nsnotfound / blog.swift
[WIP] A tiny server-side Swift blog app.
License: MIT License
In the current Makefile, `make build` uses `swift build --configuration release`; however, this fails to build module Mustache (other modules are fine).
Logs:

```
Compiling Swift Module 'Mustache' (29 sources)
/home/honghao/Developer/Swift/blog.swift/Packages/Mustache-0.1.0/Sources/Mustache/Parsing/TemplateParser.swift:75:21: warning: '++' is deprecated: it will be removed in Swift 3
++lineNumber
^~
+= 1
/home/honghao/Developer/Swift/blog.swift/Packages/Mustache-0.1.0/Sources/Mustache/Parsing/TemplateParser.swift:90:21: warning: '++' is deprecated: it will be removed in Swift 3
++lineNumber
^~
+= 1
/home/honghao/Developer/Swift/blog.swift/Packages/Mustache-0.1.0/Sources/Mustache/Parsing/TemplateParser.swift:139:21: warning: '++' is deprecated: it will be removed in Swift 3
++lineNumber
^~
+= 1
/home/honghao/Developer/Swift/blog.swift/Packages/Mustache-0.1.0/Sources/Mustache/Parsing/TemplateParser.swift:261:21: warning: '++' is deprecated: it will be removed in Swift 3
++lineNumber
^~
+= 1
/home/honghao/Developer/Swift/blog.swift/Packages/Mustache-0.1.0/Sources/Mustache/Parsing/TemplateParser.swift:279:21: warning: '++' is deprecated: it will be removed in Swift 3
++lineNumber
^~
+= 1
<unknown>:0: error: unable to execute command: Killed
<unknown>:0: error: compile command failed due to signal (use -v to see invocation)
<unknown>:0: error: unable to execute command: Killed
<unknown>:0: error: compile command failed due to signal (use -v to see invocation)
<unknown>:0: error: build had 1 command failures
error: exit(1): ["/home/honghao/swift/swift-2.2-SNAPSHOT-2015-12-31-a-ubuntu14.04/usr/bin/swift-build-tool", "-f", "/home/honghao/Developer/Swift/blog.swift/.build/release/Mustache.o/llbuild.yaml"]
```
Using `swift build` works.

This is related to PR #5.
There are multiple instances where a PostgreSQL query is formed directly by expanding variables within a string constant, such as the following:
https://github.com/NSNotFound/blog.swift/blob/master/Sources/PostController.swift#L20
https://github.com/NSNotFound/blog.swift/blob/master/Sources/PostController.swift#L50
https://github.com/NSNotFound/blog.swift/blob/master/Sources/PostController.swift#L63
https://github.com/NSNotFound/blog.swift/blob/master/Sources/PostController.swift#L65
An attacker could decide to delete a post with the id `1337' or '1' = '1`. This will expand the executed SQL statement to look like `DELETE FROM ... WHERE id='1337' or '1' = '1'`, which will delete all posts since the WHERE predicate is always true.
The above scenario is just one possible thing an attacker could do. SQL Injection like this can allow the attacker to execute arbitrary SQL code, meaning they now have complete control over your database.
The proper way of referencing variables from within SQL queries is to use parameterized SQL queries. I see that you are using the Zewo PostgreSQL library. They recently added support for parameterized queries after this issue I created: ZewoGraveyard/SQL#1. An example of using parameterized queries with PostgreSQL is here: https://github.com/Zewo/PostgreSQL/blob/master/Examples/main.swift#L25
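The following is an added example, not code from blog.swift or from the Zewo PostgreSQL library. It reproduces the pattern described in this issue against an in-memory SQLite database (standing in for PostgreSQL, so it runs offline) and contrasts it with a bound-parameter version; the `posts` table, its columns and the function names are assumptions made for the demonstration.

```python
"""Added example (not blog.swift's code): why interpolating an id into a DELETE
statement is exploitable, and how a parameterized query closes the hole.
SQLite stands in for PostgreSQL; the table layout is constructed here."""
import sqlite3

# The payload quoted in the issue report.
MALICIOUS_ID = "1337' or '1' = '1"


def seed() -> sqlite3.Connection:
    """Create a constructed in-memory posts table with three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id TEXT PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO posts VALUES (?, ?)",
        [("1", "first"), ("2", "second"), ("3", "third")],
    )
    conn.commit()
    return conn


def count_posts(conn: sqlite3.Connection) -> int:
    """Number of rows still in the table."""
    return conn.execute("SELECT COUNT(*) FROM posts").fetchone()[0]


def rendered_statement(post_id: str) -> str:
    """The text the interpolated version actually sends to the database."""
    return f"DELETE FROM posts WHERE id='{post_id}'"


def delete_post_interpolated(conn: sqlite3.Connection, post_id: str) -> int:
    """Vulnerable: mirrors the flagged pattern, where the id is expanded
    straight into the SQL string. Returns the number of rows left."""
    conn.execute(rendered_statement(post_id))
    conn.commit()
    return count_posts(conn)


def delete_post_parameterized(conn: sqlite3.Connection, post_id: str) -> int:
    """Fixed: the id travels as a bound parameter, so the driver treats it as
    a value and it can never change the statement's structure. Returns the
    number of rows left."""
    conn.execute("DELETE FROM posts WHERE id = ?", (post_id,))
    conn.commit()
    return count_posts(conn)


if __name__ == "__main__":
    print(rendered_statement(MALICIOUS_ID))
    # Interpolation: the predicate is always true, every row goes.
    print("interpolated, rows left:", delete_post_interpolated(seed(), MALICIOUS_ID))
    # Parameterized: no post has that literal id, nothing is deleted.
    print("parameterized, rows left:", delete_post_parameterized(seed(), MALICIOUS_ID))
    # Parameterized with a real id still deletes exactly one row.
    print("parameterized, legit delete, rows left:", delete_post_parameterized(seed(), "2"))
```

The placeholder syntax differs per driver (`?` for SQLite, `$1` or the driver's own marker for PostgreSQL), but the property is the same: the value is shipped separately from the statement text, so quoting tricks in the value have nothing to break out of.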