Potential Issue Found: SQL Injection #2

Open
bgeesaman opened this issue Mar 28, 2025 · 0 comments
Comments

@bgeesaman

I've been doing source code analysis of certain types of public repos for specific classes of problems, and I found something in your repo from my research that you may want to take a look at.

Specifically:
https://github.com/tm26a21p/Area/blob/d0a7ddc143e69b72d79ac3819ee811727f16e1cd/backend/pkg/controllers/user.go#L43

When using GORM's db.First() method, if the second argument is a string that comes from user input instead of an int, it can provide a SQL Injection opportunity. GORM doesn't escape or automatically parameterize the query in this specific case. See https://gorm.io/docs/security.html#Inline-Condition for more details. The fix is to ensure that the second argument is always an integer or a struct.

Example:

id := c.Param("id")
db.First(&user, id) // If `id` is a string from attacker/user input, GORM performs direct concatenation

Fixed:

id := c.Param("id")
if parsedId, err := strconv.Atoi(id); err == nil {
    db.First(&user, parsedId) // Now `parsedId` is guaranteed to be an integer and GORM handles it safely
} else {
    ... handle the error
}

Note: This research has taken some time to complete, so the commit I'm referencing is a few weeks old. You may have already fixed this issue in a later commit. If so, feel free to ignore/close. Just wanted to give you a heads up as a courtesy in case you found it helpful.
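The two snippets above side by side, as an added example that is not part of the original issue and not code from the Area repository or from GORM. It uses only the Go standard library: parseUserID is a strict version of the strconv.Atoi check, and firstByInline is an assumed, deliberately simplified model of the inline-condition behaviour the issue describes (an integer is bound as a parameter, a string is concatenated into the statement); it is not GORM's implementation. The sample inputs in main are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// ErrBadID is returned for any path parameter that is not a plain decimal integer.
var ErrBadID = errors.New("invalid user id: expected a plain decimal integer")

// parseUserID is the hardening step: it accepts only a non-empty, base-10,
// unsigned integer with no sign, whitespace or other characters, so the value
// handed to the ORM can only ever be an integer primary key.
func parseUserID(raw string) (uint64, error) {
	if raw == "" || len(raw) > 20 { // math.MaxUint64 has 20 digits
		return 0, ErrBadID
	}
	id, err := strconv.ParseUint(raw, 10, 64) // rejects "+1", " 7", "0x10", "1_000"
	if err != nil {
		return 0, ErrBadID
	}
	return id, nil
}

// Query is the statement a finder would send to the database: the SQL text
// plus the bound parameters (nil when nothing is parameterised).
type Query struct {
	SQL  string
	Args []interface{}
}

// firstByInline is an assumed, simplified model of the inline-condition
// behaviour described in the issue, not GORM's code: an integer condition is
// bound as a parameter, while a string condition is concatenated as raw SQL.
func firstByInline(cond interface{}) Query {
	switch v := cond.(type) {
	case int, int64, uint, uint64:
		return Query{SQL: "SELECT * FROM users WHERE id = ? ORDER BY id LIMIT 1", Args: []interface{}{v}}
	case string:
		return Query{SQL: "SELECT * FROM users WHERE " + v + " ORDER BY id LIMIT 1"}
	default:
		panic(fmt.Sprintf("unsupported condition type %T", cond))
	}
}

// findUserVulnerable mirrors the pattern flagged in the issue: the raw path
// parameter is passed straight through as the inline condition.
func findUserVulnerable(rawID string) Query {
	return firstByInline(rawID)
}

// findUserHardened parses the parameter into an integer first and rejects the
// request outright if that fails, so the ORM never sees a string condition.
func findUserHardened(rawID string) (Query, error) {
	id, err := parseUserID(rawID)
	if err != nil {
		return Query{}, err
	}
	return firstByInline(id), nil
}

func main() {
	// Constructed sample inputs: one honest id and one crafted value of the
	// kind an attacker could place in the :id path segment.
	for _, raw := range []string{"42", "id = 1 OR 1=1"} {
		fmt.Printf("input %q\n", raw)
		q := findUserVulnerable(raw)
		fmt.Printf("  vulnerable: %s  args=%v\n", q.SQL, q.Args)
		if h, err := findUserHardened(raw); err != nil {
			fmt.Printf("  hardened:   rejected (%v)\n", err)
		} else {
			fmt.Printf("  hardened:   %s  args=%v\n", h.SQL, h.Args)
		}
	}
}
```

The point of ParseUint over Atoi is that it also rejects a leading sign, and returning an error (rather than falling back to 0 or to the raw string) means a malformed id becomes a 400-style rejection in the handler instead of a query the ORM has to interpret.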
