Add unsafe_import route

2023-06-13 10:19:14 -04:00 · 2023-06-13 10:19:14 -04:00 · eff89e7100
parent 804fb5862a
commit eff89e7100
4 changed files with 42 additions and 3 deletions
--- a/.gitignore
+++ b/.gitignore
@ -5,3 +5,4 @@ python-venv/
 tickmate-backup-20230524.db
 server/public/
 db.mount/
+tickmate-dump.sql
--- a/server/Cargo.toml
+++ b/server/Cargo.toml
@ -3,6 +3,10 @@ name = "kalkulog-server"
 version = "0.1.0"
 edition = "2021"

+[features]
+default = ["unsafe_import"]
+unsafe_import = []
+
 [[bin]]
 name = "kalkulog-server"
 path = "src/main.rs"
--- a/server/src/api/import.rs
+++ b/server/src/api/import.rs
@ -0,0 +1,27 @@
+use rocket::{http::Status, State};
+use sea_orm::{ConnectionTrait, DatabaseBackend, DatabaseConnection, Statement};
+
+use crate::error::Error;
+
+use super::error::ApiResult;
+
+/// This is behind a feature gate for a reason: it's wildly unsafe and
+/// insecure. It absolutely enables arbitrary sql injection.
+#[cfg(feature = "unsafe_import")]
+#[post("/import", data = "<sql_dump>")]
+pub(crate) async fn import_sql(
+    db: &State<DatabaseConnection>,
+    sql_dump: &str,
+) -> ApiResult<Status> {
+    for line in sql_dump.lines() {
+        let line = line.to_ascii_lowercase();
+        if line.starts_with("insert into")
+            && !(line.contains("sqlite_sequence") || line.contains("android_metadata"))
+        {
+            db.execute(Statement::from_string(DatabaseBackend::Postgres, line))
+                .await
+                .map_err(Error::from)?;
+        }
+    }
+    Ok(Status::Ok)
+}
--- a/server/src/api/mod.rs
+++ b/server/src/api/mod.rs
@ -1,5 +1,6 @@
 mod error;
 mod groups;
+mod import;
 mod ticks;
 mod tracks;

@ -7,9 +8,10 @@ use std::default::default;
 use std::net::{IpAddr, Ipv4Addr};

 use rocket::fs::{FileServer, NamedFile};
-use rocket::Config;
+use rocket::{routes, Config};
 use sea_orm::DatabaseConnection;

+use crate::api::import::import_sql;
 use crate::error::Error;
 use crate::rocket::{Build, Rocket};

@ -33,7 +35,7 @@ pub(crate) fn start_server(db: DatabaseConnection) -> Rocket<Build> {
    use groups::*;
    use ticks::*;
    use tracks::*;
-    rocket::build()
+    let it = rocket::build()
        .configure(Config {
            address: IpAddr::V4(Ipv4Addr::new(0, 0, 0, 0)),
            ..default()
@ -53,5 +55,10 @@ pub(crate) fn start_server(db: DatabaseConnection) -> Rocket<Build> {
            "/api/v1/groups",
            routes![all_groups, group, insert_group, update_group, delete_group],
        )
-        .mount("/", FileServer::from("/src/public"))
+        .mount("/", FileServer::from("/src/public"));
+
+    #[cfg(feature = "unsafe_import")]
+    let it = it.mount("/api/v1", routes![import_sql]);
+
+    it
 }