From 6dbbbac3442b97ca27110c592acc89eb7d1d3883 Mon Sep 17 00:00:00 2001
From: UlricQin <ulric.qin@gmail.com>
Date: Thu, 31 Dec 2020 13:01:43 +0800
Subject: [PATCH] bugfix: insert task_meta sql inject

---
 src/models/task_meta.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/models/task_meta.go b/src/models/task_meta.go
index c41d5526..ca28df45 100644
--- a/src/models/task_meta.go
+++ b/src/models/task_meta.go
@@ -151,8 +151,8 @@ func (m *TaskMeta) Save(hosts []string, action string) error {
 	}
 
 	for _, host := range hosts {
-		sql := fmt.Sprintf("INSERT INTO %s(id, host, status) VALUES(%d, '%s', 'waiting')", tht(id), id, host)
-		if _, err := session.Exec(sql); err != nil {
+		sql := fmt.Sprintf("INSERT INTO %s(id, host, status) VALUES(%d, ?, 'waiting')", tht(id), id)
+		if _, err := session.Exec(sql, host); err != nil {
 			session.Rollback()
 			return err
 		}
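Review bot: The statement on the new `sql := fmt.Sprintf(...)` line is still partly string-built: only `host` is bound, while `id` goes in through `%d` and the table name through `tht(id)`. Neither looks injectable as long as `id` is an integer and `tht` derives the name from it alone, but `tht` is not visible in this hunk, so that is worth confirming and recording in a comment such as `// table name comes from the numeric id only; identifiers cannot be bound as parameters`. Binding `id` as well leaves the table name as the only formatted part: `sql := fmt.Sprintf("INSERT INTO %s(id, host, status) VALUES(?, ?, 'waiting')", tht(id))` followed by `session.Exec(sql, id, host)`. The error returned by `session.Rollback()` is still discarded, so a failed rollback goes unnoticed. `Save` begins and ends outside the hunk, so any other statements in it that format host values into SQL should get the same treatment.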