Posted to commits@kylin.apache.org by ni...@apache.org on 2020/02/07 08:04:30 UTC

[kylin] 03/15: Ensure the validity of http header from concated string

This is an automated email from the ASF dual-hosted git repository.

nic pushed a commit to branch 2.6.x
in repository https://gitbox.apache.org/repos/asf/kylin.git

commit b2c529df507e5a5b8447908d4405e1d9ceacf9f1
Author: nichunen <ni...@apache.org>
AuthorDate: Mon Jan 13 13:17:15 2020 +0800

    Ensure the validity of HTTP header from concatenated string
---
 .../java/org/apache/kylin/rest/controller/CubeController.java  |  3 ++-
 .../java/org/apache/kylin/rest/controller/QueryController.java | 10 ++++++----
 .../src/main/java/org/apache/kylin/rest/util/ValidateUtil.java |  8 ++++++--
 3 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/server-base/src/main/java/org/apache/kylin/rest/controller/CubeController.java b/server-base/src/main/java/org/apache/kylin/rest/controller/CubeController.java
index f664e66..dceb39d 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/controller/CubeController.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/controller/CubeController.java
@@ -852,7 +852,8 @@ public class CubeController extends BasicController {
         }
 
         response.setContentType("text/json;charset=utf-8");
-        response.setHeader("Content-Disposition", "attachment; filename=\"" + cubeName + ".json\"");
+        response.setHeader("Content-Disposition",
+                "attachment; filename=\"" + ValidateUtil.convertStringToBeAlphanumericUnderscore(cubeName) + ".json\"");
         try (PrintWriter writer = response.getWriter()) {
             writer.write(JsonUtil.writeValueAsString(dimensionSetList));
         } catch (IOException e) {
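Review bot: `ValidateUtil.convertStringToBeAlphanumericUnderscore(cubeName)` on the new line 32 can return an empty string when every character of the name is stripped, and throws NullPointerException for a null argument, so the header can become `filename=".json"` or the request can fail with a 500 before the body is written; the same applies to the `format` argument in the QueryController hunk below. Consider a fixed fallback when the sanitized value is empty, e.g. `String safeName = ValidateUtil.convertStringToBeAlphanumericUnderscore(cubeName); if (safeName.isEmpty()) { safeName = "cube"; }` and use `safeName` in the header. Whether cubeName is already validated as non-null is not visible here; the enclosing method starts outside the hunk.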
diff --git a/server-base/src/main/java/org/apache/kylin/rest/controller/QueryController.java b/server-base/src/main/java/org/apache/kylin/rest/controller/QueryController.java
index 6b56e91..da0a1e5 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/controller/QueryController.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/controller/QueryController.java
@@ -49,6 +49,7 @@ import org.apache.kylin.rest.request.SQLRequest;
 import org.apache.kylin.rest.request.SaveSqlRequest;
 import org.apache.kylin.rest.response.SQLResponse;
 import org.apache.kylin.rest.service.QueryService;
+import org.apache.kylin.rest.util.ValidateUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -77,14 +78,13 @@ public class QueryController extends BasicController {
 
     @SuppressWarnings("unused")
     private static final Logger logger = LoggerFactory.getLogger(QueryController.class);
-
+    private static String BOM_CHARACTER;
     @Autowired
     @Qualifier("queryService")
     private QueryService queryService;
 
-    private static String BOM_CHARACTER;
     {
-        BOM_CHARACTER = new String(new byte[]{(byte) 0xEF, (byte) 0xBB, (byte) 0xBF}, StandardCharsets.UTF_8);
+        BOM_CHARACTER = new String(new byte[] { (byte) 0xEF, (byte) 0xBB, (byte) 0xBF }, StandardCharsets.UTF_8);
     }
 
     @RequestMapping(value = "/query", method = RequestMethod.POST, produces = { "application/json" })
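Review bot: `BOM_CHARACTER` (moved to line 53) is a non-final static field that the instance initializer at lines 59–62 re-assigns every time a QueryController is constructed; the value is a constant, so it belongs in a static initializer: `private static final String BOM_CHARACTER = new String(new byte[] { (byte) 0xEF, (byte) 0xBB, (byte) 0xBF }, StandardCharsets.UTF_8);` with the instance-initializer block removed. The moved declaration also lands directly under the logger with no blank line before `@Autowired`, unlike the rest of the field list.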
@@ -148,7 +148,9 @@ public class QueryController extends BasicController {
         SimpleDateFormat sdf = new SimpleDateFormat("yyyyMMddHHmmssSSS", Locale.ROOT);
         Date now = new Date();
         String nowStr = sdf.format(now);
-        response.setHeader("Content-Disposition", "attachment; filename=\"" + nowStr + ".result." + format + "\"");
+        response.setHeader("Content-Disposition",
+                "attachment; filename=\"" + ValidateUtil.convertStringToBeAlphanumericUnderscore(nowStr) + ".result."
+                        + ValidateUtil.convertStringToBeAlphanumericUnderscore(format) + "\"");
         ICsvListWriter csvWriter = null;
 
         try {
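Review bot: Sanitizing `format` on the new lines 71–72 strips unexpected characters rather than rejecting them, so an unrecognized value still reaches the download path with a silently altered filename; if `format` is a request parameter selecting the export type (not visible in this hunk), checking `ValidateUtil.isAlphanumericUnderscore(format)` and returning a 4xx on failure would be the stricter form. The call on `nowStr` is redundant, since `yyyyMMddHHmmssSSS` with `Locale.ROOT` produces digits only; either drop it or mark it `// defensive: nowStr is digits only`. The enclosing method starts and ends outside the hunk.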
diff --git a/server-base/src/main/java/org/apache/kylin/rest/util/ValidateUtil.java b/server-base/src/main/java/org/apache/kylin/rest/util/ValidateUtil.java
index 1d56a71..bda2628 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/util/ValidateUtil.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/util/ValidateUtil.java
@@ -50,7 +50,7 @@ import com.google.common.base.Preconditions;
 
 @Component("validateUtil")
 public class ValidateUtil {
-    private final static Pattern alphaNumUnderscorePattren = Pattern.compile("[a-zA-Z0-9_]+");
+    private final static Pattern alphaNumUnderscorePattern = Pattern.compile("[a-zA-Z0-9_]+");
 
     @Autowired
     @Qualifier("tableService")
@@ -73,7 +73,11 @@ public class ValidateUtil {
     private IUserGroupService userGroupService;
 
     public static boolean isAlphanumericUnderscore(String toCheck) {
-        return toCheck == null ? false : alphaNumUnderscorePattren.matcher(toCheck).matches();
+        return toCheck != null && alphaNumUnderscorePattern.matcher(toCheck).matches();
+    }
+
+    public static String convertStringToBeAlphanumericUnderscore(String toBeConverted) {
+        return toBeConverted.replaceAll("[^a-zA-Z0-9_]", "");
     }
 
     public void checkIdentifiersExists(String name, boolean isPrincipal) throws IOException {
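Review bot: `convertStringToBeAlphanumericUnderscore` (line 98) throws NullPointerException on a null argument, while its sibling `isAlphanumericUnderscore` on line 94 tolerates null, and it recompiles the regex on every call even though the class already caches `alphaNumUnderscorePattern`. A compiled negated pattern and a null guard make the two consistent: `private static final Pattern nonAlphaNumUnderscorePattern = Pattern.compile("[^a-zA-Z0-9_]");` and `return toBeConverted == null ? "" : nonAlphaNumUnderscorePattern.matcher(toBeConverted).replaceAll("");`. A Javadoc should also state that the result may be empty when no character survives, since callers embed it in a Content-Disposition header.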