Posted to commits@zeppelin.apache.org by ku...@apache.org on 2017/07/17 04:45:37 UTC

zeppelin git commit: [ZEPPELIN-2769] Prevent SQL injection for GetUserList.getUserList.

Repository: zeppelin
Updated Branches:
  refs/heads/master 3a57fc293 -> 709c5a70a


[ZEPPELIN-2769] Prevent SQL injection for GetUserList.getUserList.

### What is this PR for?
Prevent SQL injection for ```GetUserList.getUserList```.

### What type of PR is it?
Improvement

### What is the Jira issue?
https://issues.apache.org/jira/browse/ZEPPELIN-2769

Author: Yanbo Liang <yb...@gmail.com>

Closes #2487 from yanboliang/zeppelin-2769 and squashes the following commits:

d1a7ff9b [Yanbo Liang] Prevent SQL injection for GetUserList.getUserList.


Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/709c5a70
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/709c5a70
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/709c5a70

Branch: refs/heads/master
Commit: 709c5a70a8f37277c9eea0a1c0c9195b5eb21a74
Parents: 3a57fc2
Author: Yanbo Liang <yb...@gmail.com>
Authored: Wed Jul 12 15:25:05 2017 +0800
Committer: 1ambda <1a...@gmail.com>
Committed: Mon Jul 17 13:45:25 2017 +0900

----------------------------------------------------------------------
 .../src/main/java/org/apache/zeppelin/rest/GetUserList.java      | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/zeppelin/blob/709c5a70/zeppelin-server/src/main/java/org/apache/zeppelin/rest/GetUserList.java
----------------------------------------------------------------------
diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/rest/GetUserList.java b/zeppelin-server/src/main/java/org/apache/zeppelin/rest/GetUserList.java
index c0270dd..458d5bd 100644
--- a/zeppelin-server/src/main/java/org/apache/zeppelin/rest/GetUserList.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/rest/GetUserList.java
@@ -231,7 +231,7 @@ public class GetUserList {
         return userlist;
       }
 
-      userquery = "select " + username + " from " + tablename;
+      userquery = "select ? from ?";
 
     } catch (IllegalAccessException e) {
       LOG.error("Error while accessing dataSource for JDBC Realm", e);
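Review bot: the replacement `userquery = "select ? from ?";` does not remove the injection, because JDBC bind parameters can only substitute values, not identifiers: a `?` cannot stand in for a column or table name, so this statement will either be rejected by the driver at `prepareStatement` time or treat both placeholders as string literals. The column and table names still need to be validated before concatenation, for example by checking them against a strict identifier pattern or against the names reported by `DatabaseMetaData`, and then quoted with the driver's identifier quote string.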
@@ -241,6 +241,8 @@ public class GetUserList {
     try {
       Connection con = dataSource.getConnection();
       ps = con.prepareStatement(userquery);
+      ps.setString(1, username);
+      ps.setString(2, tablename);
       rs = ps.executeQuery();
       while (rs.next()) {
         userlist.add(rs.getString(1).trim());
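Review bot: `ps.setString(1, username)` and `ps.setString(2, tablename)` bind the identifiers as string values, so even on a database that accepts the statement, `select ? from ?` would return the literal username string for every row rather than the contents of the username column, and the `rs.getString(1).trim()` loop would collect that constant; the bound `from ?` is rejected outright by most drivers. Suggest reverting to a validated and quoted identifier in the query text, reserving `setString` for genuine value parameters, and adding a test that runs the query against a real JDBC driver, since as written this change would break the user-list lookup.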