From e5dc359f3a798102b4e69f65b761cc88b2795067 Mon Sep 17 00:00:00 2001
From: regalijan
Date: Thu, 19 Oct 2023 16:49:52 -0400
Subject: [PATCH] Default to current time in list endpoint
---
 functions/api/mod-queue/list.ts | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/functions/api/mod-queue/list.ts b/functions/api/mod-queue/list.ts
index 0e77cdb..71aed33 100644
--- a/functions/api/mod-queue/list.ts
+++ b/functions/api/mod-queue/list.ts
@@ -1,6 +1,6 @@
 export async function onRequestGet(context: RequestContext) {
 const { searchParams } = new URL(context.request.url);
- const before = parseInt(searchParams.get("before") || "0");
+ const before = parseInt(searchParams.get("before") || `${Date.now()}`);
 const entryType = searchParams.get("type");
 const showClosed = searchParams.get("showClosed") === "true";
 const tables: { [k: string]: string } = {
@@ -47,11 +47,17 @@ export async function onRequestGet(context: RequestContext) {
 const prefix = types[entryType];
 const table = tables[entryType];
 const items = [];
+ console.log(!showClosed)
 const { results }: { results?: { created_at: number; id: string }[] } =
+ /*
+ This is normally VERY BAD and can lead to injection attacks
+ However, there is no other way to do this, as using bindings for table names is unsupported apparently
+ To avoid any potential injection attacks we enforce a list of specific values and permissions for table names
+ */
 await context.env.D1.prepare(
- "SELECT created_at, id FROM ? WHERE created_at < ? AND open = ? ORDER BY created_at DESC LIMIT 25;"
+ `SELECT id FROM ${table} WHERE created_at < ? AND open = ? ORDER BY created_at DESC LIMIT 25;`
 )
- .bind(table, before, Number(showClosed))
+ .bind(before, Number(!showClosed))
 .all();
 if (results)
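Review bot: A non-numeric `before` still reaches the query in the first hunk, because `parseInt` returns NaN for a value such as `before=abc` and the `||` fallback only covers a missing or empty parameter. Parse with an explicit radix and fall back when the result is not finite: `const parsed = parseInt(searchParams.get("before") ?? "", 10);` followed by `const before = Number.isFinite(parsed) ? parsed : Date.now();`. How D1 handles a NaN binding is not visible here, so answering with a 400 for a malformed value may be the cleaner choice. onRequestGet continues outside the hunk.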
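Review bot: The interpolated `${table}` in the second hunk is only as safe as the lookup `tables[entryType]`, and `tables` is a plain object typed `{ [k: string]: string }`, so inherited keys such as `constructor` resolve to a non-string value rather than undefined. The validation between the two hunks is not visible (the function also continues past the hunk); if it is a truthiness test, tighten it to `if (!entryType || !Object.hasOwn(tables, entryType))` ahead of this query and say so in the comment. The new SELECT no longer returns `created_at` while the annotation still declares `created_at: number`, so either restore the column or narrow the type to `{ id: string }[]`. The added `console.log(!showClosed)` looks like leftover debugging and should be dropped.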