From ed33718ddf5672b43af9e8aea39393d9bdbdc2fb Mon Sep 17 00:00:00 2001
From: Daniel <845765@qq.com>
Date: Thu, 7 Nov 2024 17:38:10 +0800
Subject: [PATCH] :lock: SQL injection security vulnerabilities https://github.com/siyuan-note/siyuan/issues/13077 https://github.com/siyuan-note/siyuan/issues/13058
---
 kernel/model/history.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/kernel/model/history.go b/kernel/model/history.go
index a91d1c220..fe6d318fa 100644
--- a/kernel/model/history.go
+++ b/kernel/model/history.go
@@ -473,6 +473,10 @@ func buildSearchHistoryQueryFilter(query, op, box, table string, typ int) (stmt
 stmt += " AND op = '" + op + "'"
 }
 
+ if "%" != box && !ast.IsNodeIDPattern(box) {
+ box = "%"
+ }
+
 if HistoryTypeDocName == typ || HistoryTypeDoc == typ || HistoryTypeDocID == typ {
 if HistoryTypeDocName == typ || HistoryTypeDoc == typ {
 stmt += " AND path LIKE '%/" + box + "/%' AND path LIKE '%.sy'"
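Review bot: The safety of the new guard rests entirely on `ast.IsNodeIDPattern` admitting only the node-ID alphabet — should it ever accept a quote, `%` or `_`, the value still lands unescaped inside the LIKE pattern a few lines below, so that dependency is worth pinning with a comment on the guard such as `// box is interpolated into SQL below: only "%" or a strict node ID may pass`. Coercing every other value to `"%"` also fails open: a malformed or hostile box silently widens the filter to every notebook instead of being rejected, and the discard leaves no trace, so an empty-result filter or at least a warning log for the rejected value would make it observable and keep the widening deliberate. The same quoted-concatenation pattern remains for `op` in the context line `stmt += " AND op = '" + op + "'"`, which this commit does not address; an allow-list over the known op values, or switching the whole filter to parameter binding, would close that in the same way. buildSearchHistoryQueryFilter starts and ends outside the hunk, so whether `query` receives comparable treatment cannot be confirmed from here.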