Posted to commits@kylin.apache.org by li...@apache.org on 2017/07/03 08:08:29 UTC
[14/27] kylin git commit: KYLIN-2696 Check SQL injection in filter
condition
KYLIN-2696 Check SQL injection in filter condition
Project: http://git-wip-us.apache.org/repos/asf/kylin/repo
Commit: http://git-wip-us.apache.org/repos/asf/kylin/commit/2546e00c
Tree: http://git-wip-us.apache.org/repos/asf/kylin/tree/2546e00c
Diff: http://git-wip-us.apache.org/repos/asf/kylin/diff/2546e00c
Branch: refs/heads/master
Commit: 2546e00cf2f80b0f8abba9ec3cfe9a0fbce5cb4f
Parents: e7f9dab
Author: Xiaqing <45...@qq.com>
Authored: Fri Jun 30 09:42:07 2017 +0800
Committer: liyang-gmt8 <li...@apache.org>
Committed: Fri Jun 30 09:42:07 2017 +0800
----------------------------------------------------------------------
.../kylin/metadata/model/DataModelDesc.java | 43 ++++++++++++++++++++
1 file changed, 43 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/kylin/blob/2546e00c/core-metadata/src/main/java/org/apache/kylin/metadata/model/DataModelDesc.java
----------------------------------------------------------------------
diff --git a/core-metadata/src/main/java/org/apache/kylin/metadata/model/DataModelDesc.java b/core-metadata/src/main/java/org/apache/kylin/metadata/model/DataModelDesc.java
index 91802f7..341f36e 100644
--- a/core-metadata/src/main/java/org/apache/kylin/metadata/model/DataModelDesc.java
+++ b/core-metadata/src/main/java/org/apache/kylin/metadata/model/DataModelDesc.java
@@ -352,6 +352,7 @@ public class DataModelDesc extends RootPersistentEntity {
initDimensionsAndMetrics();
initPartitionDesc();
initComputedColumns(ccInfoMap);
+ initFilterCondition();
boolean reinit = validate();
if (reinit) { // model slightly changed by validate() and must init() again
@@ -505,6 +506,48 @@ public class DataModelDesc extends RootPersistentEntity {
}
}
+ //Check if the filter condition is illegal.
+ private void initFilterCondition() {
+ if (null == this.filterCondition) {
+ return;
+ }
+ int quotationType = 0;
+ int len = this.filterCondition.length();
+ for (int i = 0; i < len; i++) {
+ //If a ';' which is not within a string is found, throw exception.
+ if (';' == this.filterCondition.charAt(i) && 0 == quotationType) {
+ throw new IllegalStateException(
+ "Filter Condition is Illegal. Please check it and make sure it's an appropriate expression for WHERE clause");
+ }
+ if ('\'' == this.filterCondition.charAt(i)) {
+ if (quotationType > 0) {
+ if (1 == quotationType) {
+ quotationType = 0;
+ continue;
+ }
+ } else {
+ if (0 == quotationType) {
+ quotationType = 1;
+ continue;
+ }
+ }
+ }
+ if ('"' == this.filterCondition.charAt(i)) {
+ if (quotationType > 0) {
+ if (2 == quotationType) {
+ quotationType = 0;
+ continue;
+ }
+ } else {
+ if (0 == quotationType) {
+ quotationType = 2;
+ continue;
+ }
+ }
+ }
+ }
+ }
+
private void checkSameCCDefinition(Map<String, CCInfo> ccInfoMap, ComputedColumnDesc thisCCDesc,
String thisCCName) {
//check whether two computer columns's definition is the same.
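Review bot: The scan accepts a filter condition whose string literal is never closed, because `quotationType` is not checked after the loop ends at L76 — once a `'` or `"` opens a literal, every later `;` is treated as quoted and the check passes, so the method should also reject the condition when a quote is still open at the end of the string. The nested `if (quotationType > 0) { if (1 == quotationType) ... } else { if (0 == quotationType) ... }` blocks at L51-L61 and L64-L74 repeat the outer test in the inner one; a single variable holding the quote character that opened the current literal expresses the same state machine in far fewer branches. Note also that blocking `;` only guards against chaining a second statement; comment markers and other expression-level manipulation pass the scan, so this is a sanity filter rather than a complete SQL-injection defense and the header comment should say so, e.g. `// Sanity check only: rejects ';' outside string literals; does not validate the expression itself.` The rewrite below preserves the existing acceptance behavior (matching quote closes a literal, the other quote and ';' are ignored inside it) and adds the unterminated-literal rejection; the existing exception message is kept for the ';' case.
```java
    // Sanity check only: rejects ';' outside string literals and unterminated
    // literals; it does not validate the expression itself.
    private void initFilterCondition() {
        if (null == this.filterCondition) {
            return;
        }
        char openQuote = 0; // 0 = outside any literal, otherwise the quote char that opened it
        for (int i = 0; i < this.filterCondition.length(); i++) {
            char c = this.filterCondition.charAt(i);
            if (openQuote != 0) {
                if (c == openQuote) {
                    openQuote = 0;
                }
                continue;
            }
            if (c == '\'' || c == '"') {
                openQuote = c;
            } else if (c == ';') {
                throw new IllegalStateException(
                        "Filter Condition is Illegal. Please check it and make sure it's an appropriate expression for WHERE clause");
            }
        }
        if (openQuote != 0) {
            throw new IllegalStateException(
                    "Filter Condition is Illegal. A string literal is not terminated in the filter condition");
        }
    }
```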