Sql injection fixes

src/modules/api/submodules/chat.ts

@@ -131,7 +131,7 @@ function setup(data: SubmoduleData): void {
         const msgObj = {
           sender: userid,
           reciever: parseInt(reciever),
-          msg: msg.replace(/'/g, '').replace(/;/g, ''),
+          msg: dbtools.sanitizeQuery(msg),
           type: type || 'text',
           date: new Date().getTime(),
           unread: 1,

src/utils/dbtools.ts

@@ -13,6 +13,7 @@ export default {
   Insert: Insert,
   CloseDB: CloseDB,
   runStatement: runStatement,
+  sanitizeQuery: sanitizeQuery,
 }
 
 import Sqlite from 'better-sqlite3'
@@ -21,14 +22,21 @@ import utils from '../utils/utils'
 
 const debugLog = process.env.NS_SQL_DEBUG_LOG
 
+function sanitizeQuery(val: string): string {
+  return val.replace(/'/g, '').replace(/;/g, '')
+}
+
 // { asd: 'asd', basd: 4 } => asd = 'asd', basd = 4
 function GetSqlQuerry(conditions: any, type: string, joiner?: string) {
   const res = Object.keys(conditions).reduce((acc, key) => {
     const item = conditions[key]
+    const conditionKey = sanitizeQuery(key)
+    const condition = sanitizeQuery(conditions[key])
+
     if (typeof item === 'string') {
-      acc.push(`${key} = '${conditions[key]}'`)
+      acc.push(`${conditionKey} = '${condition}'`)
     } else {
-      acc.push(`${key} = ${conditions[key]}`)
+      acc.push(`${conditionKey} = ${condition}`)
     }
     return acc
   }, [])

submodules/qmining-page

@@ -1 +1 @@
-Subproject commit 2b491e6bec6eee78400e3e042418def12df3243f
+Subproject commit dd7001023eaf9169863268325c2219ed0822895b