From 903a1654b6607350653df5ad9ce8b59912cf41c9 Mon Sep 17 00:00:00 2001
From: UlricQin
Date: Tue, 12 Jan 2021 18:38:12 +0800
Subject: [PATCH] fix sql inject
---
 src/models/node.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/models/node.go b/src/models/node.go
index df9144a5..976230fb 100644
--- a/src/models/node.go
+++ b/src/models/node.go
@@ -411,14 +411,19 @@ func (n *Node) RoleList(username string, limit, offset int) ([]NodeRole, error)
 sql = fmt.Sprintf(sql, n.Id, n.Path+".%")
+ var args []interface{}
+
 if username != "" {
- sql += fmt.Sprintf(" and node_role.username = '%s'", username)
+ sql += fmt.Sprintf(" and node_role.username = ?")
+ args = append(args, username)
 }
 sql += " order by node.path limit ? offset ?"
+ args = append(args, limit)
+ args = append(args, offset)
 var objs []NodeRole
- err := DB["rdb"].SQL(sql, limit, offset).Find(&objs)
+ err := DB["rdb"].SQL(sql, args...).Find(&objs)
 return objs, err
 }
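Review bot: The first context line of the hunk still builds part of the statement with `fmt.Sprintf(sql, n.Id, n.Path+".%")`, so after this fix the query is only half parameterized; n.Path is presumably a stored node path rather than request input, but binding it the same way as username — `?` placeholders in the template and `args = append(args, n.Id, n.Path+".%")` before the username check — would make the whole statement bound and also keep any `%`/`_` in the path from being read as LIKE metacharacters by accident. The template itself is defined above the hunk, so that change starts outside it. On the new side, `sql += fmt.Sprintf(" and node_role.username = ?")` has no verbs and no arguments and reads as a leftover of the old line; plain `sql += " and node_role.username = ?"` says the same thing (staticcheck flags this as S1039). The two consecutive appends can be one call, `args = append(args, limit, offset)`. RoleList's body begins outside the hunk.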