diff --git a/basic/query.go b/basic/query.go
index 1fd7a91..a562078 100644
--- a/basic/query.go
+++ b/basic/query.go
@@ -5,6 +5,7 @@ import (
 "encoding/hex"
 "errors"
 "fmt"
+ "strconv"
 "strings"
 
 "github.com/fiatjaf/go-nostr/event"
@@ -23,14 +24,22 @@ func (b *BasicRelay) QueryEvents(
 return
 }
 
- if filter.ID != "" {
- conditions = append(conditions, "id = ?")
- params = append(params, filter.ID)
- }
-
- if filter.Kind != nil {
- conditions = append(conditions, "kind = ?")
- params = append(params, filter.Kind)
+ if filter.IDs != nil {
+ inids := make([]string, 0, len(filter.IDs))
+ for _, id := range filter.IDs {
+ // to prevent sql attack here we will check if
+ // these ids are valid 32byte hex
+ parsed, err := hex.DecodeString(id)
+ if err != nil || len(parsed) != 32 {
+ continue
+ }
+ inids = append(inids, fmt.Sprintf("'%x'", parsed))
+ }
+ if len(inids) == 0 {
+ // ids being [] mean you won't get anything
+ return
+ }
+ conditions = append(conditions, `id IN (`+strings.Join(inids, ",")+`)`)
 }
 
 if filter.Authors != nil {
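Review bot: The `id IN (...)` list in the second hunk is assembled by string concatenation of `fmt.Sprintf("'%x'", parsed)` values, whereas the #e/#p branches later in the same function use `?` placeholders and `params`, so the safety of this branch depends entirely on the `hex.DecodeString` + `len(parsed) != 32` check staying in place. That check does constrain each interpolated value to exactly 64 lowercase hex characters, so the concatenation is not injectable as written, but the parameterized form is the more robust choice: `inids = append(inids, "?")` together with `params = append(params, hex.EncodeToString(parsed))`, leaving the `strings.Join(inids, ",")` line as it is. The same applies to the `pubkey IN (...)` branch that follows, whose loop body lies outside this hunk. A short comment on the `continue` would also help, since malformed ids are dropped without any signal to the caller: `// malformed ids are skipped; a filter whose ids are all invalid matches nothing`. QueryEvents starts before this hunk and continues after it.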
@@ -45,20 +54,49 @@ func (b *BasicRelay) QueryEvents(
 inkeys = append(inkeys, fmt.Sprintf("'%x'", parsed))
 }
 if len(inkeys) == 0 {
- // authors being [] means you won't get anything
+ // authors being [] mean you won't get anything
 return
 }
 conditions = append(conditions, `pubkey IN (`+strings.Join(inkeys, ",")+`)`)
 }
 
- if filter.TagEvent != "" {
- conditions = append(conditions, tagConditions)
- params = append(params, filter.TagEvent)
+ if filter.Kinds != nil {
+ if len(filter.Kinds) == 0 {
+ // kinds being [] mean you won't get anything
+ return
+ }
+ // no sql injection issues since these are ints
+ inkinds := make([]string, len(filter.Kinds))
+ for i, kind := range filter.Kinds {
+ inkinds[i] = strconv.Itoa(kind)
+ }
+ conditions = append(conditions, `kind IN (`+strings.Join(inkinds, ",")+`)`)
 }
 
- if filter.TagProfile != "" {
- conditions = append(conditions, tagConditions)
- params = append(params, filter.TagProfile)
+ if filter.TagE != nil {
+ if len(filter.TagE) == 0 {
+ // #e being [] mean you won't get anything
+ return
+ }
+ innerConditions := make([]string, len(filter.TagE))
+ for _, e := range filter.TagE {
+ innerConditions = append(innerConditions, tagConditions)
+ params = append(params, e)
+ }
+ conditions = append(conditions, strings.Join(innerConditions, " OR "))
+ }
+
+ if filter.TagP != nil {
+ if len(filter.TagP) == 0 {
+ // #p being [] mean you won't get anything
+ return
+ }
+ innerConditions := make([]string, len(filter.TagP))
+ for _, p := range filter.TagP {
+ innerConditions = append(innerConditions, tagConditions)
+ params = append(params, p)
+ }
+ conditions = append(conditions, strings.Join(innerConditions, " OR "))
 }
 
 if filter.Since != 0 {
diff --git a/go.mod b/go.mod
index 9f5f811..f5f043d 100644
--- a/go.mod
+++ b/go.mod
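Review bot: Both tag branches allocate `innerConditions` with `make([]string, len(filter.TagE))` and then `append` to it, so the slice starts with len(filter.TagE) empty strings and the joined clause comes out as ` OR  OR <tagConditions> OR ...`, which is not valid SQL; the `filter.TagP` block has the identical defect. Either use the indexed form the `Kinds` block already uses or allocate with zero length: `innerConditions := make([]string, 0, len(filter.TagE))` (and likewise for TagP). The joined OR-list is then pushed onto `conditions` as one element; if the caller joins `conditions` with AND (that code is outside this hunk), the alternation needs its own parentheses, e.g. `conditions = append(conditions, "("+strings.Join(innerConditions, " OR ")+")")`, or the tag alternatives will bind to neighbouring AND terms and widen the result set. The tag values themselves go through `params`, which is the right approach and should be kept. QueryEvents starts before this hunk and continues after it.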
@@ -3,7 +3,7 @@ module github.com/fiatjaf/relayer
 go 1.15
 
 require (
- github.com/fiatjaf/go-nostr v0.2.1
+ github.com/fiatjaf/go-nostr v0.3.0
 github.com/gorilla/mux v1.8.0
 github.com/gorilla/websocket v1.4.2
 github.com/jmoiron/sqlx v1.3.1
diff --git a/go.sum b/go.sum
index 99d1a2a..863c83b 100644
--- a/go.sum
+++ b/go.sum
@@ -19,6 +19,8 @@ github.com/fiatjaf/bip340 v1.1.0 h1:W+CnUU3RyqgMKS2S9t/r2l3L4D+sSkRtU4la7MlVBR8=
 github.com/fiatjaf/bip340 v1.1.0/go.mod h1:MxAz+5FQUTW4OT2gnCBC6Our486wmqf72ykZIrh7+is=
 github.com/fiatjaf/go-nostr v0.2.1 h1:oMNyNKA+9k675y/hyQ4z+qm90aVvfzpiMSFS5wQ5pfI=
 github.com/fiatjaf/go-nostr v0.2.1/go.mod h1:Uw7NI2zQE2QYgcT5495pZguoHoYRIrmXvLRO0eXhOs0=
+github.com/fiatjaf/go-nostr v0.3.0 h1:Ccdn2E8to99TSb691YUieKbFkvfkaM2fwjQJovfpzRU=
+github.com/fiatjaf/go-nostr v0.3.0/go.mod h1:Uw7NI2zQE2QYgcT5495pZguoHoYRIrmXvLRO0eXhOs0=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/go-sql-driver/mysql v1.5.0 h1:ozyZYNQW3x3HtqT1jira07DN2PArx2v7/mN66gGcHOs=
 github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg=