Posted to notifications@skywalking.apache.org by wu...@apache.org on 2020/04/12 06:00:22 UTC

[skywalking] branch cve-sql-injection created (now 2b6aae3)

This is an automated email from the ASF dual-hosted git repository.

wusheng pushed a change to branch cve-sql-injection
in repository https://gitbox.apache.org/repos/asf/skywalking.git.


      at 2b6aae3  Fix security issue of the metrics query

This branch includes the following new commits:

     new 2b6aae3  Fix security issue of the metrics query

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.



[skywalking] 01/01: Fix security issue of the metrics query

Posted by wu...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

wusheng pushed a commit to branch cve-sql-injection
in repository https://gitbox.apache.org/repos/asf/skywalking.git

commit 2b6aae3b733f9dbeae1d6eff4f1975c723e1e7d1
Author: Wu Sheng <wu...@foxmail.com>
AuthorDate: Sun Apr 12 13:59:39 2020 +0800

    Fix security issue of the metrics query
---
 .../plugin/jdbc/h2/dao/H2MetricsQueryDAO.java      | 55 +++++++++++++---------
 1 file changed, 32 insertions(+), 23 deletions(-)

diff --git a/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2MetricsQueryDAO.java b/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2MetricsQueryDAO.java
index 8972d05..4ab5ca3 100644
--- a/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2MetricsQueryDAO.java
+++ b/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2MetricsQueryDAO.java
@@ -109,20 +109,24 @@ public class H2MetricsQueryDAO extends H2SQLExecutor implements IMetricsQueryDAO
     @Override
     public IntValues getLinearIntValues(String tableName, DownSampling downsampling, List<String> ids,
                                         String valueCName) throws IOException {
-        StringBuilder idValues = new StringBuilder();
-        for (int valueIdx = 0; valueIdx < ids.size(); valueIdx++) {
-            if (valueIdx != 0) {
-                idValues.append(",");
+        StringBuilder sql = new StringBuilder("select id, " + valueCName + " from " + tableName + " where id in (");
+        List<Object> parameters = new ArrayList();
+        for (int i = 0; i < ids.size(); i++) {
+            if (i == 0) {
+                sql.append("?");
+            } else {
+                sql.append(",?");
             }
-            idValues.append("'").append(ids.get(valueIdx)).append("'");
+            parameters.add(ids.get(i));
         }
+        sql.append(")");
 
         IntValues intValues = new IntValues();
 
         try (Connection connection = h2Client.getConnection()) {
+
             try (ResultSet resultSet = h2Client.executeQuery(
-                connection, "select id, " + valueCName + " from " + tableName + " where id in (" + idValues
-                    .toString() + ")")) {
+                connection, sql.toString(), parameters.toArray(new Object[0]))) {
                 while (resultSet.next()) {
                     KVInt kv = new KVInt();
                     kv.setId(resultSet.getString("id"));
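Review bot: Only the id list is bound as parameters; `valueCName` and `tableName` are still concatenated into the statement text in the `StringBuilder sql` initializer, and the same pattern appears in the two later hunks (the `sql` initializers for the multi-value and thermodynamic queries), so if either name can be influenced by the caller the query remains injectable and the fix should be paired with an identifier check such as `if (!tableName.matches("[A-Za-z0-9_]+") || !valueCName.matches("[A-Za-z0-9_]+")) throw new IllegalArgumentException("invalid identifier");` or an allow-list lookup against known tables and columns. The placeholder loop emits `where id in ()` when `ids` is empty, which H2 rejects as a syntax error instead of returning no rows; an early `if (ids.isEmpty()) { return intValues; }` after `intValues` is created would skip the round trip, and the other two methods have the same gap. `List<Object> parameters = new ArrayList();` uses a raw type and should be `new ArrayList<>()` to match the declared `List<Object>`, again in all three hunks. getLinearIntValues continues past the end of this hunk.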
@@ -143,13 +147,17 @@ public class H2MetricsQueryDAO extends H2SQLExecutor implements IMetricsQueryDAO
                                                   List<String> ids,
                                                   final List<Integer> linearIndex,
                                                   String valueCName) throws IOException {
-        StringBuilder idValues = new StringBuilder();
-        for (int valueIdx = 0; valueIdx < ids.size(); valueIdx++) {
-            if (valueIdx != 0) {
-                idValues.append(",");
+        StringBuilder sql = new StringBuilder("select id, " + valueCName + " from " + tableName + " where id in (");
+        List<Object> parameters = new ArrayList();
+        for (int i = 0; i < ids.size(); i++) {
+            if (i == 0) {
+                sql.append("?");
+            } else {
+                sql.append(",?");
             }
-            idValues.append("'").append(ids.get(valueIdx)).append("'");
+            parameters.add(ids.get(i));
         }
+        sql.append(")");
 
         IntValues[] intValuesArray = new IntValues[linearIndex.size()];
         for (int i = 0; i < intValuesArray.length; i++) {
@@ -158,8 +166,7 @@ public class H2MetricsQueryDAO extends H2SQLExecutor implements IMetricsQueryDAO
 
         try (Connection connection = h2Client.getConnection()) {
             try (ResultSet resultSet = h2Client.executeQuery(
-                connection, "select id, " + valueCName + " from " + tableName + " where id in (" + idValues
-                    .toString() + ")")) {
+                connection, sql.toString(), parameters.toArray(new Object[0]))) {
                 while (resultSet.next()) {
                     String id = resultSet.getString("id");
 
@@ -211,13 +218,18 @@ public class H2MetricsQueryDAO extends H2SQLExecutor implements IMetricsQueryDAO
     @Override
     public Thermodynamic getThermodynamic(String tableName, DownSampling downsampling, List<String> ids,
                                           String valueCName) throws IOException {
-        StringBuilder idValues = new StringBuilder();
-        for (int valueIdx = 0; valueIdx < ids.size(); valueIdx++) {
-            if (valueIdx != 0) {
-                idValues.append(",");
+        StringBuilder sql = new StringBuilder(
+            "select " + ThermodynamicMetrics.STEP + " step, " + ThermodynamicMetrics.NUM_OF_STEPS + " num_of_steps, " + ThermodynamicMetrics.DETAIL_GROUP + " detail_group, " + "id " + " from " + tableName + " where id in (");
+        List<Object> parameters = new ArrayList();
+        for (int i = 0; i < ids.size(); i++) {
+            if (i == 0) {
+                sql.append("?");
+            } else {
+                sql.append(",?");
             }
-            idValues.append("'").append(ids.get(valueIdx)).append("'");
+            parameters.add(ids.get(i));
         }
+        sql.append(")");
 
         List<List<Long>> thermodynamicValueCollection = new ArrayList<>();
         Map<String, List<Long>> thermodynamicValueMatrix = new HashMap<>();
@@ -227,10 +239,7 @@ public class H2MetricsQueryDAO extends H2SQLExecutor implements IMetricsQueryDAO
             int numOfSteps = 0;
             int axisYStep = 0;
             try (ResultSet resultSet = h2Client.executeQuery(
-                connection,
-                "select " + ThermodynamicMetrics.STEP + " step, " + ThermodynamicMetrics.NUM_OF_STEPS + " num_of_steps, " + ThermodynamicMetrics.DETAIL_GROUP + " detail_group, " + "id " + " from " + tableName + " where id in (" + idValues
-                    .toString() + ")"
-            )) {
+                connection, sql.toString(), parameters.toArray(new Object[0]))) {
 
                 while (resultSet.next()) {
                     axisYStep = resultSet.getInt("step");