Posted to commits@kylin.apache.org by ni...@apache.org on 2020/02/07 08:04:39 UTC

[kylin] 12/15: Validate uuid to prevent sql injection

This is an automated email from the ASF dual-hosted git repository.

nic pushed a commit to branch 2.6.x
in repository https://gitbox.apache.org/repos/asf/kylin.git

commit 5fbb6c9c3780d7384c8f1dc378b96bb9c43cfdbe
Author: nichunen <ni...@apache.org>
AuthorDate: Thu Jan 23 11:23:10 2020 +0800

    Validate uuid to prevent sql injection
---
 .../main/java/org/apache/kylin/rest/security/AclEntityFactory.java  | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/server-base/src/main/java/org/apache/kylin/rest/security/AclEntityFactory.java b/server-base/src/main/java/org/apache/kylin/rest/security/AclEntityFactory.java
index c799b0a..47f797b 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/security/AclEntityFactory.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/security/AclEntityFactory.java
@@ -18,6 +18,8 @@
 
 package org.apache.kylin.rest.security;
 
+import java.util.UUID;
+
 import org.apache.kylin.common.persistence.RootPersistentEntity;
 import org.apache.kylin.cube.CubeInstance;
 import org.apache.kylin.job.JobInstance;
@@ -30,6 +32,10 @@ import org.apache.kylin.metadata.project.ProjectInstance;
 public class AclEntityFactory implements AclEntityType {
 
     public static RootPersistentEntity createAclEntity(String entityType, String uuid) {
+        // Validate the uuid first, exception will be thrown if the uuid string is not a valid uuid
+        UUID uuidObj = UUID.fromString(uuid);
+        uuid = uuidObj.toString();
+
         if (CUBE_INSTANCE.equals(entityType)) {
             CubeInstance cubeInstance = new CubeInstance();
             cubeInstance.setUuid(uuid);
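Review bot: The validation added at L38 turns a null `uuid` into a NullPointerException rather than the IllegalArgumentException that `UUID.fromString` throws for malformed strings, so a missing parameter will surface as a different (and less descriptive) failure than a bad one; a guard before the parse keeps the two cases consistent: `if (uuid == null) throw new IllegalArgumentException("uuid must not be null");`. The comment on L37 would also be more useful if it named the exception and the reason for the re-serialization on L39, e.g. `// Reject anything that is not a UUID before it reaches a query: fromString throws IllegalArgumentException on malformed input, and toString() re-serializes to the canonical lowercase form so a leniently parsed value (older JDKs accept non-canonical component lengths) cannot carry odd formatting downstream.` Note that the IllegalArgumentException message from fromString echoes the raw input, so if callers surface it to the client it should presumably be mapped to a generic bad-request message rather than returned verbatim — worth confirming against the REST layer. The body of createAclEntity continues past the end of this hunk.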