diff options
| author | Olivier Wilkinson (reivilibre) <olivier@librepush.net> | 2019-08-20 15:41:10 +0100 |
|---|---|---|
| committer | Olivier Wilkinson (reivilibre) <olivier@librepush.net> | 2019-08-20 15:41:10 +0100 |
| commit | 981c6cf5442bfb16c177f995deedeb3ec44bf5fb (patch) | |
| tree | a41f9792a54ed506c7ebf93141500240b845325b | |
| parent | Add room and user statistics documentation. (diff) | |
| download | synapse-981c6cf5442bfb16c177f995deedeb3ec44bf5fb.tar.xz | |
Sanitise accepted fields in `_update_stats_delta_txn`
Signed-off-by: Olivier Wilkinson (reivilibre) <olivier@librepush.net>
| -rw-r--r-- | synapse/storage/stats.py | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/synapse/storage/stats.py b/synapse/storage/stats.py index 0445b97b4a..a372f35eae 100644 --- a/synapse/storage/stats.py +++ b/synapse/storage/stats.py @@ -15,6 +15,7 @@ # limitations under the License. import logging +from itertools import chain from twisted.internet import defer @@ -160,6 +161,17 @@ class StatsStore(StateDeltasStore): quantised_ts = self.quantise_stats_time(int(ts)) end_ts = quantised_ts + self.stats_bucket_size + for field in chain(fields.keys(), absolute_fields.keys()): + if ( + field not in ABSOLUTE_STATS_FIELDS[stats_type] + and field not in PER_SLICE_FIELDS[stats_type] + ): + # guard against potential SQL injection dodginess + raise ValueError( + "%s is not a recognised field" + " for stats type %s" % (field, stats_type) + ) + field_sqls = ["%s = %s + ?" % (field, field) for field in fields.keys()] field_values = list(fields.values()) |