Fix code scanning alert no. 11: Database query built from user-contro…

…lled sources Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
sipcapture · Jan 7, 2025 · 0a2de34 · 0a2de34
1 parent 7117a3b
commit 0a2de34
Showing 1 changed file with 7 additions and 4 deletions.
diff --git a/data/service/userSettings.go b/data/service/userSettings.go
@@ -208,19 +208,22 @@ func (ss *UserSettingsService) Delete(userObject *model.TableUserSettings, UserN
 // it doesn't check internally whether all the validation are applied or not
 func (ss *UserSettingsService) Update(userObject *model.TableUserSettings, UserName string, isAdmin bool) error {
 
-	var sqlWhere = make(map[string]interface{})
+	var sqlWhere string
+	var args []interface{}
 
 	if !isAdmin {
-		sqlWhere = map[string]interface{}{"guid": userObject.GUID, "username": UserName}
+		sqlWhere = "guid = ? AND username = ?"
+		args = append(args, userObject.GUID, UserName)
 	} else {
-		sqlWhere = map[string]interface{}{"guid": userObject.GUID}
+		sqlWhere = "guid = ?"
+		args = append(args, userObject.GUID)
 	}
 
 	if err := ss.Session.Debug().
 		Table("user_settings").
 		Debug().
 		Model(&model.TableUserSettings{}).
-		Where(sqlWhere).Update(userObject).Error; err != nil {
+		Where(sqlWhere, args...).Update(userObject).Error; err != nil {
 		return err
 	}
 	return nil