fix(MySQL Node): Fix potential sql injection (#13818)

Jon
2025-03-13 08:19:14 +00:00
committed by GitHub
parent b5632545c5
commit dd4f51cff5
2 changed files with 106 additions and 11 deletions


@@ -30,20 +30,21 @@ export async function createConnection(
export async function searchTables(
this: ILoadOptionsFunctions,
query?: string,
tableName?: string,
): Promise<INodeListSearchResult> {
const credentials = await this.getCredentials('mySql');
const connection = await createConnection(credentials);
const sql = `
SELECT table_name FROM information_schema.tables
WHERE table_schema = '${credentials.database}'
and table_name like '%${query || ''}%'
ORDER BY table_name
`;
const [rows] = await connection.query(sql);
const results = (rows as IDataObject[]).map((r) => ({
name: r.TABLE_NAME as string,
value: r.TABLE_NAME as string,
const sql = `SELECT table_name
FROM information_schema.tables
WHERE table_schema = ?
AND table_name LIKE ?
ORDER BY table_name`;
const values = [credentials.database, `%${tableName ?? ''}%`];
const [rows] = await connection.query(sql, values);
const results = (rows as IDataObject[]).map((table) => ({
name: (table.table_name as string) || (table.TABLE_NAME as string),
value: (table.table_name as string) || (table.TABLE_NAME as string),
}));
await connection.end();
return { results };
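Review bot: The connection opened by `createConnection(credentials)` is closed only on the success path: if `connection.query(sql, values)` rejects, `await connection.end()` is never reached and the connection is left open. Wrapping the query and the row mapping in `try { … } finally { await connection.end(); }` closes it on both paths. Separately, binding the `LIKE` value removes the injection, but `%` and `_` inside `tableName` still act as pattern wildcards; if a literal match is intended they should be escaped before binding, and a short comment above `const values` saying which behaviour is wanted would help. `searchTables` continues past the end of this hunk, so its closing lines are not visible here.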