dc56c85d424c91e5c9fa4a8c3ae12881cccdd278 galt Fri Oct 7 18:49:19 2022 -0700 sqlSafef v2 shift sqlSanity call to just where needed.
diff --git src/hg/cirm/cdw/cdwWebBrowse/cdwWebBrowse.c src/hg/cirm/cdw/cdwWebBrowse/cdwWebBrowse.c
index 5347621..5d0249a 100644
--- src/hg/cirm/cdw/cdwWebBrowse/cdwWebBrowse.c
+++ src/hg/cirm/cdw/cdwWebBrowse/cdwWebBrowse.c 
@@ -820,78 +820,78 @@ else { intValTreeAdd(searchPassTree, sqlUnsigned(tsr->itemId), tsr); } } if (securityColumnsInTable) slReverse(&efList); } /* Loop through all files constructing a SQL where clause that restricts us * to just the ones that we're authorized to hit, and that also pass initial where clause * if any. */ struct dyString *where = dyStringNew(0); if (!isEmpty(initialWhere)) - dyStringPrintf(where, "(%-s)", initialWhere); // trust + sqlDyStringPrintf(where, "(%-s)", initialWhere); // trust if (securityColumnsInTable) { if (user) { // get all groupIds belonging to this user char query[256]; if (!user->isAdmin) { sqlSafef(query, sizeof(query), "select groupId from cdwGroupUser " " where cdwGroupUser.userId = %d", user->id); struct sqlResult *sr = sqlGetResult(conn, query); char **row; if (!isEmpty(where->string)) - dyStringPrintf(where, " and "); - dyStringPrintf(where, "(allAccess > 0"); + sqlDyStringPrintf(where, " and "); + sqlDyStringPrintf(where, "(allAccess > 0"); while ((row = sqlNextRow(sr)) != NULL) { int groupId = sqlUnsigned(row[0]); - dyStringPrintf(where, " or FIND_IN_SET('%u', groupIds)", groupId); + sqlDyStringPrintf(where, " or FIND_IN_SET('%u', groupIds)", groupId); } sqlFreeResult(&sr); - dyStringPrintf(where, ")"); + sqlDyStringPrintf(where, ")"); } } else { if (!isEmpty(where->string)) - dyStringPrintf(where, " and "); - dyStringPrintf(where, "allAccess > 0"); + sqlDyStringPrintf(where, " and "); + sqlDyStringPrintf(where, "allAccess > 0"); } } if (efList || (securityColumnsInTable && (!isEmpty(searchString)))) // have search terms but nothing was found { if (!isEmpty(where->string)) - dyStringPrintf(where, " and "); - dyStringPrintf(where, "file_id in (0"); // initial 0 never found, just makes code smaller + sqlDyStringPrintf(where, " and "); + sqlDyStringPrintf(where, "file_id in (0"); // initial 0 never found, just makes code smaller for (ef = efList; ef != NULL; ef = ef->next) { if (searchPassTree == NULL || 
securityColumnsInTable || intValTreeFind(searchPassTree, ef->id) != NULL) { - dyStringPrintf(where, ",%u", ef->id); + sqlDyStringPrintf(where, ",%u", ef->id); } } - dyStringPrintf(where, ")"); + sqlDyStringPrintf(where, ")"); } rbTreeFree(&searchPassTree); // return three variables *retWhere = where; *retList = efList; *retFields = fields; } struct cdwFile* findDownloadableFiles(struct sqlConnection *conn, struct cart *cart, char* initialWhere, char *searchString) /* return list of files that we are allowed to see and that match current filters */ { // get query of files that match and where we have access @@ -1077,30 +1077,36 @@ // if we recreate the submission dir structure, we need to create a shell script boolean createSubdirs = FALSE; if (sameOk(cgiOptionalString("cdwDownloadName"), "subAndDir")) createSubdirs = TRUE; cart = cartAndCookieWithHtml(hUserCookie(), excludeVars, oldVars, FALSE); if (createSubdirs) puts("Content-disposition: attachment; filename=downloadCirm.sh\n"); else puts("Content-disposition: attachment; filename=fileUrls.txt\n"); char *searchString = unquotedCartString(cart, "cdwFileSearch"); char *initialWhere = cartUsualString(cart, "cdwBrowseFiles_filter", ""); +if (!sameString(initialWhere, "")) + { + struct dyString *safeWhere = dyStringNew(0); + sqlSanityCheckWhere(initialWhere, safeWhere); + initialWhere = dyStringCannibalize(&safeWhere); + } struct cdwFile *efList = findDownloadableFiles(conn, cart, initialWhere, searchString); char *host = hHttpHost(); // user may want to download with original submitted filename, not with format <accession>.<submittedExtension> char *optArg = ""; if (sameOk(cgiOptionalString("cdwDownloadName"), "sub")) optArg = "&useSubmitFname=1"; struct cdwFile *ef; for (ef = efList; ef != NULL; ef = ef->next) { struct cdwValidFile *vf = cdwValidFileFromFileId(conn, ef->id); 
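Review bot: The `%-s` in `sqlDyStringPrintf(where, "(%-s)", initialWhere); // trust` splices initialWhere into the clause without escaping, so the safety of this where clause now rests entirely on every caller having run sqlSanityCheckWhere on it first, and nothing in this function checks or states that precondition. The bare `// trust` should say what is being trusted and why, e.g. `// %-s skips escaping: initialWhere must already have passed sqlSanityCheckWhere in the caller`, and the same sentence belongs in the header comment of findDownloadableFiles, whose initialWhere parameter is how this value arrives. The remaining conversions in this hunk (`'%u'`, `%u` with int ids, and the fixed fragments) carry no external input and look fine. The enclosing function starts before this hunk, and findDownloadableFiles continues past its end.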
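Review bot: The six-line block starting `if (!sameString(initialWhere, ""))` that runs the cart filter through sqlSanityCheckWhere is pasted verbatim here and again in the hunks at new lines 1145 and 1280, so a fourth reader of `cdwBrowseFiles_filter` will have to remember to copy it too; a small static helper keeps the check in one place and makes it harder to omit. It would also use `isEmpty`, which the rest of the file already uses for this test, instead of `!sameString(x, "")`. The string returned by dyStringCannibalize is never freed; in a CGI that exits shortly after this is probably acceptable, but the helper's comment should say who owns it. If sqlSanityCheckWhere rejects input by aborting (I infer this from its use here but cannot see its body), that is also worth a sentence in the helper comment. The enclosing function starts before this hunk and continues past its end.
```c
static char *sanityCheckedWhere(char *where)
/* Return where unchanged when it is empty; otherwise return a copy that has
 * passed sqlSanityCheckWhere. The copy is heap allocated and not freed by the
 * callers below (CGI lifetime). */
{
if (isEmpty(where))
    return where;
struct dyString *safeWhere = dyStringNew(0);
sqlSanityCheckWhere(where, safeWhere);
return dyStringCannibalize(&safeWhere);
}

/* … unchanged: doDownloadUrls up to the cart reads … */
char *initialWhere = sanityCheckedWhere(cartUsualString(cart, "cdwBrowseFiles_filter", ""));
```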
@@ -1139,30 +1145,36 @@ { if (user==NULL && !isPublicSite) { printf("Sorry, you have to log in before you can download files."); return; } printf("<FORM ACTION=\"../cgi-bin/cdwWebBrowse\" METHOD=GET>\n"); cartSaveSession(cart); cgiMakeHiddenVar("cdwCommand", "downloadUrls"); continueSearchVars(); char *searchString = unquotedCartString(cart, "cdwFileSearch"); char *initialWhere = cartUsualString(cart, "cdwBrowseFiles_filter", ""); +if (!sameString(initialWhere, "")) + { + struct dyString *safeWhere = dyStringNew(0); + sqlSanityCheckWhere(initialWhere, safeWhere); + initialWhere = dyStringCannibalize(&safeWhere); + } struct cdwFile *efList = findDownloadableFiles(conn, cart, initialWhere, searchString); // get total size struct cdwFile *ef; long long size = 0; for (ef = efList; ef != NULL; ef = ef->next) size += ef->size; int fCount = slCount(efList); char sizeStr[4096]; sprintWithGreekByte(sizeStr, sizeof(sizeStr), size); printf("<h4>Data Download Options</h4>\n"); printf("<b>Number of files:</b> %d<br>\n", fCount); 
@@ -1268,30 +1280,37 @@ cartRemove(cart, "cdwBrowseFiles_facet_op"); cartRemove(cart, "cdwBrowseFiles_facet_fieldName"); cartRemove(cart, "cdwBrowseFiles_facet_fieldVal"); } } printf("Click on file's name to see full metadata."); printf(" Links in ucsc_db go to the Genome Browser. <BR>\n"); char *searchString = showSearchControl("cdwFileSearch", "files"); /* Put up big filtered table of files */ char returnUrl[PATH_LEN*2]; safef(returnUrl, sizeof(returnUrl), "../cgi-bin/cdwWebBrowse?cdwCommand=browseFiles&%s", cartSidUrlString(cart) ); char *where = cartUsualString(cart, "cdwBrowseFiles_filter", ""); +if (!sameString(where, "")) + { + struct dyString *safeWhere = dyStringNew(0); + sqlSanityCheckWhere(where, safeWhere); + where = dyStringCannibalize(&safeWhere); + } + struct hash *wrappers = hashNew(0); hashAdd(wrappers, "file_name", wrapFileName); hashAdd(wrappers, "ucsc_db", wrapTrackNearFileName); hashAdd(wrappers, "format", wrapFormat); hashAdd(wrappers, "file_size", wrapFileSize); accessibleFilesTable(cart, conn, searchString, fileTableFields, isEmpty(where) ? getCdwTableSetting("cdwFileFacets") : getCdwTableSetting("cdwFileTags"), where, returnUrl, "cdwBrowseFiles", 18, wrappers, conn, FALSE, "files", 100, visibleFacetFields, TRUE); printf("</FORM>\n"); } 
@@ -1304,42 +1323,43 @@ } void doBrowseTracks(struct sqlConnection *conn) /* Print list of files */ { printf("<FORM ACTION=\"../cgi-bin/cdwWebBrowse\" METHOD=GET>\n"); cartSaveSession(cart); cgiMakeHiddenVar("cdwCommand", "browseTracks"); cgiMakeHiddenVar("clearSearch", "0"); printf("<B>Tracks</B> - Click on ucsc_db to open Genome Browser. "); printf("The accession link shows more metadata.<BR>"); char returnUrl[PATH_LEN*2]; safef(returnUrl, sizeof(returnUrl), "../cgi-bin/cdwWebBrowse?cdwCommand=browseTracks&%s", cartSidUrlString(cart) ); -char *where = "fileId=file_id and format in ('bam','bigBed', 'bigWig', 'vcf', 'narrowPeak', 'broadPeak')"; +struct dyString *where = sqlDyStringCreate("fileId=file_id and format in ('bam','bigBed', 'bigWig', 'vcf', 'narrowPeak', 'broadPeak')"); struct hash *wrappers = hashNew(0); hashAdd(wrappers, "accession", wrapMetaNearAccession); hashAdd(wrappers, "ucsc_db", wrapTrackNearAccession); char *searchString = showSearchControl("cdwTrackSearch", "tracks"); accessibleFilesTable(cart, conn, searchString, "ucsc_db,chrom,accession,format,file_size,lab,assay,data_set_id,output," "enriched_in,sample_label,submit_file_name", - getBrowseTracksTables(), where, + getBrowseTracksTables(), where->string, returnUrl, "cdw_track_filter", 22, wrappers, conn, TRUE, "tracks", 100, NULL, FALSE); printf("</FORM>\n"); +dyStringFree(&where); } struct hash* loadDatasetDescs(struct sqlConnection *conn) /* Load cdwDataset table and return hash with name -> cdwDataset */ { char query[256]; sqlSafef(query, sizeof query, "SELECT * FROM cdwDataset"); struct sqlResult *sr = sqlGetResult(conn, query); struct hash *descs = hashNew(7); char **row; while ((row = sqlNextRow(sr)) != NULL) { struct cdwDataset *dataset = cdwDatasetLoad(row); hashAdd(descs, dataset->name, dataset); }
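Review bot: `struct dyString *where = sqlDyStringCreate("fileId=file_id and format in (...)")` turns a constant literal with no format arguments into a heap dyString, apparently only so that accessibleFilesTable receives a string tagged as safe, and it now needs a matching `dyStringFree(&where)` at the end of doBrowseTracks. A one-line comment would stop the next reader from looking for a security fix here, e.g. `// constant clause; sqlDyStringCreate only marks it as trusted for the sqlSafef checks downstream`. If accessibleFilesTable can return early or keep the pointer, the placement of the free after the form is closed should be reconsidered; from this hunk I cannot tell. doBrowseTracks lies wholly within the hunk; loadDatasetDescs continues past its end.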