Add unsafe_import route

D. Scott Boggs 2023-06-13 10:19:14 -04:00
parent 804fb5862a
commit eff89e7100
4 changed files with 42 additions and 3 deletions

1
.gitignore vendored

@ -5,3 +5,4 @@ python-venv/
tickmate-backup-20230524.db
server/public/
db.mount/
tickmate-dump.sql


@ -3,6 +3,10 @@ name = "kalkulog-server"
version = "0.1.0"
edition = "2021"
[features]
default = ["unsafe_import"]
unsafe_import = []
[[bin]]
name = "kalkulog-server"
path = "src/main.rs"
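Review bot: `default = ["unsafe_import"]` turns the gate on for every ordinary `cargo build`, so the import route that its own doc comment calls wildly unsafe ships unless someone remembers `--no-default-features`. A gate for a dangerous endpoint should be opt-in: `default = []`, with the feature enabled explicitly (`cargo build --features unsafe_import`) only for the one-off migration. A short comment above the feature, e.g. `# Enables POST /api/v1/import, which executes request-body SQL; never enable in a deployed build`, would make the intent clear to whoever edits this table next.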

27
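--- a/server/src/api/import.rs
+++ b/server/src/api/import.rs
@@ -0,0 +1,27 @@
+use rocket::{http::Status, State};
+use sea_orm::{ConnectionTrait, DatabaseBackend, DatabaseConnection, Statement};
+use crate::error::Error;
+use super::error::ApiResult;
+/// This is behind a feature gate for a reason: it's wildly unsafe and
+/// insecure. It absolutely enables arbitrary sql injection.
+#[cfg(feature = "unsafe_import")]
+#[post("/import", data = "<sql_dump>")]
+pub(crate) async fn import_sql(
+db: &State<DatabaseConnection>,
+sql_dump: &str,
+) -> ApiResult<Status> {
+for line in sql_dump.lines() {
+let line = line.to_ascii_lowercase();
+if line.starts_with("insert into")
+&& !(line.contains("sqlite_sequence") || line.contains("android_metadata"))
+{
+db.execute(Statement::from_string(DatabaseBackend::Postgres, line))
+.await
+.map_err(Error::from)?;
+}
+}
+Ok(Status::Ok)
+}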
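Review bot: `let line = line.to_ascii_lowercase();` shadows the original text, so the statement passed to `db.execute` is the lowercased copy and every quoted value in the dump is stored in lower case. Keep the lowercased string for the two filter tests only, `let lowered = line.to_ascii_lowercase();`, and execute the untouched text with `Statement::from_string(DatabaseBackend::Postgres, line.to_owned())`. The `starts_with("insert into")` test is also the only restriction on what reaches the database and the signature takes no request guard, so the doc comment should say who is expected to call this (for example a loopback-only, one-off migration) and the handler should get an authenticated-user guard before it is mounted. Each line is executed on its own, so a failure part-way leaves a partial import; running the loop inside one transaction would let a failed import roll back.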


@ -1,5 +1,6 @@
mod error;
mod groups;
mod import;
mod ticks;
mod tracks;
@ -7,9 +8,10 @@ use std::default::default;
use std::net::{IpAddr, Ipv4Addr};
use rocket::fs::{FileServer, NamedFile};
use rocket::Config;
use rocket::{routes, Config};
use sea_orm::DatabaseConnection;
use crate::api::import::import_sql;
use crate::error::Error;
use crate::rocket::{Build, Rocket};
@ -33,7 +35,7 @@ pub(crate) fn start_server(db: DatabaseConnection) -> Rocket<Build> {
use groups::*;
use ticks::*;
use tracks::*;
rocket::build()
let it = rocket::build()
.configure(Config {
address: IpAddr::V4(Ipv4Addr::new(0, 0, 0, 0)),
..default()
@ -53,5 +55,10 @@ pub(crate) fn start_server(db: DatabaseConnection) -> Rocket<Build> {
"/api/v1/groups",
routes![all_groups, group, insert_group, update_group, delete_group],
)
.mount("/", FileServer::from("/src/public"))
.mount("/", FileServer::from("/src/public"));
#[cfg(feature = "unsafe_import")]
let it = it.mount("/api/v1", routes![import_sql]);
it
}
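Review bot: The `use crate::api::import::import_sql;` line is not feature-gated, while `import_sql` itself only exists under `#[cfg(feature = "unsafe_import")]`, so a build with the feature switched off would most likely stop on an unresolved import and the gate could not actually be turned off. Put the same attribute on the import, `#[cfg(feature = "unsafe_import")] use crate::api::import::import_sql;`, and consider gating `mod import;` as well so that module's own `use` lines do not warn as unused. Separately, the gated `mount("/api/v1", routes![import_sql])` sits on a server configured for `0.0.0.0` with no request guard in the handler signature, so with the feature on the import endpoint is reachable on every interface. `start_server` begins and continues outside these hunks, so any protection added elsewhere in it is not visible here.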