defer rows.Close() + for rows.Next() { + var attachment string + + err := rows.Scan(&attachment) + + CheckError(err, "error scanning delete preview") + + DeletePreviewFromFile(db, attachment) + } +} + func DeleteAttachmentRepliesFromDB(db *sql.DB, id string) { - var query = fmt.Sprintf("select id from activitystream where id (select id from replies where inreplyto='%s');", id) + var query = `select id from activitystream where id in (select id from replies where inreplyto=$1)` + // var query = fmt.Sprintf("select id from activitystream where id (select id from replies where inreplyto='%s');", id) - rows, err := db.Query(query) + rows, err := db.Query(query, id) CheckError(err, "error query delete attachment replies") 
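Review bot: In the new DeleteAttachmentFromFile body the path given to os.Stat and os.Remove is the stored href after `strings.Replace(href, Domain + "/", "", 1)`, which replaces the first occurrence anywhere rather than a prefix and leaves the value untouched when Domain does not appear in it, so a remote or otherwise unexpected href would reach os.Remove as-is; DeletePreviewFromFile in the previous hunk has the same shape. Assuming local media hrefs look like Domain/public/<file> (as `Domain + "/public/removed.png"` and the `./public` file server suggest), strip the prefix with strings.TrimPrefix, clean the result and skip anything outside public/ before removing; this needs `path/filepath` imported in Database.go. The scan messages are also crossed: this function logs `"error scanning delete preview"` while DeletePreviewFromFile logs `"error scanning delete attachment"`.
```go
// … unchanged: query, db.Query, CheckError, defer rows.Close(), loop header, var href/_type …
err := rows.Scan(&href, &_type)
CheckError(err, "error scanning delete attachment")

// Only remove files under the served media directory.
href = filepath.Clean(strings.TrimPrefix(href, Domain+"/"))
if _type != "Tombstone" && strings.HasPrefix(href, "public"+string(filepath.Separator)) {
	if _, err := os.Stat(href); err == nil {
		os.Remove(href)
	}
}
// … unchanged: loop close, DeleteAttachmentFromDB(db, id) …
```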
@@ -676,29 +723,61 @@ func DeleteAttachmentRepliesFromDB(db *sql.DB, id string) { func DeleteAttachmentFromDB(db *sql.DB, id string) { datetime := time.Now().Format(time.RFC3339) - var query = fmt.Sprintf("update activitystream set type='Tombstone', mediatype='image/png', href='%s', name='', content='', attributedto='deleted', updated='%s', deleted='%s' where id in (select attachment from activitystream where id='%s');", Domain + "/public/removed.png", datetime, datetime, id) + var query = `update activitystream set type='Tombstone', mediatype='image/png', href=$1, name='', content='', attributedto='deleted', updated=$2, deleted=$3 where id in (select attachment from activitystream where id=$4)` + // var query = fmt.Sprintf("update activitystream set type='Tombstone', mediatype='image/png', href='%s', name='', content='', attributedto='deleted', updated='%s', deleted='%s' where id in (select attachment from activitystream where id='%s');", Domain + "/public/removed.png", datetime, datetime, id) - _, err := db.Exec(query) + _, err := db.Exec(query, Domain + "/public/removed.png", datetime, datetime, id) CheckError(err, "error with delete attachment") } +func DeletePreviewFromDB(db *sql.DB, id string) { + datetime := time.Now().Format(time.RFC3339) + + var query = `update activitystream set type='Tombstone', mediatype='image/png', href=$1, name='', content='', attributedto='deleted', updated=$2, deleted=$3 where id in (select preview from activitystream where id=$4)` + // var query = fmt.Sprintf("update activitystream set type='Tombstone', mediatype='image/png', href='%s', name='', content='', attributedto='deleted', updated='%s', deleted='%s' where id in (select attachment from activitystream where id='%s');", Domain + "/public/removed.png", datetime, datetime, id) + + _, err := db.Exec(query, Domain + "/public/removed.png", datetime, datetime, id) + + CheckError(err, "error with delete preview") +} + +func DeleteObjectRepliedTo(db *sql.DB, id string){ + query := 
`delete from replies where id=$1` + _, err := db.Exec(query, id) + + CheckError(err, "error with delete object replies") +} + func DeleteObjectFromDB(db *sql.DB, id string) { datetime := time.Now().Format(time.RFC3339) - var query = fmt.Sprintf("update activitystream set type='Tombstone', name='', content='', attributedto='deleted', updated='%s', deleted='%s' where id='%s';", datetime, datetime, id) + var query = `update activitystream set type='Tombstone', name='', content='', attributedto='deleted', updated=$1, deleted=$2 where id=$3` + // var query = fmt.Sprintf("update activitystream set type='Tombstone', name='', content='', attributedto='deleted', updated='%s', deleted='%s' where id='%s';", datetime, datetime, id) - _, err := db.Exec(query) + _, err := db.Exec(query, datetime, datetime, id) - CheckError(err, "error with delete object") + CheckError(err, "error with delete object") + DeleteObjectsInReplyTo(db, id) + DeleteObjectRepliedTo(db, id) +} + +func DeleteObjectsInReplyTo(db *sql.DB, id string) { + query := `delete from replies where id in (select id from replies where inreplyto=$1)` + + _, err := db.Exec(query, id) + + CheckError(err, "error with delete object replies to") } func DeleteObjectRepliesFromDB(db *sql.DB, id string) { - datetime := time.Now().Format(time.RFC3339) - var query = fmt.Sprintf("update activitystream set type='Tombstone', name='', content='', attributedto='deleted' updated='%s', deleted='%s' where id in (select id from replies where inreplyto='%s');", datetime, datetime, id) + datetime := time.Now().Format(time.RFC3339) + + var query = `update activitystream set type='Tombstone', name='', content='', attributedto='deleted', updated=$1, deleted=$2 where id in (select id from replies where inreplyto=$3)` + // var query = fmt.Sprintf("update activitystream set type='Tombstone', name='', content='', attributedto='deleted' updated='%s', deleted='%s' where id in (select id from replies where inreplyto='%s');", datetime, datetime, id) - 
_, err := db.Exec(query) - CheckError(err, "error with delete object replies") + _, err := db.Exec(query, datetime, datetime, id) + CheckError(err, "error with delete object replies") } func DeleteObject(db *sql.DB, id string) { @@ -706,10 +785,12 @@ func DeleteObject(db *sql.DB, id string) { if(!IsIDLocal(db, id)) { return } - - DeleteObjectFromDB(db, id) + + DeleteReportActivity(db, id) - DeleteAttachmentFromFile(db, id) + DeleteAttachmentFromFile(db, id) + DeletePreviewFromFile(db, id) + DeleteObjectFromDB(db, id) } func DeleteObjectAndReplies(db *sql.DB, id string) { @@ -717,16 +798,19 @@ func DeleteObjectAndReplies(db *sql.DB, id string) { if(!IsIDLocal(db, id)) { return } - - DeleteObjectFromDB(db, id) + DeleteReportActivity(db, id) - DeleteAttachmentFromFile(db, id) + DeleteAttachmentFromFile(db, id) + DeletePreviewFromFile(db, id) DeleteObjectRepliesFromDB(db, id) DeleteAttachmentRepliesFromDB(db, id) + DeletePreviewRepliesFromDB(db, id) + DeleteObjectFromDB(db, id) } func GetRandomCaptcha(db *sql.DB) string{ - query := fmt.Sprintf("select identifier from verification where type='captcha' order by random() limit 1") + query := `select identifier from verification where type='captcha' order by random() limit 1` + rows, err := db.Query(query) CheckError(err, "could not get captcha") @@ -744,7 +828,8 @@ func GetRandomCaptcha(db *sql.DB) string{ } func GetCaptchaTotal(db *sql.DB) int{ - query := fmt.Sprintf("select count(*) from verification where type='captcha'") + query := `select count(*) from verification where type='captcha'` + rows, err := db.Query(query) CheckError(err, "could not get query captcha total") 
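Review bot: DeleteObjectFromDB now hard-deletes the `replies` rows of the object's children through DeleteObjectsInReplyTo, but it is reached from DeleteObject as well as from DeleteObjectAndReplies, and DeleteObject does not tombstone those children; an object with replies deleted through that path would leave the replies' activitystream rows live but no longer listed by GetObjectRepliesDB or GetObjectFromDB, both of which find them via replies. main.go guards its one call with GetObjectRepliesDBCount, so whether this bites depends on other callers of DeleteObject. The tombstone update and the two deletes also run as independent statements, so a failure between them leaves the two tables disagreeing; if that matters, run them inside one transaction (`tx, err := db.Begin()` … `tx.Exec(...)` … `tx.Commit()`). DeletePreviewFromDB's trailing comment still quotes the attachment query rather than the preview one.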
@@ -762,9 +847,10 @@ func GetCaptchaTotal(db *sql.DB) int{ } func GetCaptchaCodeDB(db *sql.DB, verify string) string { - - query := fmt.Sprintf("select code from verification where identifier='%s' limit 1", verify) - rows, err := db.Query(query) + + query := `select code from verification where identifier=$1 limit 1` + + rows, err := db.Query(query, verify) CheckError(err, "could not get captcha verifciation") @@ -781,9 +867,9 @@ func GetCaptchaCodeDB(db *sql.DB, verify string) string { } func GetActorAuth(db *sql.DB, actor string) []string { - query := fmt.Sprintf("select type from actorauth where board='%s'", actor) + query := `select type from actorauth where board=$1` - rows, err := db.Query(query) + rows, err := db.Query(query, actor) CheckError(err, "could not get actor auth") @@ -804,9 +890,9 @@ func GetActorAuth(db *sql.DB, actor string) []string { } func DeleteCaptchaCodeDB(db *sql.DB, verify string) { - query := fmt.Sprintf("delete from verification where identifier='%s'", verify) + query := `delete from verification where identifier=$1` - _, err := db.Exec(query); + _, err := db.Exec(query, verify) CheckError(err, "could not delete captcah code db") @@ -818,15 +904,14 @@ func EscapeString(text string) string { text = re.ReplaceAllString(text, "I love black people") re = regexp.MustCompile("(?i)(n)+(\\s+)?(i)+(\\s+)?(g)(\\s+)?(g)+(\\s+)?") text = re.ReplaceAllString(text, "I love black people") - text = strings.Replace(text, "'", `''`, -1) text = strings.Replace(text, "<", "<", -1) return text } func GetActorReportedTotal(db *sql.DB, id string) int { - query := fmt.Sprintf("select count(id) from reported where board='%s'", id) + query := `select count(id) from reported where board=$1` - rows, err := db.Query(query) + rows, err := db.Query(query, id) CheckError(err, "error getting actor reported total query") 
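Review bot: Dropping the `'` → `''` doubling from EscapeString follows from the move to bind parameters, but EscapeString is still applied to name, content and attributedto in writeActivitytoDB and now only performs the word substitutions and the `<` replacement, so it offers no SQL protection to any query still assembled with fmt.Sprintf (verification.go is touched by this commit but its hunks are outside this chunk). A grep for `fmt.Sprintf(` near `db.Query`/`db.Exec` before merging would confirm nothing relied on it. A doc comment on the function would keep the next maintainer from reintroducing that reliance, e.g. `// EscapeString rewrites slurs and replaces '<' for display; it does not quote for SQL, use bind parameters.`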
@@ -843,9 +928,9 @@ func GetActorReportedTotal(db *sql.DB, id string) int { func GetActorReportedDB(db *sql.DB, id string) []ObjectBase { var nObj []ObjectBase - query := fmt.Sprintf("select id, count from reported where board='%s'", id) + query := `select id, count from reported where board=$1` - rows, err := db.Query(query) + rows, err := db.Query(query, id) CheckError(err, "error getting actor reported query") diff --git a/Follow.go b/Follow.go index 475417b..8fc6200 100644 --- a/Follow.go +++ b/Follow.go @@ -1,6 +1,5 @@ package main -import "fmt" import "net/http" import "database/sql" import _ "github.com/lib/pq" @@ -44,10 +43,10 @@ func SetActorFollowDB(db *sql.DB, activity Activity, actor string) Activity { } } if alreadyFollow { - query = fmt.Sprintf("delete from following where id='%s' and following='%s'", activity.Actor.Id, activity.Object.Id) + query = `delete from following where id=$1 and following=$2` activity.Summary = activity.Actor.Id + " Unfollow " + activity.Object.Id } else { - query = fmt.Sprintf("insert into following (id, following) values ('%s', '%s')", activity.Actor.Id, activity.Object.Id) + query = `insert into following (id, following) values ($1, $2)` activity.Summary = activity.Actor.Id + " Follow " + activity.Object.Id } } else { 
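Review bot: In SetActorFollowDB the follower-table branches (`delete from follower where id=$1 and follower=$2` and `insert into follower (id, follower) values ($1, $2)`, in the next hunk) are run by the single `db.Exec(query, activity.Actor.Id, activity.Object.Id)`, which binds Actor.Id to id and Object.Id to follower; the removed fmt.Sprintf lines bound them the other way round (id=Object.Id, follower=Actor.Id), and SetActorFollowingDB keeps that original order. Followers are therefore recorded under the wrong id after this commit. Either change those two queries to `id=$2 and follower=$1` and `values ($2, $1)`, or move the Exec call into each branch with its own argument order.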
@@ -57,15 +56,15 @@ func SetActorFollowDB(db *sql.DB, activity Activity, actor string) Activity { } } if alreadyFollow { - query = fmt.Sprintf("delete from follower where id='%s' and follower='%s'", activity.Object.Id, activity.Actor.Id) + query = `delete from follower where id=$1 and follower=$2` activity.Summary = activity.Actor.Id + " Unfollow " + activity.Object.Id } else { - query = fmt.Sprintf("insert into follower (id, follower) values ('%s', '%s')", activity.Object.Id, activity.Actor.Id) + query = `insert into follower (id, follower) values ($1, $2)` activity.Summary = activity.Actor.Id + " Follow " + activity.Object.Id } } - _, err := db.Exec(query) + _, err := db.Exec(query, activity.Actor.Id, activity.Object.Id) CheckError(err, "error with follow db insert/delete") @@ -76,9 +75,9 @@ func GetActorFollowDB(db *sql.DB, id string) ([]ObjectBase, []ObjectBase) { var followingCollection []ObjectBase var followerCollection []ObjectBase - query := fmt.Sprintf("SELECT following FROM following WHERE id='%s'", id) + query := `select following from following where id=$1` - rows, err := db.Query(query) + rows, err := db.Query(query, id) CheckError(err, "error with following db query") @@ -94,9 +93,9 @@ func GetActorFollowDB(db *sql.DB, id string) ([]ObjectBase, []ObjectBase) { followingCollection = append(followingCollection, obj) } - query = fmt.Sprintf("SELECT follower FROM follower WHERE id='%s'", id) + query = `select follower from follower where id=$1` - rows, err = db.Query(query) + rows, err = db.Query(query, id) CheckError(err, "error with followers db query") @@ -119,9 +118,9 @@ func GetActorFollowTotal(db *sql.DB, id string) (int, int) { var following int var followers int - query := fmt.Sprintf("SELECT COUNT(following) FROM following WHERE id='%s'", id) + query := `select count(following) from following where id=$1` - rows, err := db.Query(query) + rows, err := db.Query(query, id) CheckError(err, "error with following total db query") 
@@ -133,9 +132,9 @@ func GetActorFollowTotal(db *sql.DB, id string) (int, int) { CheckError(err, "error with following total db scan") } - query = fmt.Sprintf("SELECT COUNT(follower) FROM follower WHERE id='%s'", id) + query = `select count(follower) from follower where id=$1` - rows, err = db.Query(query) + rows, err = db.Query(query, id) CheckError(err, "error with followers total db query") @@ -202,14 +201,14 @@ func SetActorFollowingDB(db *sql.DB, activity Activity) Activity{ } if alreadyFollow { - query = fmt.Sprintf("delete from follower where id='%s' and follower='%s'", activity.Object.Id, activity.Actor.Id) + query = `delete from follower where id=$1 and follower=$2` activity.Summary = activity.Actor.Id + " Unfollow " + activity.Object.Id } else { - query = fmt.Sprintf("insert into follower (id, follower) values ('%s', '%s')", activity.Object.Id, activity.Actor.Id) + query = `insert into follower (id, follower) values ($1, $2)` activity.Summary = activity.Actor.Id + " Follow " + activity.Object.Id } - _, err := db.Exec(query) + _, err := db.Exec(query, activity.Object.Id, activity.Actor.Id) if err != nil { CheckError(err, "error with follow db insert/delete") diff --git a/OutboxPost.go b/OutboxPost.go index 9d39eff..dacf77e 100644 --- a/OutboxPost.go +++ b/OutboxPost.go @@ -107,10 +107,12 @@ func ParseOutboxRequest(w http.ResponseWriter, r *http.Request, db *sql.DB) { verification := GetVerificationByCode(db, activity.Auth) var rActivity Activity - + fmt.Println("ok") if validActor && validLocalActor && verification.Board == activity.Actor.Id || verification.Board == Domain { + fmt.Println("yes") rActivity = AcceptFollow(activity, actor) } else { + fmt.Println("no") rActivity = RejectFollow(activity, actor) rActivity.Summary = "No valid actor or Actor is not located here" } 
@@ -506,7 +508,6 @@ func CheckCaptcha(db *sql.DB, captcha string) bool {
 func ParseInboxRequest(w http.ResponseWriter, r *http.Request, db *sql.DB) {
 activity := GetActivityFromJson(r, db)
-
 switch(activity.Type) {
 case "Create":
 for _, e := range activity.Object.InReplyTo {
diff --git a/main.go b/main.go
index 9de7e60..efc0b38 100644
--- a/main.go
+++ b/main.go
@@ -52,7 +52,8 @@ func main() {
 if GetConfigValue("instancename") != "" {
 CreateNewBoardDB(db, *CreateNewActor("", GetConfigValue("instancename"), GetConfigValue("instancesummary"), authReq, false))
 }
-
+
+ CreateNewBoardDB(db, *CreateNewActor("m", "me", "me so go go", authReq, false))
 // Allow access to public media folder
 fileServer := http.FileServer(http.Dir("./public"))
@@ -219,8 +220,15 @@ func main() {
 return
 }
- id := values
- DeleteObject(db, id)
+ var obj ObjectBase
+ obj.Id = values
+
+ count, _ := GetObjectRepliesDBCount(db, obj)
+ if count == 0 {
+ DeleteObject(db, obj.Id)
+ } else {
+ DeleteObjectAndReplies(db, obj.Id)
+ }
 w.Write([]byte(""))
 })
@@ -248,6 +256,7 @@ func main() {
 id := values
 DeleteAttachmentFromFile(db, id)
+ DeletePreviewFromFile(db, id)
 w.Write([]byte(""))
 })
@@ -258,7 +267,6 @@ func main() {
 header := r.Header.Get("Authorization")
 auth := strings.Split(header, " ")
-
 if close == "1" {
 if !IsIDLocal(db, id) || len(auth) < 2 {
 w.WriteHeader(http.StatusBadRequest)
@@ -266,6 +274,8 @@ func main() {
 return
 }
+
+ actor := GetActorFromPath(db, id, "/")
 if !HasAuth(db, auth[1], actor.Id) {
@@ -584,7 +594,7 @@ func CreatePreviewObject(obj ObjectBase) *NestedObjectBase {
 objFile := re.FindString(obj.Href)
- cmd := exec.Command("convert", "." + objFile ,"-resize", "250x250", "." + href)
+ cmd := exec.Command("convert", "." + objFile ,"-resize", "250x250>", "." + href)
 err := cmd.Run()
diff --git a/outboxGet.go b/outboxGet.go
index 1747165..665ca05 100644
--- a/outboxGet.go
+++ b/outboxGet.go
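Review bot: The new `CreateNewBoardDB(db, *CreateNewActor("m", "me", "me so go go", authReq, false))` in main() unconditionally creates a hard-coded board named "me" on every start, directly after the config-driven instance board; the literal summary reads like a local test fixture rather than something every deployment should get by default. Either remove it before merge or drive it from configuration the way the instancename board above it is (via `GetConfigValue(...)`), so a production database does not silently acquire an extra board with the same auth requirements as the instance. main's body continues outside the hunk.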
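Review bot: `count, _ := GetObjectRepliesDBCount(db, obj)` in the new delete handler discards the error, so if the reply-count query fails `count` is zero and the handler falls through to `DeleteObject(db, obj.Id)`, removing the parent while leaving its replies orphaned, with nothing logged. Check the error and stop before deleting anything: `count, err := GetObjectRepliesDBCount(db, obj)` followed by `if err != nil { w.WriteHeader(http.StatusInternalServerError); return }`. The handler closure and main() both extend outside the hunk.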
@@ -1,6 +1,5 @@
 package main
-import "fmt"
 import "net/http"
 import "database/sql"
 import _ "github.com/lib/pq"
@@ -17,7 +16,7 @@ func GetActorOutbox(w http.ResponseWriter, r *http.Request, db *sql.DB) {
 collection.Actor = actor.Id
 collection.TotalItems = GetObjectPostsTotalDB(db, actor)
- collection.TotalImgs = GetObjectImgsTotalDB(db, actor)
+ collection.TotalImgs = GetObjectImgsTotalDB(db, actor)
 enc, _ := json.MarshalIndent(collection, "", "\t")
 w.Header().Set("Content-Type", "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"")
@@ -47,9 +46,9 @@ func GetCollectionFromPath(db *sql.DB, path string) Collection {
 var nColl Collection
 var result []ObjectBase
- query := fmt.Sprintf("SELECT id, name, content, type, published, attributedto, attachment, preview, actor FROM activitystream WHERE id='%s' ORDER BY published desc;", path)
+ query := `select id, name, content, type, published, attributedto, attachment, preview, actor from activitystream where id=$1 order by published desc`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, path)
 CheckError(err, "error query collection path from db")
@@ -92,9 +91,9 @@ func GetObjectFromPath(db *sql.DB, path string) ObjectBase{
 var nObj ObjectBase
 var result []ObjectBase
- query := fmt.Sprintf("SELECT id, name, content, type, published, attributedto, attachment, preview, actor FROM activitystream WHERE id='%s' ORDER BY published desc;", path)
+ query := `select id, name, content, type, published, attributedto, attachment, preview, actor from activitystream where id=$1 order by published desc`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, path)
 CheckError(err, "error query collection path from db")
diff --git a/verification.go b/verification.go
index c8d46be..b1ebe13 100644
--- a/verification.go
+++ b/verification.go
@@ -24,9 +24,9 @@ type VerifyCooldown struct {
 }
 func DeleteBoardMod(db *sql.DB, verify Verify) {
- query := fmt.Sprintf("select code from boardaccess where identifier='%s' and board='%s'", verify.Identifier, verify.Board)
+ query := `select code from boardaccess where identifier=$1 and board=$1`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, verify.Identifier, verify.Board)
 CheckError(err, "could not select code from boardaccess")
@@ -37,16 +37,15 @@ func DeleteBoardMod(db *sql.DB, verify Verify) {
 rows.Scan(&code)
 if code != "" {
- query := fmt.Sprintf("delete from crossverification where code='%s'", code)
-
-
- _, err := db.Exec(query)
+ query := `delete from crossverification where code=$1`
+
+ _, err := db.Exec(query, code)
 CheckError(err, "could not delete code from crossverification")
- query = fmt.Sprintf("delete from boardaccess where identifier='%s' and board='%s'", verify.Identifier, verify.Board)
+ query = `delete from boardaccess where identifier=$1 and board=$2`
- _, err = db.Exec(query)
+ _, err = db.Exec(query, verify.Identifier, verify.Board)
 CheckError(err, "could not delete identifier from boardaccess")
 }
@@ -55,9 +54,9 @@ func DeleteBoardMod(db *sql.DB, verify Verify) {
 func GetBoardMod(db *sql.DB, identifier string) Verify{
 var nVerify Verify
- query := fmt.Sprintf("select code, board, type, identifier from boardaccess where identifier='%s'", identifier)
+ query := `select code, board, type, identifier from boardaccess where identifier=$1`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, identifier)
 CheckError(err, "could not select boardaccess query")
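Review bot: The new select in DeleteBoardMod, `select code from boardaccess where identifier=$1 and board=$1`, uses placeholder `$1` twice while the following `db.Query` supplies two arguments; the statement declares one parameter but is bound with two, so the database rejects it, and even if it ran it would compare `board` against the identifier instead of `verify.Board`. Because CheckError does not return here, the loop that follows would then operate on a nil *sql.Rows. Change `and board=$1` to `and board=$2`, matching the delete statement rewritten later in the same function. DeleteBoardMod's body continues past this hunk.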
@@ -72,9 +71,9 @@ func GetBoardMod(db *sql.DB, identifier string) Verify{
 func CreateBoardMod(db *sql.DB, verify Verify) {
 pass := CreateKey(50)
- query := fmt.Sprintf("select code from verification where identifier='%s' and type='%s'", verify.Board, verify.Type)
+ query := `select code from verification where identifier=$1 and type=$2`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, verify.Board, verify.Type)
 CheckError(err, "could not select verifcaiton query")
@@ -87,9 +86,9 @@ func CreateBoardMod(db *sql.DB, verify Verify) {
 if code != "" {
- query := fmt.Sprintf("select identifier from boardaccess where identifier='%s' and board='%s'", verify.Identifier, verify.Board)
+ query := `select identifier from boardaccess where identifier=$1 and board=$2`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, verify.Identifier, verify.Board)
 CheckError(err, "could not select idenifier from boardaccess")
@@ -101,15 +100,15 @@ func CreateBoardMod(db *sql.DB, verify Verify) {
 if ident != verify.Identifier {
- query := fmt.Sprintf("insert into crossverification (verificationcode, code) values ('%s', '%s')", code, pass)
+ query := `insert into crossverification (verificationcode, code) values ($1, $2)`
- _, err := db.Exec(query)
+ _, err := db.Exec(query, code, pass)
 CheckError(err, "could not insert new crossverification")
- query = fmt.Sprintf("insert into boardaccess (identifier, code, board, type) values ('%s', '%s', '%s', '%s')", verify.Identifier, pass, verify.Board, verify.Type)
+ query = `insert into boardaccess (identifier, code, board, type) values ($1, $2, $3, $4)`
- _, err = db.Exec(query)
+ _, err = db.Exec(query, verify.Identifier, pass, verify.Board, verify.Type)
 CheckError(err, "could not insert new boardaccess")
@@ -119,9 +118,9 @@ func CreateBoardMod(db *sql.DB, verify Verify) {
 }
 func CreateVerification(db *sql.DB, verify Verify) {
- query := fmt.Sprintf("insert into verification (type, identifier, code, created) values ('%s', '%s', '%s', '%s') ", verify.Type, verify.Identifier, verify.Code, time.Now().Format(time.RFC3339))
+ query := `insert into verification (type, identifier, code, created) values ($1, $2, $3, $4)`
- _, err := db.Exec(query)
+ _, err := db.Exec(query, verify.Type, verify.Identifier, verify.Code, time.Now().Format(time.RFC3339))
 CheckError(err, "error creating verify")
 }
@@ -129,9 +128,9 @@ func CreateVerification(db *sql.DB, verify Verify) {
 func GetVerificationByEmail(db *sql.DB, email string) Verify {
 var verify Verify
- query := fmt.Sprintf("select type, identifier, code, board from boardaccess where identifier='%s';", email)
+ query := `select type, identifier, code, board from boardaccess where identifier=$1`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, email)
 defer rows.Close()
@@ -151,9 +150,9 @@ func GetVerificationByEmail(db *sql.DB, email string) Verify {
 func GetVerificationByCode(db *sql.DB, code string) Verify {
 var verify Verify
- query := fmt.Sprintf("select type, identifier, code, board from boardaccess where code='%s';", code)
+ query := `select type, identifier, code, board from boardaccess where code=$1`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, code)
 defer rows.Close()
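Review bot: In GetVerificationByEmail the new `rows, err := db.Query(query, email)` is followed directly by the unchanged `defer rows.Close()` with no error check; when Query fails it returns a nil *sql.Rows, the deferred Close on it panics at function exit, and err is never inspected. Insert `if err != nil { return verify }` between the two lines (the file's other functions return the zero value on failure), and do the same in the GetVerificationByCode hunk below, in VerifyCooldownCurrent and in HasBoardAccess, which share the shape. GetVerificationByCode is the lookup behind `activity.Auth` in ParseOutboxRequest, so its argument is whatever the remote activity supplied — binding it as `$1` is the part of this commit that matters most there, and the failure path should be just as deliberate. Both functions' bodies continue outside the hunk.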
@@ -173,18 +172,18 @@ func GetVerificationByCode(db *sql.DB, code string) Verify {
 func VerifyCooldownCurrent(db *sql.DB, auth string) VerifyCooldown {
 var current VerifyCooldown
-
- query := fmt.Sprintf("select identifier, code, time from verificationcooldown where code='%s'", auth)
- rows, err := db.Query(query)
+ query := `select identifier, code, time from verificationcooldown where code=$1`
+
+ rows, err := db.Query(query, auth)
 defer rows.Close()
 if err != nil {
- query := fmt.Sprintf("select identifier, code, time from verificationcooldown where identifier='%s'", auth)
+ query := `select identifier, code, time from verificationcooldown where identifier=$1`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, auth)
 defer rows.Close()
@@ -213,16 +212,16 @@ func VerifyCooldownCurrent(db *sql.DB, auth string) VerifyCooldown {
 }
 func VerifyCooldownAdd(db *sql.DB, verify Verify) {
- query := fmt.Sprintf("insert into verficationcooldown (identifier, code) values ('%s', '%s');", verify.Identifier, verify.Code)
+ query := `insert into verficationcooldown (identifier, code) values ($1, $2)`
- _, err := db.Exec(query)
+ _, err := db.Exec(query, verify.Identifier, verify.Code)
 CheckError(err, "error adding verify to cooldown")
 }
 func VerficationCooldown(db *sql.DB) {
-
- query := fmt.Sprintf("select identifier, code, time from verificationcooldown")
+
+ query := `select identifier, code, time from verificationcooldown`
 rows, err := db.Query(query)
@@ -240,9 +239,9 @@ func VerficationCooldown(db *sql.DB) {
 nTime := verify.Time - 1;
- query = fmt.Sprintf("update set time='%s' where identifier='%s'", nTime, verify.Identifier)
+ query = `update set time=$1 where identifier=$2`
- _, err := db.Exec(query)
+ _, err := db.Exec(query, nTime, verify.Identifier)
 CheckError(err, "error with update cooldown query")
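Review bot: The new insert in VerifyCooldownAdd targets `verficationcooldown`, while every other statement in this file — the two selects in VerifyCooldownCurrent, the select in VerficationCooldown in the same hunk, and the delete in VerficationCooldownRemove — reads `verificationcooldown`. The typo was carried over from the removed Sprintf, so unless a table of that name exists, cooldown entries are never written and the only trace is the CheckError log. Change `verficationcooldown` to `verificationcooldown` in the rewritten query.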
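Review bot: The rewritten statement `update set time=$1 where identifier=$2` in VerficationCooldown names no table, so it is not valid SQL and every call through this loop fails; the defect predates the commit, but the line is being rewritten here and this is the moment to fix it. Presumably the target is the table selected at the top of the same function, i.e. `update verificationcooldown set time=$1 where identifier=$2`. The surrounding loop starts outside the hunk.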
@@ -251,7 +250,7 @@ func VerficationCooldown(db *sql.DB) {
 }
 func VerficationCooldownRemove(db *sql.DB) {
- query := fmt.Sprintf("delete from verificationcooldown where time < 1;")
+ query := `delete from verificationcooldown where time < 1`
 _, err := db.Exec(query)
@@ -398,20 +397,18 @@ func CreateNewCaptcha(db *sql.DB){
 func CreateBoardAccess(db *sql.DB, verify Verify) {
 if(!HasBoardAccess(db, verify)){
- query := fmt.Sprintf("insert into boardaccess (identifier, board) values('%s', '%s')",
- verify.Identifier, verify.Board)
-
- _, err := db.Exec(query)
+ query := `insert into boardaccess (identifier, board) values($1, $2)`
+
+ _, err := db.Exec(query, verify.Identifier, verify.Board)
 CheckError(err, "could not instert verification and board into board access")
 }
 }
 func HasBoardAccess(db *sql.DB, verify Verify) bool {
- query := fmt.Sprintf("select count(*) from boardaccess where identifier='%s' and board='%s'",
- verify.Identifier, verify.Board)
+ query := `select count(*) from boardaccess where identifier=$1 and board=$2`
- rows, err := db.Query(query)
+ rows, err := db.Query(query, verify.Identifier, verify.Board)
 defer rows.Close()
-- cgit v1.2.3