From 37769befc41f484babae41fc358c278ab830e220 Mon Sep 17 00:00:00 2001
From: yedf2 <120050102@qq.com>
Date: Mon, 14 Mar 2022 20:45:38 +0800
Subject: [PATCH] use Escape

---
 dtmcli/barrier.go | 2 +-
 dtmcli/dtmimp/trans_base.go | 2 +-
 dtmcli/dtmimp/utils.go | 12 ++++++++++++
 dtmutil/db.go | 3 +--
 4 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/dtmcli/barrier.go b/dtmcli/barrier.go
index 7bdf1ad..d76ae5b 100644
--- a/dtmcli/barrier.go
+++ b/dtmcli/barrier.go
@@ -38,7 +38,7 @@ func (bb *BranchBarrier) newBarrierID() string {
 
 // BarrierFromQuery construct transaction info from request
 func BarrierFromQuery(qs url.Values) (*BranchBarrier, error) {
-	return BarrierFrom(qs.Get("trans_type"), qs.Get("gid"), qs.Get("branch_id"), qs.Get("op"))
+	return BarrierFrom(dtmimp.EscapeGet(qs, "trans_type"), dtmimp.EscapeGet(qs, "gid"), dtmimp.EscapeGet(qs, "branch_id"), dtmimp.EscapeGet(qs, "op"))
 }
 
 // BarrierFrom construct transaction info from request
diff --git a/dtmcli/dtmimp/trans_base.go b/dtmcli/dtmimp/trans_base.go
index 2dd14b3..a1a136f 100644
--- a/dtmcli/dtmimp/trans_base.go
+++ b/dtmcli/dtmimp/trans_base.go
@@ -87,7 +87,7 @@ func (t *TransBase) WithGlobalTransRequestTimeout(timeout int64) {
 
 // TransBaseFromQuery construct transaction info from request
 func TransBaseFromQuery(qs url.Values) *TransBase {
-	return NewTransBase(qs.Get("gid"), qs.Get("trans_type"), qs.Get("dtm"), qs.Get("branch_id"))
+	return NewTransBase(EscapeGet(qs, "gid"), EscapeGet(qs, "trans_type"), EscapeGet(qs, "dtm"), EscapeGet(qs, "branch_id"))
 }
 
 // TransCallDtm TransBase call dtm
diff --git a/dtmcli/dtmimp/utils.go b/dtmcli/dtmimp/utils.go
index 285d186..2500fc3 100644
--- a/dtmcli/dtmimp/utils.go
+++ b/dtmcli/dtmimp/utils.go
@@ -12,6 +12,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"net/url"
 	"os"
 	"runtime"
 	"strconv"
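Review bot: The new `dtmimp.EscapeGet` calls in `BarrierFromQuery` silently rewrite gid, branch_id and op before `BarrierFrom` sees them, so a request whose `gid` carries a `'`, a space or a newline is not refused but is processed under a different, shortened id — for a barrier that is the wrong failure mode, because the barrier row then guards a transaction the caller never named. Input that does not match the expected identifier format should make `BarrierFromQuery` return its error instead of being massaged; the function already has an error result for exactly this. `op` presumably comes from a small fixed set of branch operations, in which case an explicit allowlist check is clearer than character stripping. Deleting four characters also does not make these values safe to concatenate into SQL; whatever query `BarrierFrom` or its callees build from them still needs placeholders.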
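Review bot: `EscapeGet(qs, "dtm")` in `TransBaseFromQuery` strips quotes, spaces and CR/LF from what looks like the dtm server address that later outbound calls target, but it neither rejects a malformed value nor constrains its scheme or host, so a caller-supplied `dtm` can still point the branch's callbacks at an arbitrary endpoint; if that matters here, `url.Parse` plus a scheme/host check, or taking the address from configuration rather than the query, is the stronger control. As with gid and branch_id, character deletion changes the identifier instead of refusing it, and since `TransBaseFromQuery` has no error return the rewrite is invisible — at minimum log when `Escape` altered the input. `NewTransBase` and the surrounding TransBase methods are outside the hunk.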
@@ -235,3 +236,14 @@ func DeferDo(rerr *error, success func() error, fail func() error) {
 		}
 	}()
 }
+
+// Escape solve CodeQL reported problem
+func Escape(input string) string {
+	replacer := strings.NewReplacer("'", "", "\n", "", "\r", "", " ", "")
+	return replacer.Replace(input)
+}
+
+// EscapeGet escape get
+func EscapeGet(qs url.Values, key string) string {
+	return Escape(qs.Get(key))
+}
diff --git a/dtmutil/db.go b/dtmutil/db.go
index 97bfefa..1862870 100644
--- a/dtmutil/db.go
+++ b/dtmutil/db.go
@@ -3,7 +3,6 @@ package dtmutil
 import (
 	"database/sql"
 	"fmt"
-	"strings"
 	"sync"
 	"time"
 
@@ -101,7 +100,7 @@ func DbGet(conf dtmcli.DBConf, ops ...func(*gorm.DB)) *DB {
 	dsn := dtmimp.GetDsn(conf)
 	db, ok := dbs.Load(dsn)
 	if !ok {
-		logger.Debugf("connecting %s", strings.Replace(dsn, conf.Password, "****", 1))
+		logger.Infof("connecting '%s' '%s' '%s' '%d'", conf.Driver, conf.Host, conf.User, conf.Port)
 		db1, err := gorm.Open(getGormDialetor(conf.Driver, dsn), &gorm.Config{
 			SkipDefaultTransaction: true,
 		})
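Review bot: `Escape` is a character blacklist (`'`, CR, LF, space) that deletes rather than escapes, so both its name and the comment `solve CodeQL reported problem` misdescribe it, and it leaves `"`, `;`, backslash, `--`, `/*` and NUL untouched; if the CodeQL finding was SQL built from these values, the real fix is placeholders at the query site, and if it was log injection, `%q` at the log call is the precise fix. Silently mutating an identifier is also a correctness hazard: two distinct inputs collapse onto one gid or branch_id. Prefer a validator that returns an error for any character outside the format the project's id generator produces (the exact set is not visible here, so the pattern below must be matched to it), and document the helper honestly, e.g. `// Escape removes ', CR, LF and space from input. It is a blacklist, not an escaper: callers must still use parameterized queries.` The `EscapeGet` comment (`escape get`) should state what it does: `// EscapeGet returns qs.Get(key) with Escape applied.`

```go
// … unchanged: Escape, EscapeGet …

// idPattern is the accepted identifier alphabet; align it with the
// format produced by the project's gid/branch_id generators.
var idPattern = regexp.MustCompile(`^[A-Za-z0-9_.:-]*$`)

// ValidateID returns an error when input contains a character outside
// idPattern. Unlike Escape it never alters input, so a rejected value
// cannot be confused with a different, valid identifier.
func ValidateID(input string) error {
	if !idPattern.MatchString(input) {
		return fmt.Errorf("invalid identifier %q", input)
	}
	return nil
}
```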
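Review bot: The new `logger.Infof("connecting '%s' '%s' '%s' '%d'", ...)` in `DbGet` wraps `conf.Host` and `conf.User` in single quotes but formats them with `%s`, so a value containing a newline or a quote still lands unescaped in the log; `%q` quotes and escapes for free: `logger.Infof("connecting %q %q %q %d", conf.Driver, conf.Host, conf.User, conf.Port)`. The level also moves from Debugf to Infof without the commit message saying why, so the host and user of every new database connection are now emitted at the default level — fine if intended, but worth a sentence. Leaving the password out of the message altogether is the right choice. The rest of `DbGet` continues outside the hunk.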