tksadik92/wrenn-releases
1
0
Fork 0
forked from wrenn/wrenn
Code Pull Requests Activity

Fix LIKE pattern injection in user email search

Browse Source 
Escape LIKE metacharacters (% and _) in the email prefix before passing
to the SQL query, and enforce the documented '@' requirement to prevent
broad user enumeration. Move search logic out of TeamService into
usersHandler since it is a site-wide lookup, not team-scoped.
This commit is contained in:
Rafeed M. Bhuiyan
2026-03-25 21:53:09 +06:00
parent 88cb24bb86
commit 6eacf0f735
3 changed files with 15 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
internal/service/team.go
View File

@ -9,7 +9,6 @@ import (
"connectrpc.com/connect"
"github.com/jackc/pgx/v5"
"github.com/jackc/pgx/v5/pgtype"
"github.com/jackc/pgx/v5/pgxpool"
"git.omukk.dev/wrenn/sandbox/internal/db"
@ -369,12 +368,6 @@ func (s *TeamService) LeaveTeam(ctx context.Context, teamID, callerUserID string
return nil
}
// SearchUsersByEmailPrefix returns up to 10 users whose email starts with the given prefix.
// The prefix must contain "@" to prevent broad enumeration.
func (s *TeamService) SearchUsersByEmailPrefix(ctx context.Context, prefix string) ([]db.SearchUsersByEmailPrefixRow, error) {
return s.DB.SearchUsersByEmailPrefix(ctx, pgtype.Text{String: prefix, Valid: true})
}
// SetBYOC enables the BYOC feature flag for a team. Once enabled, BYOC cannot
// be disabled — it is a one-way transition.
// Admin-only — the caller must verify admin status before invoking this.