Posted to commits@kylin.apache.org by ni...@apache.org on 2020/02/07 08:04:39 UTC
[kylin] 12/15: Validate uuid to prevent sql injection
This is an automated email from the ASF dual-hosted git repository.
nic pushed a commit to branch 2.6.x
in repository https://gitbox.apache.org/repos/asf/kylin.git
commit 5fbb6c9c3780d7384c8f1dc378b96bb9c43cfdbe
Author: nichunen <ni...@apache.org>
AuthorDate: Thu Jan 23 11:23:10 2020 +0800
Validate uuid to prevent SQL injection
---
.../main/java/org/apache/kylin/rest/security/AclEntityFactory.java | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/server-base/src/main/java/org/apache/kylin/rest/security/AclEntityFactory.java b/server-base/src/main/java/org/apache/kylin/rest/security/AclEntityFactory.java
index c799b0a..47f797b 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/security/AclEntityFactory.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/security/AclEntityFactory.java
@@ -18,6 +18,8 @@
package org.apache.kylin.rest.security;
+import java.util.UUID;
+
import org.apache.kylin.common.persistence.RootPersistentEntity;
import org.apache.kylin.cube.CubeInstance;
import org.apache.kylin.job.JobInstance;
@@ -30,6 +32,10 @@ import org.apache.kylin.metadata.project.ProjectInstance;
public class AclEntityFactory implements AclEntityType {
public static RootPersistentEntity createAclEntity(String entityType, String uuid) {
+ // Validate the uuid first, exception will be thrown if the uuid string is not a valid uuid
+ UUID uuidObj = UUID.fromString(uuid);
+ uuid = uuidObj.toString();
+
if (CUBE_INSTANCE.equals(entityType)) {
CubeInstance cubeInstance = new CubeInstance();
cubeInstance.setUuid(uuid);