Posted to commits@iotdb.apache.org by ro...@apache.org on 2022/05/20 09:59:36 UTC

[iotdb] branch master updated: [Vulnerability] Fix grafana conncetor SQL injection issue (#5969)

This is an automated email from the ASF dual-hosted git repository.

rong pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/iotdb.git


The following commit(s) were added to refs/heads/master by this push:
     new 7cfbda95ce [Vulnerability] Fix grafana conncetor SQL injection issue (#5969)
7cfbda95ce is described below

commit 7cfbda95cef7ab0f4d090d84555f56ece3b8735c
Author: CloudWise-Lukemiao <76...@users.noreply.github.com>
AuthorDate: Fri May 20 17:59:30 2022 +0800

    [Vulnerability] Fix grafana conncetor SQL injection issue (#5969)
---
 .../apache/iotdb/web/grafana/controller/DatabaseConnectController.java | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/grafana-connector/src/main/java/org/apache/iotdb/web/grafana/controller/DatabaseConnectController.java b/grafana-connector/src/main/java/org/apache/iotdb/web/grafana/controller/DatabaseConnectController.java
index 788e983b09..f13f7d5a49 100644
--- a/grafana-connector/src/main/java/org/apache/iotdb/web/grafana/controller/DatabaseConnectController.java
+++ b/grafana-connector/src/main/java/org/apache/iotdb/web/grafana/controller/DatabaseConnectController.java
@@ -111,6 +111,9 @@ public class DatabaseConnectController {
           continue;
         }
         String target = object.get(targetStr).getAsString();
+        if (target.contains(";")) {
+          throw new Exception("Only one SQL statement is supported");
+        }
         JsonObject obj = new JsonObject();
         obj.addProperty("target", target);
         String type = getJsonType(object);
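Review bot: The added guard `if (target.contains(";"))` is a single-character denylist, so it stops stacked statements but puts no constraint on what the one remaining statement is; where `target` is later turned into a query (outside this hunk, so inferred) it is presumably still concatenated as text. Validating `target` against an allowlist of the expected series-path form before use would be stronger, for example `if (!TARGET_PATTERN.matcher(target).matches()) { throw new IllegalArgumentException("Invalid target"); }`, where `TARGET_PATTERN` is a proposed new precompiled constant. The current check also rejects a legitimate target whose quoted text contains `;`, and throwing a raw `Exception` makes the rejection hard to tell apart from a backend failure when it is logged or handled. The enclosing loop and method begin and end outside the hunk.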