satellitedb: bucket search fixed (#3594)

2019-12-09 14:46:30 +02:00 · 2019-12-09 14:46:30 +02:00 · fa5288c254
commit fa5288c254
parent ea92c68600
2 changed files with 30 additions and 3 deletions
--- a/satellite/accounting/projectusage_test.go
+++ b/satellite/accounting/projectusage_test.go
@ -436,5 +436,32 @@ func TestUsageRollups(t *testing.T) {
 			assert.NoError(t, err)
 			assert.NotNil(t, totals2)
 		})
+
+		t.Run("Get paged", func(t *testing.T) {
+			// sql injection test. F.E '%SomeText%' = > ''%SomeText%' OR 'x' != '%'' will be true
+			bucketsPage, err := usageRollups.GetBucketTotals(ctx, project1, accounting.BucketUsageCursor{Limit: 5, Search: "buck%' OR 'x' != '", Page: 1}, start, now)
+			assert.NoError(t, err)
+			assert.NotNil(t, bucketsPage)
+			assert.Equal(t, uint64(0), bucketsPage.TotalCount)
+			assert.Equal(t, uint(0), bucketsPage.CurrentPage)
+			assert.Equal(t, uint(0), bucketsPage.PageCount)
+			assert.Equal(t, 0, len(bucketsPage.BucketUsages))
+
+			bucketsPage, err = usageRollups.GetBucketTotals(ctx, project1, accounting.BucketUsageCursor{Limit: 3, Search: "", Page: 1}, start, now)
+			assert.NoError(t, err)
+			assert.NotNil(t, bucketsPage)
+			assert.Equal(t, uint64(5), bucketsPage.TotalCount)
+			assert.Equal(t, uint(1), bucketsPage.CurrentPage)
+			assert.Equal(t, uint(2), bucketsPage.PageCount)
+			assert.Equal(t, 3, len(bucketsPage.BucketUsages))
+
+			bucketsPage, err = usageRollups.GetBucketTotals(ctx, project1, accounting.BucketUsageCursor{Limit: 5, Search: "buck", Page: 1}, start, now)
+			assert.NoError(t, err)
+			assert.NotNil(t, bucketsPage)
+			assert.Equal(t, uint64(5), bucketsPage.TotalCount)
+			assert.Equal(t, uint(1), bucketsPage.CurrentPage)
+			assert.Equal(t, uint(1), bucketsPage.PageCount)
+			assert.Equal(t, 5, len(bucketsPage.BucketUsages))
+		})
 	})
 }
--- a/satellite/satellitedb/projectaccounting.go
+++ b/satellite/satellitedb/projectaccounting.go
@ -438,7 +438,7 @@ func (db *ProjectAccounting) GetBucketTotals(ctx context.Context, projectID uuid
 	countQuery := db.db.Rebind(`SELECT COUNT(DISTINCT bucket_name)
 		FROM bucket_bandwidth_rollups
 		WHERE project_id = ? AND interval_start >= ? AND interval_start <= ?
-		AND CAST(bucket_name as TEXT) LIKE ?`)
+		AND bucket_name LIKE ?`)

 	countRow := db.db.QueryRowContext(ctx,
 		countQuery,
@ -460,7 +460,7 @@ func (db *ProjectAccounting) GetBucketTotals(ctx context.Context, projectID uuid
 	bucketsQuery := db.db.Rebind(`SELECT DISTINCT bucket_name
 		FROM bucket_bandwidth_rollups
 		WHERE project_id = ? AND interval_start >= ? AND interval_start <= ?
-		AND CAST(bucket_name as TEXT) LIKE ?
+		AND bucket_name LIKE ?
 		ORDER BY bucket_name ASC
 		LIMIT ? OFFSET ?`)

@ -468,7 +468,7 @@ func (db *ProjectAccounting) GetBucketTotals(ctx context.Context, projectID uuid
 		bucketsQuery,
 		projectID[:],
 		since, before,
-		search,
+		[]byte(search),
 		page.Limit,
 		page.Offset)