In searchINPredicate function of oils_cstore.c: tighten
authorscottmk <scottmk@dcc99617-32d9-48b4-a31d-7c20da2025e4>
Thu, 19 Mar 2009 13:55:48 +0000 (13:55 +0000)
committerscottmk <scottmk@dcc99617-32d9-48b4-a31d-7c20da2025e4>
Thu, 19 Mar 2009 13:55:48 +0000 (13:55 +0000)
input validation.

1. Require that the operand of IN or NOT IN be either a
JSON_ARRAY or a JSON_OBJECT.

2. Require that an item in an IN list be either a
JSON_STRING or a JSON_NUMBER.

git-svn-id: svn://svn.open-ils.org/ILS/trunk@12606 dcc99617-32d9-48b4-a31d-7c20da2025e4

Open-ILS/src/c-apps/oils_cstore.c

index 6582b07..162f1c1 100644 (file)
@@ -1696,6 +1696,14 @@ static char* searchINPredicate (const char* class, osrfHash* field,
                        else
                                buffer_add(sql_buf, ", ");
 
+                       // Sanity check
+                       if ( in_item->type != JSON_STRING && in_item->type != JSON_NUMBER ) {
+                               osrfLogError(OSRF_LOG_MARK, "%s: Expected string or number within IN list; found %s",
+                                               MODULENAME, json_type( in_item->type ) );
+                                                                       buffer_free(sql_buf);
+                               return NULL;
+                       }
+                       
                        // Append the literal value -- quoted if not a number
                        if ( JSON_NUMBER == in_item->type ) {
                                char* val = jsonNumberToDBString( field, in_item );
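Review bot: The `buffer_free(sql_buf);` line inside the new type check is indented far past the rest of the block, which makes the error path look like a separate statement at first read; it should sit at the same level as the `osrfLogError` call and the `return NULL;`. The comment `// Sanity check` also says nothing about what is being rejected; `// Only string and number literals are accepted as IN-list items; anything else is a caller error` would let a reader see the contract without parsing the condition. The check runs after the separator has already been appended on the previous line, which is harmless only because the buffer is freed on the error path, so the ordering is worth a word if it is kept. The enclosing loop and function continue outside this hunk.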
@@ -1726,6 +1734,11 @@ static char* searchINPredicate (const char* class, osrfHash* field,
                        buffer_free( sql_buf );
                        return NULL;
                }
+       } else {
+               osrfLogError(OSRF_LOG_MARK, "%s: Expected object or array for IN clause; found %s",
+                       MODULENAME, json_type( node->type ) );
+               buffer_free(sql_buf);
+               return NULL;
        }
 
        OSRF_BUFFER_ADD_CHAR( sql_buf, ')' );
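Review bot: The new `else` branch repeats the same log-free-return sequence that already appears at least twice in this function (the block just above it and the IN-list check in the earlier hunk), so the error handling is now three copies of `buffer_free(sql_buf); return NULL;`; a single cleanup label reached with `goto` would keep the three paths from drifting apart. Since `sql_buf` has evidently been allocated and partly filled by the time the operand type is inspected, the type check appears to be doing work before validating its input; if nothing earlier depends on the buffer, moving the `node->type` check to the top of the function would avoid building SQL text for a request that is going to be rejected, but the function's start is outside this hunk so that cannot be confirmed here. Logging only `json_type( node->type )` rather than the operand's contents is the right choice for an error that is triggered by caller-supplied JSON.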