Posted to commits@phoenix.apache.org by sa...@apache.org on 2017/02/14 23:41:58 UTC
[09/50] [abbrv] phoenix git commit: PHOENIX-3613 Avoid possible SQL
Injection with proper input validations(Rajeshbabu)
PHOENIX-3613 Avoid possible SQL Injection with proper input validations(Rajeshbabu)
Project: http://git-wip-us.apache.org/repos/asf/phoenix/repo
Commit: http://git-wip-us.apache.org/repos/asf/phoenix/commit/2fd9b086
Tree: http://git-wip-us.apache.org/repos/asf/phoenix/tree/2fd9b086
Diff: http://git-wip-us.apache.org/repos/asf/phoenix/diff/2fd9b086
Branch: refs/heads/encodecolumns2
Commit: 2fd9b08614606004f56fa19885406e97e7e4ea80
Parents: 88078fd
Author: Rajeshbabu Chintaguntla <ra...@apache.org>
Authored: Fri Jan 20 23:13:32 2017 +0530
Committer: Rajeshbabu Chintaguntla <ra...@apache.org>
Committed: Fri Jan 20 23:13:32 2017 +0530
----------------------------------------------------------------------
.../tracingwebapp/http/EntityFactory.java | 19 +-----------------
.../tracingwebapp/http/TraceServlet.java | 21 ++++++++++++++++++--
2 files changed, 20 insertions(+), 20 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/phoenix/blob/2fd9b086/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/EntityFactory.java
----------------------------------------------------------------------
diff --git a/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/EntityFactory.java b/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/EntityFactory.java
index afb6312..a17630d 100644
--- a/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/EntityFactory.java
+++ b/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/EntityFactory.java
@@ -39,29 +39,12 @@ public class EntityFactory {
this.connection = connection;
}
- public Map<String, Object> findSingle(Object[] params) throws SQLException {
- List<Map<String, Object>> objects = this.findMultiple(params);
-
- if (objects.size() != 1) {
- throw new SQLException("Query did not produce one object it produced: "
- + objects.size() + " objects.");
- }
-
- Map<String, Object> object = objects.get(0); // get first record;
-
- return object;
- }
-
- public List<Map<String, Object>> findMultiple(Object[] params)
+ public List<Map<String, Object>> findMultiple()
throws SQLException {
ResultSet rs = null;
PreparedStatement ps = null;
try {
ps = this.connection.prepareStatement(this.queryString);
- for (int i = 0; i < params.length; ++i) {
- ps.setObject(1, params[i]);
- }
-
rs = ps.executeQuery();
return getEntitiesFromResultSet(rs);
} catch (SQLException e) {
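Review bot: The removed binding loop was broken rather than unnecessary (it always wrote bind index 1, `ps.setObject(1, params[i])`), and deleting it altogether forces TraceServlet to assemble every query by string concatenation, which the new parse checks then have to guard. Keeping a parameterized overload with the index corrected, `ps.setObject(i + 1, params[i]);`, would let limit, parentId and traceId travel as `?` bind values, the standard defence for this class of query; a column name such as countby cannot be bound, so that allow-list check would still be needed. Whether Phoenix accepts a bind parameter in a LIMIT clause should be confirmed before relying on it there. findMultiple continues past the hunk, so the closing of rs and ps is not visible here.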
http://git-wip-us.apache.org/repos/asf/phoenix/blob/2fd9b086/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/TraceServlet.java
----------------------------------------------------------------------
diff --git a/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/TraceServlet.java b/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/TraceServlet.java
index de047ba..c20b20d 100755
--- a/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/TraceServlet.java
+++ b/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/TraceServlet.java
@@ -25,7 +25,7 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.codehaus.jackson.map.ObjectMapper;
-
+import org.apache.phoenix.metrics.MetricInfo;
import java.sql.Connection;
import java.sql.SQLException;
import java.util.List;
@@ -82,6 +82,11 @@ public class TraceServlet extends HttpServlet {
if(limit == null) {
limit = DEFAULT_LIMIT;
}
+ try{
+ Long.parseLong(limit);
+ } catch (NumberFormatException e) {
+ throw new RuntimeException("The LIMIT passed to the query is not a number.", e);
+ }
String sqlQuery = "SELECT * FROM " + TRACING_TABLE + " LIMIT "+limit;
json = getResults(sqlQuery);
return getJson(json);
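Review bot: The value returned by `Long.parseLong(limit)` is discarded and the original string is still concatenated at `String sqlQuery = "SELECT * FROM " + TRACING_TABLE + " LIMIT "+limit;`, so the check and the query operate on different representations; a sign character or leading zeros that parseLong accepts reach the SQL untouched. Keeping the parsed value, `long parsedLimit = Long.parseLong(limit);` and `" LIMIT " + parsedLimit`, builds the SQL from the canonical number and makes the dependency between check and query explicit. A negative or zero limit still parses; if the query should not accept one, a range check belongs at the same place. The same discarded-result pattern appears in the searchTrace hunk for parentId and traceId. The enclosing method starts before and ends after this hunk.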
@@ -93,6 +98,8 @@ public class TraceServlet extends HttpServlet {
if(countby == null) {
countby = DEFAULT_COUNTBY;
}
+ // Throws exception if the column not present in the trace table.
+ MetricInfo.getColumnName(countby.toLowerCase());
String sqlQuery = "SELECT "+countby+", COUNT(*) AS count FROM " + TRACING_TABLE + " GROUP BY "+countby+" HAVING COUNT(*) > 1 ";
json = getResults(sqlQuery);
return json;
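Review bot: The result of `MetricInfo.getColumnName(countby.toLowerCase())` is dropped and the raw `countby` is concatenated into the SELECT and GROUP BY, while the validation ran on the lower-cased copy; the string that reaches SQL is therefore not the one that was checked. Assuming getColumnName returns the table column for the given name, as its name suggests, use that value: `String column = MetricInfo.getColumnName(countby.toLowerCase(Locale.ROOT));` and build the query from `column` in both places. `toLowerCase()` without a locale is locale-sensitive (the Turkish dotted i is the usual example), hence Locale.ROOT, which needs a `java.util.Locale` import. The enclosing method starts before this hunk.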
@@ -102,6 +109,16 @@ public class TraceServlet extends HttpServlet {
protected String searchTrace(String parentId, String traceId,String logic) {
String json = null;
String query = null;
+ // Check the parent Id, trace id type or long or not.
+ try {
+ Long.parseLong(parentId);
+ Long.parseLong(traceId);
+ } catch (NumberFormatException e) {
+ throw new RuntimeException("The passed parentId/traceId is not a number.", e);
+ }
+ if(!logic.equals(LOGIC_AND) || !logic.equals(LOGIC_OR)) {
+ throw new RuntimeException("Wrong logical operator passed to the query. Only "+ LOGIC_AND+","+LOGIC_OR+" are allowed.") ;
+ }
if(parentId != null && traceId != null) {
query = "SELECT * FROM " + TRACING_TABLE + " WHERE parent_id="+parentId+" "+logic+" trace_id="+traceId;
}else if (parentId != null && traceId == null) {
@@ -132,7 +149,7 @@ public class TraceServlet extends HttpServlet {
con = ConnectionFactory.getConnection();
EntityFactory nutrientEntityFactory = new EntityFactory(con,sqlQuery);
List<Map<String, Object>> nutrients = nutrientEntityFactory
- .findMultiple(new Object[] {});
+ .findMultiple();
ObjectMapper mapper = new ObjectMapper();
json = mapper.writeValueAsString(nutrients);
} catch (Exception e) {