6bdf0d5220
Updated the CreateDocumentAsync method in the DocumentExecutor class to use ToSqlParam() for formatting SQL query parameters. This change improves security by preventing potential SQL injection vulnerabilities associated with direct variable insertion into the SQL string.
29 lines
1.3 KiB
C#
29 lines
1.3 KiB
C#
using Dapper;
|
|
using EnvelopeGenerator.Application.Contracts.SQLExecutor;
|
|
using EnvelopeGenerator.Application.SQL;
|
|
using EnvelopeGenerator.Domain.Entities;
|
|
using Microsoft.Data.SqlClient;
|
|
using Microsoft.Extensions.DependencyInjection;
|
|
using Microsoft.Extensions.Options;
|
|
|
|
namespace EnvelopeGenerator.Infrastructure.Executor;
|
|
|
|
public class DocumentExecutor : SQLExecutor, IDocumentExecutor
|
|
{
|
|
public DocumentExecutor(IServiceProvider provider, IOptions<SQLExecutorParams> sqlExecutorParamsOptions) : base(provider, sqlExecutorParamsOptions)
|
|
{
|
|
}
|
|
|
|
public async Task<EnvelopeDocument> CreateDocumentAsync(string base64, string envelope_uuid, CancellationToken cancellation = default)
|
|
{
|
|
using var connection = new SqlConnection(Params.ConnectionString);
|
|
var sql = Provider.GetRequiredService<DocumentCreateReadSQL>();
|
|
var formattedSql = string.Format(sql.Raw, base64.ToSqlParam(), envelope_uuid.ToSqlParam());
|
|
await connection.OpenAsync(cancellation);
|
|
var documents = await connection.QueryAsync<EnvelopeDocument>(formattedSql);
|
|
return documents.FirstOrDefault()
|
|
?? throw new InvalidOperationException($"Document creation failed. Parameters:" +
|
|
$"base64={base64}, envelope_uuid='{envelope_uuid}'.");
|
|
}
|
|
}
|