1d5cb6a53674b76c2f8d4f8413a69b10124d9cbc
galt
  Wed Oct 5 16:02:16 2022 -0700
Fixing a few more minor bugs for sqlSafef V2 in CIRM cdwWebBrowse.

diff --git src/hg/cirm/cdw/cdwWebBrowse/cdwWebBrowse.c src/hg/cirm/cdw/cdwWebBrowse/cdwWebBrowse.c
index 6c4359e..a947a3b 100644
--- src/hg/cirm/cdw/cdwWebBrowse/cdwWebBrowse.c
+++ src/hg/cirm/cdw/cdwWebBrowse/cdwWebBrowse.c
@@ -917,32 +917,34 @@
     if (slCount(sff->valList)>0)
 	{
 	sqlDyStringPrintf(facetedWhere, " and ");  // use Frag to prevent NOSQLINJ tag
 	sqlDyStringPrintf(facetedWhere, "ifnull(%s,'n/a') in (", sff->fieldName);
 	struct facetVal *el;
 	for (el=sff->valList; el; el=el->next)
 	    {
 	    sqlDyStringPrintf(facetedWhere, "'%s'", el->val);
 	    if (el->next)
 		sqlDyStringPrintf(facetedWhere, ",");
 	    }
 	sqlDyStringPrintf(facetedWhere, ")");
 	}
     }
 
+
 // get their fileIds
 struct dyString *tagQuery = sqlDyStringCreate("SELECT file_id from %s %-s", table, filteredWhere->string); // trust
+if (!isEmpty(facetedWhere->string))
     sqlDyStringPrintf(tagQuery,  "%-s", facetedWhere->string); // trust because it was created safely
 struct slName *fileIds = sqlQuickList(conn, tagQuery->string);
 
 // retrieve the cdwFiles objects for these
 struct dyString *fileQuery = sqlDyStringCreate("SELECT * FROM cdwFile WHERE id IN (");
 sqlDyStringPrintValuesList(fileQuery, fileIds);
 sqlDyStringPrintf(fileQuery, ")");
 return cdwFileLoadByQuery(conn, fileQuery->string);
 }
 
 static void continueSearchVars()
 /* print out hidden forms variables for the current search */
 {
 cgiContinueHiddenVar("cdwFileSearch");
 char *fieldNames[128];
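Review bot: The new guard on the `tagQuery` append only covers an empty facet clause; the query built a few lines later still has no check for `fileIds` being empty, so when the tag filter matches nothing `fileQuery` becomes `SELECT * FROM cdwFile WHERE id IN ()`, which MySQL rejects as a syntax error, unless sqlDyStringPrintValuesList emits a placeholder for an empty list (cannot tell from here). I would add `if (fileIds == NULL) return NULL;` directly after the `sqlQuickList` call so callers get an empty result rather than an SQL error. Separately, the comment on the `" and "` append says "use Frag to prevent NOSQLINJ tag" while the call is plain `sqlDyStringPrintf`; either use the Frag variant, if V2 still provides one, or drop the comment so the tagging intent is not misread. The enclosing function starts above this hunk.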
@@ -1618,31 +1620,37 @@
 sqlDyStringPrintf(sqlQuery, "%s", l->name);
 l = l->next;
 while (l != NULL)
     {
     sqlDyStringPrintf(sqlQuery, ",%s", l->name);
     l = l->next;
     }
 sqlDyStringPrintf(sqlQuery, " from cdwFileTags");
 
 int whereClauseStarted = 0;
 if (!isEmpty(where))
     {
     // Can't use sqlDyString functions due to the possible presence of valid wildcards, but
     // the while clause has already been validated by passing through the more restrictive
     // rql parser anyway.
-    sqlDyStringPrintf(sqlQuery, " where %-s", rqlParseToSqlWhereClause(rql->whereClause, FALSE));
+
+    // Note currently unable to use sqlSafefV2 inside /src/lib/rqlParse* since it needs functions in /src/hg/lib/jksql.c
+    // and things in /src/lib are not supposed to use and depend on stuff under /src/hg/lib.
+    char *rqlWhere = rqlParseToSqlWhereClause(rql->whereClause, FALSE);
+    char trustedQuery[strlen(rqlWhere) + NOSQLINJ_SIZE + 1];
+    safef(trustedQuery, sizeof trustedQuery, NOSQLINJ "%s", rqlWhere);
+    sqlDyStringPrintf(sqlQuery, " where %-s", trustedQuery);
     whereClauseStarted = 1;
     }
 
 // Ensure the user has access to the data.  Access means either it's a public set (allAccess = 1) or one of the user's
 // associated group IDs appears in the groupIds field (or they're an admin).
 if ((user == NULL) || (!user->isAdmin))
     {
     if (whereClauseStarted == 0)
         {
         sqlDyStringPrintf(sqlQuery, " where ");
         whereClauseStarted = 1;
         }
     else
         sqlDyStringPrintf(sqlQuery, " and ");
     sqlDyStringPrintf(sqlQuery, "(allAccess = 1");
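Review bot: The new `trustedQuery` buffer is a variable-length array sized by `strlen(rqlWhere)`, and `rqlWhere` is derived from `rql->whereClause`, which in a web CGI is ultimately user-supplied, so a long RQL query turns into an attacker-chosen stack allocation with no upper bound (CERT ARR32-C). Put the tagged copy on the heap instead; a dyString, already used elsewhere in this file, does it without manual size arithmetic and frees cleanly. Prepending NOSQLINJ by hand also asserts the clause is safe, so it is worth confirming once that rqlParseToSqlWhereClause quotes and escapes every string literal it emits, since sqlSafef's own `%s` escaping is bypassed here; the older comment above saying sqlDyString functions cannot be used is now partly stale and could say the tag is added manually instead. The enclosing function begins above and continues below this hunk.
```c
    char *rqlWhere = rqlParseToSqlWhereClause(rql->whereClause, FALSE);
    // Heap-allocate the tagged copy: rqlWhere length is user-controlled, so no stack VLA.
    struct dyString *trustedQuery = dyStringNew(0);
    dyStringPrintf(trustedQuery, NOSQLINJ "%s", rqlWhere);
    sqlDyStringPrintf(sqlQuery, " where %-s", trustedQuery->string);
    dyStringFree(&trustedQuery);
    whereClauseStarted = 1;
```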