Replace insecure String.to_atom with String.to_existing_atom (#2)

* Replace insecure String.to_atom with String.to_existing_atom * String to_atom is safe here Co-authored-by: Dung Nguyen <dung.nguyen@onpoint.vn>
bluzky · Oct 28, 2020 · ce37d3c · ce37d3c
1 parent b88eb13
commit ce37d3c
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 14 deletions.
diff --git a/lib/parser.ex b/lib/parser.ex
@@ -46,17 +46,17 @@ defmodule Querie.Parser do
       [field, operator] ->
         case operator do
           "ref" ->
-            {String.to_atom(operator), {String.to_atom(field), split_key_and_operator(value)}}
+            {:ref, {field, split_key_and_operator(value)}}
 
           op when op in @supported_ops ->
-            {String.to_atom(op), {String.to_atom(field), value}}
+            {String.to_atom(op), {field, value}}
 
           _ ->
             nil
         end
 
       [field] ->
-        {:is, {String.to_atom(field), value}}
+        {:is, {field, value}}
 
       _ ->
         nil
@@ -99,7 +99,8 @@ defmodule Querie.Parser do
       with field_def <- SchemaHelpers.get_field(schema, column),
            {:field_def_nil, false} <- {:field_def_nil, is_nil(field_def)},
            {:ok, casted_value} <- cast_field(field, field_def) do
-        {:ok, {operator, {column, casted_value}}}
+        # use String.to_existing_atom, here we make sure the column atom existed
+        {:ok, {operator, {String.to_existing_atom(column), casted_value}}}
       else
         {:field_def_nil, true} -> nil
         :skip -> nil

diff --git a/lib/schema_helpers.ex b/lib/schema_helpers.ex
@@ -1,16 +1,18 @@
 defmodule Querie.SchemaHelpers do
   def get_field(schema, field) do
-    field_def = Map.get(schema, field)
+    case Enum.find(schema, fn {k, _} -> to_string(k) == field end) do
+      {_, field_def} ->
+        {type, opts} =
+          if is_atom(field_def) or is_tuple(field_def) do
+            {field_def, []}
+          else
+            Keyword.pop(field_def, :type)
+          end
 
-    if field_def do
-      {type, opts} =
-        if is_atom(field_def) or is_tuple(field_def) do
-          {field_def, []}
-        else
-          Keyword.pop(field_def, :type)
-        end
+        {field, type, opts}
 
-      {field, type, opts}
+      _ ->
+        nil
     end
   end
 

diff --git a/test/querex_test.exs b/test/querex_test.exs
@@ -22,7 +22,7 @@ defmodule QuerieTest do
     params = %{"name" => 123}
     {code, data} = Querie.Parser.parse(schema, params)
     assert code == :error
-    assert Enum.find_value(data, false, fn {field, _} -> field == :name end)
+    assert Enum.find_value(data, false, fn {field, _} -> field == "name" end)
   end
 
   test "parse integer range by map" do