Refactor WebSocket user ID filtering and enhance SQL query security: Updated user ID handling in the WebSocket server to improve filtering logic for numeric user IDs. Implemented parameterized queries in the database operations across multiple worker files to prevent SQL injection vulnerabilities, ensuring safer data handling.

2025-12-08 11:56:04 +01:00
parent 2948586041
commit d078b6b19a
4 changed files with 45 additions and 35 deletions
--- a/src/websocket_server.rs
+++ b/src/websocket_server.rs
@@ -500,27 +500,35 @@ async fn handle_connection<S>(
                    };

                    if let Some(uid) = target_user.clone() {
-                        // Nur filtern, wenn uid numerisch ist
-                        if uid.parse::<i64>().is_ok() {
-                            if let Ok(json) = serde_json::from_str::<Json>(&msg) {
-                                let matches_user = json
-                                    .get("user_id")
-                                    .and_then(|v| {
-                                        if let Some(s) = v.as_str() {
-                                            s.parse::<i64>().ok()
-                                        } else if let Some(n) = v.as_i64() {
-                                            Some(n)
-                                        } else {
-                                            None
-                                        }
-                                    })
-                                    .map(|v| v.to_string() == uid)
-                                    .unwrap_or(false);
+                        // Versuche, die user_id als numerisch zu interpretieren
+                        match uid.parse::<i64>() {
+                            Ok(numeric_uid) => {
+                                // Numerische user_id: Filtere explizit nach dieser ID
+                                if let Ok(json) = serde_json::from_str::<Json>(&msg) {
+                                    let matches_user = json
+                                        .get("user_id")
+                                        .and_then(|v| {
+                                            if let Some(s) = v.as_str() {
+                                                s.parse::<i64>().ok()
+                                            } else if let Some(n) = v.as_i64() {
+                                                Some(n)
+                                            } else {
+                                                None
+                                            }
+                                        })
+                                        .map(|v| v == numeric_uid)
+                                        .unwrap_or(false);

-                                if !matches_user {
-                                    continue;
+                                    if !matches_user {
+                                        continue;
+                                    }
                                }
                            }
+                            Err(_) => {
+                                // Nicht-numerische user_id: Explizit alle Nachrichten durchlassen
+                                // (keine Filterung, wie im Kommentar dokumentiert)
+                                // Dies ermöglicht es dem Frontend, selbst zu filtern
+                            }
                        }
                    }