From 26816327ee00bf2615944fcc177f8ac3306f93da Mon Sep 17 00:00:00 2001
From: Gaurav Mishra
Date: Mon, 20 May 2024 16:03:50 +0530
Subject: [PATCH] fix(search): check column name before searching
Signed-off-by: Gaurav Mishra
---
 pkg/api/licenses.go | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/pkg/api/licenses.go b/pkg/api/licenses.go
index 80383b2..0c5e94d 100644
--- a/pkg/api/licenses.go
+++ b/pkg/api/licenses.go
@@ -850,7 +850,19 @@ func SearchInLicense(c *gin.Context) {
 query := db.DB.Model(&license)
 if input.Search == "fuzzy" {
- query = query.Where(fmt.Sprintf("%s ILIKE ?", input.Field), fmt.Sprintf("%%%s%%", input.SearchTerm))
+ if !db.DB.Migrator().HasColumn(&models.LicenseDB{}, input.Field) {
+ er := models.LicenseError{
+ Status: http.StatusBadRequest,
+ Message: fmt.Sprintf("invalid field name '%s'", input.Field),
+ Error: "field does not exist in the database",
+ Path: c.Request.URL.Path,
+ Timestamp: time.Now().Format(time.RFC3339),
+ }
+ c.JSON(http.StatusBadRequest, er)
+ return
+ }
+ query = query.Where(fmt.Sprintf("%s ILIKE ?", input.Field),
+ fmt.Sprintf("%%%s%%", input.SearchTerm))
 } else if input.Search == "" || input.Search == "full_text_search" {
 query = query.Where(input.Field+" @@ plainto_tsquery(?)", input.SearchTerm)
 } else {
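Review bot: The new `HasColumn` guard only covers the `fuzzy` branch, but the unchanged `full_text_search` branch two lines below still splices `input.Field` straight into the query text (`input.Field+" @@ plainto_tsquery(?)"`), so an unvalidated field name still reaches the SQL string on that path; the `else` branch and the rest of `SearchInLicense` are outside the hunk, so I cannot see whether they interpolate it as well. The fix is to hoist the existing check above `if input.Search == "fuzzy" {`, right after `query := db.DB.Model(&license)`, so every branch that builds SQL from `input.Field` is protected by the same column allowlist; that is a move of the eleven added lines rather than new code. It would also be worth a short comment on the guard, e.g. `// input.Field is interpolated into SQL below; only accept names that are real columns of LicenseDB.`, so the next change does not introduce another unguarded branch. Hunk-level counts (`-850,7 +850,19`) suggest a blank context line after the `query :=` line was lost in the paste.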