Posted to commits@iotdb.apache.org by er...@apache.org on 2022/04/08 08:44:34 UTC

[iotdb] branch master updated: [IOTDB-2862] Fix SQL injection risks of grafana-connector (#5450)

This is an automated email from the ASF dual-hosted git repository.

ericpai pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iotdb.git


The following commit(s) were added to refs/heads/master by this push:
     new edad9ddf0d [IOTDB-2862] Fix SQL injection risks of grafana-connector (#5450)
edad9ddf0d is described below

commit edad9ddf0d6cc69ee29a9cd9410c5681af53ac56
Author: BaiJian <er...@hotmail.com>
AuthorDate: Fri Apr 8 16:44:29 2022 +0800

    [IOTDB-2862] Fix SQL injection risks of grafana-connector (#5450)
---
 .../controller/DatabaseConnectController.java      |  3 +-
 .../iotdb/web/grafana/dao/impl/BasicDaoImpl.java   | 43 +++++++++++-----------
 2 files changed, 24 insertions(+), 22 deletions(-)

diff --git a/grafana-connector/src/main/java/org/apache/iotdb/web/grafana/controller/DatabaseConnectController.java b/grafana-connector/src/main/java/org/apache/iotdb/web/grafana/controller/DatabaseConnectController.java
index 135ecfcec4..788e983b09 100644
--- a/grafana-connector/src/main/java/org/apache/iotdb/web/grafana/controller/DatabaseConnectController.java
+++ b/grafana-connector/src/main/java/org/apache/iotdb/web/grafana/controller/DatabaseConnectController.java
@@ -30,6 +30,7 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -92,7 +93,7 @@ public class DatabaseConnectController {
    *
    * @return data in JSON format
    */
-  @RequestMapping(value = "/query")
+  @RequestMapping(value = "/query", produces = MediaType.APPLICATION_JSON_UTF8_VALUE)
   @ResponseBody
   public String query(@RequestBody String json) {
     String targetStr = "target";
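Review bot: `MediaType.APPLICATION_JSON_UTF8_VALUE` on the new `@RequestMapping` is deprecated since Spring Framework 5.2, because JSON is UTF-8 by definition and the charset parameter is redundant; if the project is on that Spring line, `produces = MediaType.APPLICATION_JSON_VALUE` gives the same response type without the deprecation warning. Declaring the content type is worthwhile on its own — a `String` return with `@ResponseBody` is otherwise served as `text/plain` by Spring's default converter, which presumably is what this change is working around. The `query` method's body continues below the hunk.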
diff --git a/grafana-connector/src/main/java/org/apache/iotdb/web/grafana/dao/impl/BasicDaoImpl.java b/grafana-connector/src/main/java/org/apache/iotdb/web/grafana/dao/impl/BasicDaoImpl.java
index bd3cb166c6..dc68618d4b 100644
--- a/grafana-connector/src/main/java/org/apache/iotdb/web/grafana/dao/impl/BasicDaoImpl.java
+++ b/grafana-connector/src/main/java/org/apache/iotdb/web/grafana/dao/impl/BasicDaoImpl.java
@@ -132,34 +132,35 @@ public class BasicDaoImpl implements BasicDao {
     long to = zonedCovertToLong(timeRange.right);
     final long hours = Duration.between(timeRange.left, timeRange.right).toHours();
 
-    String sql =
-        String.format(
-            "SELECT %s FROM root.%s WHERE time > %d and time < %d",
-            s.substring(s.lastIndexOf('.') + 1),
-            s.substring(0, s.lastIndexOf('.')),
-            from * timestampRadioX,
-            to * timestampRadioX);
+    String sql = "SELECT ? FROM root.? WHERE time > ? and time < ?";
+    Object[] params =
+        new Object[] {
+          s.substring(s.lastIndexOf('.') + 1),
+          s.substring(0, s.lastIndexOf('.')),
+          from * timestampRadioX,
+          to * timestampRadioX,
+        };
     String columnName = "root." + s;
 
     String intervalLocal = getInterval(hours);
     if (!"".equals(intervalLocal)) {
-      sql =
-          String.format(
-              "SELECT "
-                  + function
-                  + "(%s) FROM root.%s WHERE time > %d and time < %d group by ([%d, %d),%s)",
-              s.substring(s.lastIndexOf('.') + 1),
-              s.substring(0, s.lastIndexOf('.')),
-              from * timestampRadioX,
-              to * timestampRadioX,
-              from * timestampRadioX,
-              to * timestampRadioX,
-              intervalLocal);
+      sql = "SELECT ?(?) FROM root.? WHERE time > ? and time < ? group by ([?, ?),?)";
+      params =
+          new Object[] {
+            function,
+            s.substring(s.lastIndexOf('.') + 1),
+            s.substring(0, s.lastIndexOf('.')),
+            from * timestampRadioX,
+            to * timestampRadioX,
+            from * timestampRadioX,
+            to * timestampRadioX,
+            intervalLocal
+          };
       columnName = function + "(root." + s + ")";
     }
 
-    logger.info(sql);
-    return jdbcTemplate.query(sql, new TimeValuesRowMapper(columnName));
+    logger.info("SQL: {}, Params: {}", sql, params);
+    return jdbcTemplate.query(sql, params, new TimeValuesRowMapper(columnName));
   }
 
   public String getInterval(final long hours) {
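Review bot: The `?` placeholders in the two new statements stand in for identifiers — the select-list column, the path segment after `root.`, the aggregate function name and the `group by` interval — not for values, and JDBC parameter binding is defined only for value positions, so whether these queries still parse depends entirely on how IoTDB's prepared statement expands them; if the driver splices `setString` text into the statement verbatim, the injection risk the commit title names is relocated into the driver rather than removed. The defensible fix is to validate the request-derived pieces before any SQL is built: check `function` against an allowlist of the aggregation names the connector supports (a `Set<String>` constant, rejecting with `IllegalArgumentException` otherwise) and check each dot-separated segment of `s` against the identifier syntax IoTDB accepts, so that a path or function containing spaces, quotes or parentheses never reaches the query text. Only `from * timestampRadioX` and `to * timestampRadioX` are ordinary bind values; `intervalLocal` comes from `getInterval` and is not request-controlled. This method begins above the hunk, so where `s` and `function` originate is not visible here and the validation belongs at that entry point.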