From 88e8ea8a6ab5bf0a49b76a6ea43a304e4c122b33 Mon Sep 17 00:00:00 2001
From: deepakrai9185720 <deepakrai9185720@gmail.com>
Date: Fri, 4 Nov 2022 11:52:03 +0530
Subject: [PATCH 1/5] Changed query to accept user input in prepared sql
 statement

---
 warehouse/warehouse.go | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/warehouse/warehouse.go b/warehouse/warehouse.go
index 79cba136e1..7a08ce7511 100644
--- a/warehouse/warehouse.go
+++ b/warehouse/warehouse.go
@@ -1807,16 +1807,19 @@ func getPendingStagingFileCount(sourceOrDestId string, isSourceId bool) (fileCou
 		FROM
 		  %[1]s
 		WHERE
-		  %[1]s.%[3]s = '%[2]s';
+		  %[1]s.%[2]s = $1;
 `,
 		warehouseutils.WarehouseUploadsTable,
-		sourceOrDestId,
 		sourceOrDestColumn,
 	)
-
-	err = dbHandle.QueryRow(sqlStatement).Scan(&lastStagingFileIDRes)
+	preparedSqlStatement, err := dbHandle.Prepare(sqlStatement)
+	if err != nil {
+		err = fmt.Errorf("query: %s preparation failed with Error: %w", strings.ReplaceAll(sqlStatement, "$1", sourceOrDestId), err)
+		return
+	}
+	err = preparedSqlStatement.QueryRow(sourceOrDestId).Scan(&lastStagingFileIDRes)
 	if err != nil && err != sql.ErrNoRows {
-		err = fmt.Errorf("query: %s failed with Error : %w", sqlStatement, err)
+		err = fmt.Errorf("query: %s run failed with Error : %w", sqlStatement, err)
 		return
 	}
 	lastStagingFileID := int64(0)
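Review bot: The *sql.Stmt returned on the `preparedSqlStatement, err := dbHandle.Prepare(sqlStatement)` line is never closed, so every call leaks a server-side prepared statement on the pooled connection until the finalizer runs; for a single execution the prepare round trip buys nothing, and `err = dbHandle.QueryRow(sqlStatement, sourceOrDestId).Scan(&lastStagingFileIDRes)` binds `$1` just as safely. The preparation-error message rebuilds the SQL with `strings.ReplaceAll(sqlStatement, "$1", sourceOrDestId)`, which splices the untrusted value back into text that reaches logs and misdescribes what the driver actually sent; report it as a separate field instead, e.g. `err = fmt.Errorf("query: %s with id %q preparation failed: %w", sqlStatement, sourceOrDestId, err)`. `sourceOrDestColumn` is still formatted into the statement with `%s`, which is only acceptable if it is chosen from a fixed set of column names — that assignment, like the start of getPendingStagingFileCount, is outside this hunk.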
@@ -1831,17 +1834,20 @@ func getPendingStagingFileCount(sourceOrDestId string, isSourceId bool) (fileCou
 		  %[1]s
 		WHERE
 		  %[1]s.id > %[2]v
-		  AND %[1]s.%[4]s = '%[3]s';
+		  AND %[1]s.%[3]s = $1;
 `,
 		warehouseutils.WarehouseStagingFilesTable,
 		lastStagingFileID,
-		sourceOrDestId,
 		sourceOrDestColumn,
 	)
-
-	err = dbHandle.QueryRow(sqlStatement).Scan(&fileCount)
+	preparedSqlStatement, err = dbHandle.Prepare(sqlStatement)
+	if err != nil {
+		err = fmt.Errorf("query: %s preparation failed with Error: %w", strings.ReplaceAll(sqlStatement, "$1", sourceOrDestId), err)
+		return
+	}
+	err = preparedSqlStatement.QueryRow(sourceOrDestId).Scan(&fileCount)
 	if err != nil && err != sql.ErrNoRows {
-		err = fmt.Errorf("query: %s failed with Error : %w", sqlStatement, err)
+		err = fmt.Errorf("query: %s run failed with Error : %w", sqlStatement, err)
 		return
 	}
 
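Review bot: As in the previous hunk, the statement prepared at `preparedSqlStatement, err = dbHandle.Prepare(sqlStatement)` is never closed, so this second query also leaks a prepared statement per call; `err = dbHandle.QueryRow(sqlStatement, sourceOrDestId).Scan(&fileCount)` removes both the leak and the extra round trip. `lastStagingFileID` is still interpolated through `%[2]v`; it is an int64 produced by the first query, so it is not injectable, but binding it as `$2` alongside `$1` would keep the whole predicate parameterized and give the server one statement text to plan instead of one per watermark value. The remainder of getPendingStagingFileCount lies past the end of this hunk.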

From 4aa8c2dc14855778f1790aa9e758d5a6861f37dc Mon Sep 17 00:00:00 2001
From: deepakrai9185720 <deepakrai9185720@gmail.com>
Date: Fri, 4 Nov 2022 15:07:42 +0530
Subject: [PATCH 2/5] Changed query to accept user input in parameterized query

---
 warehouse/warehouse.go | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)

diff --git a/warehouse/warehouse.go b/warehouse/warehouse.go
index 7a08ce7511..de5aba2c68 100644
--- a/warehouse/warehouse.go
+++ b/warehouse/warehouse.go
@@ -1812,12 +1812,7 @@ func getPendingStagingFileCount(sourceOrDestId string, isSourceId bool) (fileCou
 		warehouseutils.WarehouseUploadsTable,
 		sourceOrDestColumn,
 	)
-	preparedSqlStatement, err := dbHandle.Prepare(sqlStatement)
-	if err != nil {
-		err = fmt.Errorf("query: %s preparation failed with Error: %w", strings.ReplaceAll(sqlStatement, "$1", sourceOrDestId), err)
-		return
-	}
-	err = preparedSqlStatement.QueryRow(sourceOrDestId).Scan(&lastStagingFileIDRes)
+	err = dbHandle.QueryRow(sqlStatement, sourceOrDestId).Scan(&lastStagingFileIDRes)
 	if err != nil && err != sql.ErrNoRows {
 		err = fmt.Errorf("query: %s run failed with Error : %w", sqlStatement, err)
 		return
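Review bot: With the id now passed as a bind argument, the failure message on the `err = fmt.Errorf("query: %s run failed with Error : %w", sqlStatement, err)` line prints only the template with its `$1` placeholder, so the identifier that triggered the failure can no longer be recovered from the error. Attach it explicitly, e.g. `err = fmt.Errorf("query: %s (id %q) run failed: %w", sqlStatement, sourceOrDestId, err)`; `%q` also keeps an empty or whitespace-only id visible. The switch to `dbHandle.QueryRow(sqlStatement, sourceOrDestId)` is otherwise the right shape for a single parameterized execution.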
@@ -1840,12 +1835,7 @@ func getPendingStagingFileCount(sourceOrDestId string, isSourceId bool) (fileCou
 		lastStagingFileID,
 		sourceOrDestColumn,
 	)
-	preparedSqlStatement, err = dbHandle.Prepare(sqlStatement)
-	if err != nil {
-		err = fmt.Errorf("query: %s preparation failed with Error: %w", strings.ReplaceAll(sqlStatement, "$1", sourceOrDestId), err)
-		return
-	}
-	err = preparedSqlStatement.QueryRow(sourceOrDestId).Scan(&fileCount)
+	err = dbHandle.QueryRow(sourceOrDestId, sourceOrDestId).Scan(&fileCount)
 	if err != nil && err != sql.ErrNoRows {
 		err = fmt.Errorf("query: %s run failed with Error : %w", sqlStatement, err)
 		return
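Review bot: `err = dbHandle.QueryRow(sourceOrDestId, sourceOrDestId).Scan(&fileCount)` passes the caller-supplied identifier as the SQL text, so the `sqlStatement` built just above is never executed and whatever string arrives in `sourceOrDestId` is sent to the database as a query — a direct injection vector in this intermediate commit, worse than the string formatting the series is removing. The first argument must be the statement: `err = dbHandle.QueryRow(sqlStatement, sourceOrDestId).Scan(&fileCount)`. Patch 5/5 of this series makes exactly that correction, so the history is sound once squashed, but this commit should not land on its own.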

From 058eab4a61f85b28c7f203ede54a1371bda8f3e5 Mon Sep 17 00:00:00 2001
From: deepakrai9185720 <deepakrai9185720@gmail.com>
Date: Fri, 4 Nov 2022 15:32:58 +0530
Subject: [PATCH 3/5] Changed query to accept user input in parameterized query

---
 warehouse/warehouse.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/warehouse/warehouse.go b/warehouse/warehouse.go
index de5aba2c68..dabe8f84a1 100644
--- a/warehouse/warehouse.go
+++ b/warehouse/warehouse.go
@@ -1807,7 +1807,7 @@ func getPendingStagingFileCount(sourceOrDestId string, isSourceId bool) (fileCou
 		FROM
 		  %[1]s
 		WHERE
-		  %[1]s.%[2]s = $1;
+		  %[2]s = $1;
 `,
 		warehouseutils.WarehouseUploadsTable,
 		sourceOrDestColumn,
@@ -1828,8 +1828,8 @@ func getPendingStagingFileCount(sourceOrDestId string, isSourceId bool) (fileCou
 		FROM
 		  %[1]s
 		WHERE
-		  %[1]s.id > %[2]v
-		  AND %[1]s.%[3]s = $1;
+		  id > %[2]v
+		  AND %[3]s = $1;
 `,
 		warehouseutils.WarehouseStagingFilesTable,
 		lastStagingFileID,
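Review bot: `id > %[2]v` still interpolates `lastStagingFileID` into the statement text while the neighbouring `AND %[3]s = $1` is bound; it is an int64 from the previous query, so no injection is possible, but binding it too would make the parameterization uniform and give the server a single statement to cache rather than one per watermark. That means replacing `%[2]v` with `$2`, dropping `lastStagingFileID` from the Sprintf arguments (so the column verb becomes `%[2]s`), and passing it as the second argument of the QueryRow call, which sits outside this hunk. Removing the table qualifier is behaviour-neutral here since the query reads a single table.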

From 9ac505d12d22f7d22e3fe3ef7b7055b46bd15af7 Mon Sep 17 00:00:00 2001
From: deepakrai9185720 <deepakrai9185720@gmail.com>
Date: Fri, 4 Nov 2022 15:54:48 +0530
Subject: [PATCH 4/5] Changed query to accept user input in parameterized query

---
 warehouse/warehouse.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/warehouse/warehouse.go b/warehouse/warehouse.go
index dabe8f84a1..d0e7271547 100644
--- a/warehouse/warehouse.go
+++ b/warehouse/warehouse.go
@@ -1794,6 +1794,7 @@ func pendingEventsHandler(w http.ResponseWriter, r *http.Request) {
 }
 
 func getPendingStagingFileCount(sourceOrDestId string, isSourceId bool) (fileCount int64, err error) {
+	sourceOrDestId = pq.QuoteIdentifier(sourceOrDestId)
 	sourceOrDestColumn := ""
 	if isSourceId {
 		sourceOrDestColumn = "source_id"
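Review bot: `sourceOrDestId = pq.QuoteIdentifier(sourceOrDestId)` applies identifier quoting to a value: it wraps the id in double quotes (doubling any embedded quote), which is the escaping for column and table names, not for comparison values. The id is now transported as the `$1` bind parameter (`dbHandle.QueryRow(sqlStatement, sourceOrDestId)` in 2/5), so the driver already handles it safely, and the quoted form `"<id>"` will be compared literally against the stored `source_id` (or the destination column chosen in the else branch) and never match — both queries will quietly hit the no-rows path and the function returns a count of zero for every valid id. Remove this line; if input validation is wanted on top of parameterization, check the id against the expected identifier format and return an error rather than transforming it. The `pq` import is presumably already present, and the body of getPendingStagingFileCount continues past this hunk.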

From 8bc8242ad90556404e42c31d7b45b37e24665cda Mon Sep 17 00:00:00 2001
From: deepakrai9185720 <deepakrai9185720@gmail.com>
Date: Fri, 4 Nov 2022 17:40:27 +0530
Subject: [PATCH 5/5] Changed query to accept user input in parameterized query

---
 warehouse/warehouse.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/warehouse/warehouse.go b/warehouse/warehouse.go
index d0e7271547..3395403e81 100644
--- a/warehouse/warehouse.go
+++ b/warehouse/warehouse.go
@@ -1836,7 +1836,7 @@ func getPendingStagingFileCount(sourceOrDestId string, isSourceId bool) (fileCou
 		lastStagingFileID,
 		sourceOrDestColumn,
 	)
-	err = dbHandle.QueryRow(sourceOrDestId, sourceOrDestId).Scan(&fileCount)
+	err = dbHandle.QueryRow(sqlStatement, sourceOrDestId).Scan(&fileCount)
 	if err != nil && err != sql.ErrNoRows {
 		err = fmt.Errorf("query: %s run failed with Error : %w", sqlStatement, err)
 		return