Posted to commits@iotdb.apache.org by ro...@apache.org on 2022/05/20 09:59:36 UTC
[iotdb] branch master updated: [Vulnerability] Fix grafana conncetor SQL injection issue (#5969)
This is an automated email from the ASF dual-hosted git repository.
rong pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iotdb.git
The following commit(s) were added to refs/heads/master by this push:
new 7cfbda95ce [Vulnerability] Fix grafana conncetor SQL injection issue (#5969)
7cfbda95ce is described below
commit 7cfbda95cef7ab0f4d090d84555f56ece3b8735c
Author: CloudWise-Lukemiao <76...@users.noreply.github.com>
AuthorDate: Fri May 20 17:59:30 2022 +0800
[Vulnerability] Fix grafana conncetor SQL injection issue (#5969)
---
.../apache/iotdb/web/grafana/controller/DatabaseConnectController.java | 3 +++
1 file changed, 3 insertions(+)
diff --git a/grafana-connector/src/main/java/org/apache/iotdb/web/grafana/controller/DatabaseConnectController.java b/grafana-connector/src/main/java/org/apache/iotdb/web/grafana/controller/DatabaseConnectController.java
index 788e983b09..f13f7d5a49 100644
--- a/grafana-connector/src/main/java/org/apache/iotdb/web/grafana/controller/DatabaseConnectController.java
+++ b/grafana-connector/src/main/java/org/apache/iotdb/web/grafana/controller/DatabaseConnectController.java
@@ -111,6 +111,9 @@ public class DatabaseConnectController {
continue;
}
String target = object.get(targetStr).getAsString();
+ if (target.contains(";")) {
+ throw new Exception("Only one SQL statement is supported");
+ }
JsonObject obj = new JsonObject();
obj.addProperty("target", target);
String type = getJsonType(object);
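Review bot: The added `target.contains(";")` guard only rejects stacked statements, so it is a denylist and not a fix for the injection itself. If `target` is later concatenated into the query text (that code is outside this hunk), a value without a semicolon can still change the meaning of the single statement, and a legitimate value containing `;` is now refused. Consider validating `target` against the expected series-path format with an allowlist, e.g. `if (!TARGET_PATTERN.matcher(target).matches()) { throw new IllegalArgumentException("Invalid target"); }`, where `TARGET_PATTERN` is a new precompiled constant proposed here, not an existing one. Throwing a bare `Exception` also hides the cause from callers; a specific type plus a comment such as `// target comes from the Grafana request body and is untrusted` would make the intent clear. The enclosing loop and method start and end outside the hunk, so how `target` reaches the query could not be checked from here.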