nsnotfound / blog.swift Goto Github PK
View Code? Open in Web Editor NEW[WIP] A tiny server-side Swift blog app.
License: MIT License
blog.swift's People
Contributors
Stargazers
Watchers
Forkers
imjerrybao honghaoz rockflying carabina finngaida haroenv poseidonsw damocs0921 kutap leopardpan yut148 kenwilcox generalx1 iq-scmblog.swift's Issues
`swift build --configuration release` failed to compile module 'Mustache'
In current Makefile,
make build uses swift build --configuration release, however, this fails to build module Mustache (other modules are fine).
Logs:
Compiling Swift Module 'Mustache' (29 sources)
/home/honghao/Developer/Swift/blog.swift/Packages/Mustache-0.1.0/Sources/Mustache/Parsing/TemplateParser.swift:75:21: warning: '++' is deprecated: it will be removed in Swift 3
++lineNumber
^~
+= 1
/home/honghao/Developer/Swift/blog.swift/Packages/Mustache-0.1.0/Sources/Mustache/Parsing/TemplateParser.swift:90:21: warning: '++' is deprecated: it will be removed in Swift 3
++lineNumber
^~
+= 1
/home/honghao/Developer/Swift/blog.swift/Packages/Mustache-0.1.0/Sources/Mustache/Parsing/TemplateParser.swift:139:21: warning: '++' is deprecated: it will be removed in Swift 3
++lineNumber
^~
+= 1
/home/honghao/Developer/Swift/blog.swift/Packages/Mustache-0.1.0/Sources/Mustache/Parsing/TemplateParser.swift:261:21: warning: '++' is deprecated: it will be removed in Swift 3
++lineNumber
^~
+= 1
/home/honghao/Developer/Swift/blog.swift/Packages/Mustache-0.1.0/Sources/Mustache/Parsing/TemplateParser.swift:279:21: warning: '++' is deprecated: it will be removed in Swift 3
++lineNumber
^~
+= 1
<unknown>:0: error: unable to execute command: Killed
<unknown>:0: error: compile command failed due to signal (use -v to see invocation)
<unknown>:0: error: unable to execute command: Killed
<unknown>:0: error: compile command failed due to signal (use -v to see invocation)
<unknown>:0: error: build had 1 command failures
error: exit(1): ["/home/honghao/swift/swift-2.2-SNAPSHOT-2015-12-31-a-ubuntu14.04/usr/bin/swift-build-tool", "-f", "/home/honghao/Developer/Swift/blog.swift/.build/release/Mustache.o/llbuild.yaml"]
use swift build works.
This related to PR: #5.
Multiple SQL Injection Vulnerabilities
There are multiple instances where a PostgreSQL query is formed directly by expanding variables within a string constant, such as the following:
https://github.com/NSNotFound/blog.swift/blob/master/Sources/PostController.swift#L20
https://github.com/NSNotFound/blog.swift/blob/master/Sources/PostController.swift#L50
https://github.com/NSNotFound/blog.swift/blob/master/Sources/PostController.swift#L63
https://github.com/NSNotFound/blog.swift/blob/master/Sources/PostController.swift#L65
An attacker could decide to delete a post with the id 1337' or '1' = '1. This will expand the executed SQL statement to look like `DELETE FROM... WHERE id='1337' or '1' = '1', which will delete all posts since the WHERE predicate is always true.
The above scenario is just one possible thing an attacker could do. SQL Injection like this can allow the attacker to execute arbitrary SQL code, meaning they now have complete control over your database.
The proper way of referencing variables from within SQL queries is to use parameterized SQL queries. I see that you are using the Zewo PostgreSQL library. They recently added support for parameterized queries after this issue I created: ZewoGraveyard/SQL#1. An example of using parameterized queries with PostgreSQL is here: https://github.com/Zewo/PostgreSQL/blob/master/Examples/main.swift#L25
TODO
Required features
- User table
- Settings table
- Initialize an admin user
- RESTful API
- /api/v1/posts
- /api/v1/users
- /api/v1/settings
- Markdown(showdown)
- Post editor
- Basic site options(maybe stored in a ini/yml/conf/json file?)
- The user can login via a web page(e.g. /admin), and logout or reset password
- CRUD blog posts with Markdown
- Settings
- RSS and ATOM feeds.
- Comments, maybe DISQUS?
- Share to SNS button
Optional
- Travis CI
- Heroku install button
- docker image
- Replace watchdog(Python) with watchman(C)
Build Command
- Check commands used in Makefile existed (http://stackoverflow.com/a/13249595/3164091)
-
initdbfor different platforms
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.