From 4688603d80fd99f4c2a43b123ddb8ddf1d8569e2 Mon Sep 17 00:00:00 2001
From: pwn <noreply>
Date: Fri, 5 Dec 2025 11:43:04 +0300
Subject: [PATCH] Patch sonobank

---
 sonobank/crates/server/src/main.rs | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/sonobank/crates/server/src/main.rs b/sonobank/crates/server/src/main.rs
index 2a34d63..81f39e4 100644
--- a/sonobank/crates/server/src/main.rs
+++ b/sonobank/crates/server/src/main.rs
@@ -208,6 +208,10 @@ fn extract_payload(path: &str) -> String {
     }
 }
 #[allow(dead_code)]
+fn escape_sql_literal(value: &str) -> String {
+    value.replace('\\', "\\\\").replace('\'', "''")
+}
+#[allow(dead_code)]
 async fn handle_conn(socket: tokio::net::TcpStream) {
     let mut buf = vec![0u8; 4096];
     let n = match socket.try_read(&mut buf) {
@@ -221,7 +225,8 @@ async fn handle_conn(socket: tokio::net::TcpStream) {
     let path = parts.next().unwrap_or("");
     if method == "GET" {
         let payload = extract_payload(path);
-        let simulated = format!("SELECT * FROM test WHERE field = '{}'", payload);
+        let escaped_payload = escape_sql_literal(&payload);
+        let simulated = format!("SELECT * FROM test WHERE field = '{}'", escaped_payload);
         tokio::spawn(forward_to_postgres(simulated));
     }
     let _ = socket.try_write(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok");