Posted to commits@iotdb.apache.org by er...@apache.org on 2022/04/08 08:44:34 UTC
[iotdb] branch master updated: [IOTDB-2862] Fix SQL injection risks of grafana-connector (#5450)
This is an automated email from the ASF dual-hosted git repository.
ericpai pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/master by this push:
new edad9ddf0d [IOTDB-2862] Fix SQL injection risks of grafana-connector (#5450)
edad9ddf0d is described below
commit edad9ddf0d6cc69ee29a9cd9410c5681af53ac56
Author: BaiJian <er...@hotmail.com>
AuthorDate: Fri Apr 8 16:44:29 2022 +0800
[IOTDB-2862] Fix SQL injection risks of grafana-connector (#5450)
---
.../controller/DatabaseConnectController.java | 3 +-
.../iotdb/web/grafana/dao/impl/BasicDaoImpl.java | 43 +++++++++++-----------
2 files changed, 24 insertions(+), 22 deletions(-)
diff --git a/grafana-connector/src/main/java/org/apache/iotdb/web/grafana/controller/DatabaseConnectController.java b/grafana-connector/src/main/java/org/apache/iotdb/web/grafana/controller/DatabaseConnectController.java
index 135ecfcec4..788e983b09 100644
--- a/grafana-connector/src/main/java/org/apache/iotdb/web/grafana/controller/DatabaseConnectController.java
+++ b/grafana-connector/src/main/java/org/apache/iotdb/web/grafana/controller/DatabaseConnectController.java
@@ -30,6 +30,7 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.RequestBody;
@@ -92,7 +93,7 @@ public class DatabaseConnectController {
*
* @return data in JSON format
*/
- @RequestMapping(value = "/query")
+ @RequestMapping(value = "/query", produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
@ResponseBody
public String query(@RequestBody String json) {
String targetStr = "target";
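Review bot: `MediaType.APPLICATION_JSON_UTF8_VALUE` on the new `@RequestMapping` is deprecated in Spring Framework from 5.2 onward (JSON is UTF-8 by definition, so the charset parameter is redundant); if the project's Spring version is at or past that, `produces = MediaType.APPLICATION_JSON_VALUE` gives the same response type without the deprecation warning. The attribute is also unrelated to the SQL-injection fix named in the title, so a short comment on why an explicit JSON content type was needed here would help the next reader. `query`'s body continues below the hunk.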
diff --git a/grafana-connector/src/main/java/org/apache/iotdb/web/grafana/dao/impl/BasicDaoImpl.java b/grafana-connector/src/main/java/org/apache/iotdb/web/grafana/dao/impl/BasicDaoImpl.java
index bd3cb166c6..dc68618d4b 100644
--- a/grafana-connector/src/main/java/org/apache/iotdb/web/grafana/dao/impl/BasicDaoImpl.java
+++ b/grafana-connector/src/main/java/org/apache/iotdb/web/grafana/dao/impl/BasicDaoImpl.java
@@ -132,34 +132,35 @@ public class BasicDaoImpl implements BasicDao {
long to = zonedCovertToLong(timeRange.right);
final long hours = Duration.between(timeRange.left, timeRange.right).toHours();
- String sql =
- String.format(
- "SELECT %s FROM root.%s WHERE time > %d and time < %d",
- s.substring(s.lastIndexOf('.') + 1),
- s.substring(0, s.lastIndexOf('.')),
- from * timestampRadioX,
- to * timestampRadioX);
+ String sql = "SELECT ? FROM root.? WHERE time > ? and time < ?";
+ Object[] params =
+ new Object[] {
+ s.substring(s.lastIndexOf('.') + 1),
+ s.substring(0, s.lastIndexOf('.')),
+ from * timestampRadioX,
+ to * timestampRadioX,
+ };
String columnName = "root." + s;
String intervalLocal = getInterval(hours);
if (!"".equals(intervalLocal)) {
- sql =
- String.format(
- "SELECT "
- + function
- + "(%s) FROM root.%s WHERE time > %d and time < %d group by ([%d, %d),%s)",
- s.substring(s.lastIndexOf('.') + 1),
- s.substring(0, s.lastIndexOf('.')),
- from * timestampRadioX,
- to * timestampRadioX,
- from * timestampRadioX,
- to * timestampRadioX,
- intervalLocal);
+ sql = "SELECT ?(?) FROM root.? WHERE time > ? and time < ? group by ([?, ?),?)";
+ params =
+ new Object[] {
+ function,
+ s.substring(s.lastIndexOf('.') + 1),
+ s.substring(0, s.lastIndexOf('.')),
+ from * timestampRadioX,
+ to * timestampRadioX,
+ from * timestampRadioX,
+ to * timestampRadioX,
+ intervalLocal
+ };
columnName = function + "(root." + s + ")";
}
- logger.info(sql);
- return jdbcTemplate.query(sql, new TimeValuesRowMapper(columnName));
+ logger.info("SQL: {}, Params: {}", sql, params);
+ return jdbcTemplate.query(sql, params, new TimeValuesRowMapper(columnName));
}
public String getInterval(final long hours) {
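Review bot: The `?` placeholders in both new `sql` assignments stand in for identifiers and a function name — the measurement, the path after `root.`, `function`, and the group-by interval — and JDBC parameter binding is defined for values, not identifiers, so whether these statements still parse and whether the substitution actually neutralizes the injection named in the title depends on how the IoTDB driver's prepared statement expands parameters, which is not visible in this hunk. An explicit allowlist check before the query is built would close the gap regardless of driver behaviour: reject `s` unless it matches the project's series-path rules and `function` unless it is one of the aggregations the connector supports, throwing `IllegalArgumentException` otherwise, and note in a comment that the interval comes from `getInterval` and is therefore internal. The two `s.substring(...)` expressions are also evaluated twice per branch; hoisting them into locals above the first `sql` assignment would make the validation point obvious. The enclosing method begins above this hunk.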