Posted to commits@linkis.apache.org by pe...@apache.org on 2022/10/19 02:42:38 UTC
[incubator-linkis] branch dev-1.3.1 updated: fix sql-injection risk in linkis-data-source-manager and linkis-metadataquery (#3631)
This is an automated email from the ASF dual-hosted git repository.
peacewong pushed a commit to branch dev-1.3.1
in repository https://gitbox.apache.org/repos/asf/incubator-linkis.git
The following commit(s) were added to refs/heads/dev-1.3.1 by this push:
new f50fd071c fix sql-injection risk in linkis-data-source-manager and linkis-metadataquery (#3631)
f50fd071c is described below
commit f50fd071c30548c2168ee1cd4feb55e10cc08c0f
Author: huangKai-2323 <62...@users.noreply.github.com>
AuthorDate: Wed Oct 19 10:42:33 2022 +0800
fix sql-injection risk in linkis-data-source-manager and linkis-metadataquery (#3631)
---
.../query/server/restful/MetadataCoreRestful.java | 52 ++++++++++++++++++++++
.../query/server/restful/MetadataQueryRestful.java | 51 ++++++++++++++++++++-
.../metadata/query/server/utils/MetadataUtils.java | 7 +++
3 files changed, 109 insertions(+), 1 deletion(-)
diff --git a/linkis-public-enhancements/linkis-datasource/linkis-metadata-query/server/src/main/java/org/apache/linkis/metadata/query/server/restful/MetadataCoreRestful.java b/linkis-public-enhancements/linkis-datasource/linkis-metadata-query/server/src/main/java/org/apache/linkis/metadata/query/server/restful/MetadataCoreRestful.java
index d8ee38daa..c454918bc 100644
--- a/linkis-public-enhancements/linkis-datasource/linkis-metadata-query/server/src/main/java/org/apache/linkis/metadata/query/server/restful/MetadataCoreRestful.java
+++ b/linkis-public-enhancements/linkis-datasource/linkis-metadata-query/server/src/main/java/org/apache/linkis/metadata/query/server/restful/MetadataCoreRestful.java
@@ -23,6 +23,7 @@ import org.apache.linkis.metadata.query.common.domain.MetaColumnInfo;
import org.apache.linkis.metadata.query.common.domain.MetaPartitionInfo;
import org.apache.linkis.metadata.query.common.exception.MetaMethodInvokeException;
import org.apache.linkis.metadata.query.server.service.MetadataQueryService;
+import org.apache.linkis.metadata.query.server.utils.MetadataUtils;
import org.apache.linkis.server.Message;
import org.apache.linkis.server.security.SecurityFilter;
@@ -38,6 +39,7 @@ import org.slf4j.LoggerFactory;
import java.util.List;
import java.util.Map;
+import java.util.regex.Matcher;
@RestController
@RequestMapping(value = "/metadatamanager")
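Review bot: The added `import java.util.regex.Matcher;` is not used by any line this commit adds to MetadataCoreRestful — every check calls `MetadataUtils.nameRegexPattern.matcher(x).matches()` inline without naming a `Matcher` — so unless pre-existing code in this file uses the type, the import is dead and should be dropped. The same applies to `import java.util.stream.Collectors;` added to MetadataQueryRestful further down in this commit, where none of the new lines use `Collectors`. Unused imports are usually flagged by the project's checkstyle/spotless setup, so this is likely to fail a later build step.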
@@ -57,6 +59,10 @@ public class MetadataCoreRestful {
if (StringUtils.isBlank(system)) {
return Message.error("'system' is missing[缺少系统名]");
}
+ if (!MetadataUtils.nameRegexPattern.matcher(dataSourceId).matches()) {
+ return Message.error("'dataSourceId' is invalid[数据源错误]");
+ }
+
List<String> databases =
metadataAppService.getDatabasesByDsId(
dataSourceId, system, SecurityFilter.getLoginUsername(request));
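Review bot: The check on `dataSourceId` here is an allow-list applied at the controller; `metadataAppService.getDatabasesByDsId(...)` and the DAO below it still receive the raw string, so the fix relies on every caller of the service going through this controller. If the service layer interpolates these names into SQL (inferred from the commit title, not visible here), quoting or parameterizing identifiers at that layer is the durable fix and this check is defence in depth. If `dataSourceId` is a numeric id — the name suggests so, but the signature is outside the hunk — a stricter `^\d+$` check would be more precise than the shared name regex. The same three-line block is repeated in every hunk of both files with slightly different Chinese messages (`数据库名称错误` here vs `数据库名错误` later); a small private helper such as `checkName(String value, String field)` that returns the `Message.error` or `null` would keep the messages consistent and cut the duplication. The enclosing method starts and ends outside this hunk.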
@@ -82,6 +88,12 @@ public class MetadataCoreRestful {
if (StringUtils.isBlank(system)) {
return Message.error("'system' is missing[缺少系统名]");
}
+ if (!MetadataUtils.nameRegexPattern.matcher(database).matches()) {
+ return Message.error("'database' is invalid[数据库名称错误]");
+ }
+ if (!MetadataUtils.nameRegexPattern.matcher(dataSourceId).matches()) {
+ return Message.error("'dataSourceId' is invalid[数据源错误]");
+ }
List<String> tables =
metadataAppService.getTablesByDsId(
dataSourceId,
@@ -116,6 +128,16 @@ public class MetadataCoreRestful {
if (StringUtils.isBlank(system)) {
return Message.error("'system' is missing[缺少系统名]");
}
+ if (!MetadataUtils.nameRegexPattern.matcher(database).matches()) {
+ return Message.error("'database' is invalid[数据库名错误]");
+ }
+ if (!MetadataUtils.nameRegexPattern.matcher(table).matches()) {
+ return Message.error("'table' is invalid[表名错误]");
+ }
+ if (!MetadataUtils.nameRegexPattern.matcher(dataSourceId).matches()) {
+ return Message.error("'dataSourceId' is invalid[数据源错误]");
+ }
+
Map<String, String> tableProps =
metadataAppService.getTablePropsByDsId(
dataSourceId,
@@ -156,6 +178,15 @@ public class MetadataCoreRestful {
if (StringUtils.isBlank(system)) {
return Message.error("'system' is missing[缺少系统名]");
}
+ if (!MetadataUtils.nameRegexPattern.matcher(database).matches()) {
+ return Message.error("'database' is invalid[数据库名错误]");
+ }
+ if (!MetadataUtils.nameRegexPattern.matcher(table).matches()) {
+ return Message.error("'table' is invalid[表名错误]");
+ }
+ if (!MetadataUtils.nameRegexPattern.matcher(dataSourceId).matches()) {
+ return Message.error("'dataSourceId' is invalid[数据源错误]");
+ }
MetaPartitionInfo partitionInfo =
metadataAppService.getPartitionsByDsId(
dataSourceId,
@@ -195,6 +226,18 @@ public class MetadataCoreRestful {
if (StringUtils.isBlank(system)) {
return Message.error("'system' is missing[缺少系统名]");
}
+ if (!MetadataUtils.nameRegexPattern.matcher(database).matches()) {
+ return Message.error("'database' is invalid[数据库名错误]");
+ }
+ if (!MetadataUtils.nameRegexPattern.matcher(table).matches()) {
+ return Message.error("'table' is invalid[表名错误]");
+ }
+ if (!MetadataUtils.nameRegexPattern.matcher(dataSourceId).matches()) {
+ return Message.error("'dataSourceId' is invalid[数据源错误]");
+ }
+ if (!MetadataUtils.nameRegexPattern.matcher(partition).matches()) {
+ return Message.error("'partition' is invalid[partition错误]");
+ }
Map<String, String> partitionProps =
metadataAppService.getPartitionPropsByDsId(
dataSourceId,
@@ -235,6 +278,15 @@ public class MetadataCoreRestful {
if (StringUtils.isBlank(system)) {
return Message.error("'system' is missing[缺少系统名]");
}
+ if (!MetadataUtils.nameRegexPattern.matcher(database).matches()) {
+ return Message.error("'database' is invalid[数据库名错误]");
+ }
+ if (!MetadataUtils.nameRegexPattern.matcher(table).matches()) {
+ return Message.error("'table' is invalid[表名错误]");
+ }
+ if (!MetadataUtils.nameRegexPattern.matcher(dataSourceId).matches()) {
+ return Message.error("'dataSourceId' is invalid[数据源错误]");
+ }
List<MetaColumnInfo> columns =
metadataAppService.getColumnsByDsId(
dataSourceId,
diff --git a/linkis-public-enhancements/linkis-datasource/linkis-metadata-query/server/src/main/java/org/apache/linkis/metadata/query/server/restful/MetadataQueryRestful.java b/linkis-public-enhancements/linkis-datasource/linkis-metadata-query/server/src/main/java/org/apache/linkis/metadata/query/server/restful/MetadataQueryRestful.java
index fdf1d7c6a..fc653181e 100644
--- a/linkis-public-enhancements/linkis-datasource/linkis-metadata-query/server/src/main/java/org/apache/linkis/metadata/query/server/restful/MetadataQueryRestful.java
+++ b/linkis-public-enhancements/linkis-datasource/linkis-metadata-query/server/src/main/java/org/apache/linkis/metadata/query/server/restful/MetadataQueryRestful.java
@@ -23,6 +23,7 @@ import org.apache.linkis.metadata.query.common.domain.MetaColumnInfo;
import org.apache.linkis.metadata.query.common.domain.MetaPartitionInfo;
import org.apache.linkis.metadata.query.common.exception.MetaMethodInvokeException;
import org.apache.linkis.metadata.query.server.service.MetadataQueryService;
+import org.apache.linkis.metadata.query.server.utils.MetadataUtils;
import org.apache.linkis.server.Message;
import org.apache.linkis.server.security.SecurityFilter;
@@ -42,6 +43,7 @@ import org.slf4j.LoggerFactory;
import java.util.List;
import java.util.Map;
+import java.util.stream.Collectors;
@Api(tags = "metadata query")
@RestController
@@ -66,7 +68,9 @@ public class MetadataQueryRestful {
if (StringUtils.isBlank(system)) {
return Message.error("'system' is missing[缺少系统名]");
}
-
+ if (!MetadataUtils.nameRegexPattern.matcher(dataSourceName).matches()) {
+ return Message.error("'dataSourceId' is invalid[数据源错误]");
+ }
List<String> databases =
metadataQueryService.getDatabasesByDsName(
dataSourceName, system, SecurityFilter.getLoginUsername(request));
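Review bot: The error message on the new check reports `'dataSourceId' is invalid` but the value validated is `dataSourceName`, so a client gets a message naming a parameter this endpoint does not take; change it to `return Message.error("'dataSourceName' is invalid[数据源错误]");`. The same copy-paste message appears in every other hunk of MetadataQueryRestful in this commit (the `getTablesByDsName`, `getTablePropsByDsName`, `getPartitionsByDsName`, `getPartitionPropsByDsName` and `getColumnsByDsName` call sites). The enclosing method starts and ends outside this hunk.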
@@ -98,6 +102,12 @@ public class MetadataQueryRestful {
if (StringUtils.isBlank(system)) {
return Message.error("'system' is missing[缺少系统名]");
}
+ if (!MetadataUtils.nameRegexPattern.matcher(dataSourceName).matches()) {
+ return Message.error("'dataSourceId' is invalid[数据源错误]");
+ }
+ if (!MetadataUtils.nameRegexPattern.matcher(database).matches()) {
+ return Message.error("'database' is invalid[数据库名称错误]");
+ }
List<String> tables =
metadataQueryService.getTablesByDsName(
dataSourceName,
@@ -137,6 +147,15 @@ public class MetadataQueryRestful {
if (StringUtils.isBlank(system)) {
return Message.error("'system' is missing[缺少系统名]");
}
+ if (!MetadataUtils.nameRegexPattern.matcher(database).matches()) {
+ return Message.error("'database' is invalid[数据库名错误]");
+ }
+ if (!MetadataUtils.nameRegexPattern.matcher(table).matches()) {
+ return Message.error("'table' is invalid[表名错误]");
+ }
+ if (!MetadataUtils.nameRegexPattern.matcher(dataSourceName).matches()) {
+ return Message.error("'dataSourceId' is invalid[数据源错误]");
+ }
Map<String, String> tableProps =
metadataQueryService.getTablePropsByDsName(
dataSourceName,
@@ -181,6 +200,15 @@ public class MetadataQueryRestful {
if (StringUtils.isBlank(system)) {
return Message.error("'system' is missing[缺少系统名]");
}
+ if (!MetadataUtils.nameRegexPattern.matcher(database).matches()) {
+ return Message.error("'database' is invalid[数据库名错误]");
+ }
+ if (!MetadataUtils.nameRegexPattern.matcher(table).matches()) {
+ return Message.error("'table' is invalid[表名错误]");
+ }
+ if (!MetadataUtils.nameRegexPattern.matcher(dataSourceName).matches()) {
+ return Message.error("'dataSourceId' is invalid[数据源错误]");
+ }
MetaPartitionInfo partitionInfo =
metadataQueryService.getPartitionsByDsName(
dataSourceName,
@@ -226,6 +254,18 @@ public class MetadataQueryRestful {
if (StringUtils.isBlank(system)) {
return Message.error("'system' is missing[缺少系统名]");
}
+ if (!MetadataUtils.nameRegexPattern.matcher(database).matches()) {
+ return Message.error("'database' is invalid[数据库名错误]");
+ }
+ if (!MetadataUtils.nameRegexPattern.matcher(table).matches()) {
+ return Message.error("'table' is invalid[表名错误]");
+ }
+ if (!MetadataUtils.nameRegexPattern.matcher(dataSourceName).matches()) {
+ return Message.error("'dataSourceId' is invalid[数据源错误]");
+ }
+ if (!MetadataUtils.nameRegexPattern.matcher(partition).matches()) {
+ return Message.error("'partition' is invalid[partition错误]");
+ }
Map<String, String> partitionProps =
metadataQueryService.getPartitionPropsByDsName(
dataSourceName,
@@ -271,6 +311,15 @@ public class MetadataQueryRestful {
if (StringUtils.isBlank(system)) {
return Message.error("'system' is missing[缺少系统名]");
}
+ if (!MetadataUtils.nameRegexPattern.matcher(database).matches()) {
+ return Message.error("'database' is invalid[数据库名错误]");
+ }
+ if (!MetadataUtils.nameRegexPattern.matcher(table).matches()) {
+ return Message.error("'table' is invalid[表名错误]");
+ }
+ if (!MetadataUtils.nameRegexPattern.matcher(dataSourceName).matches()) {
+ return Message.error("'dataSourceId' is invalid[数据源错误]");
+ }
List<MetaColumnInfo> columns =
metadataQueryService.getColumnsByDsName(
dataSourceName,
diff --git a/linkis-public-enhancements/linkis-datasource/linkis-metadata-query/server/src/main/java/org/apache/linkis/metadata/query/server/utils/MetadataUtils.java b/linkis-public-enhancements/linkis-datasource/linkis-metadata-query/server/src/main/java/org/apache/linkis/metadata/query/server/utils/MetadataUtils.java
index fefd29236..0e3b69a8e 100644
--- a/linkis-public-enhancements/linkis-datasource/linkis-metadata-query/server/src/main/java/org/apache/linkis/metadata/query/server/utils/MetadataUtils.java
+++ b/linkis-public-enhancements/linkis-datasource/linkis-metadata-query/server/src/main/java/org/apache/linkis/metadata/query/server/utils/MetadataUtils.java
@@ -17,6 +17,7 @@
package org.apache.linkis.metadata.query.server.utils;
+import org.apache.linkis.common.conf.CommonVars;
import org.apache.linkis.metadata.query.common.exception.MetaRuntimeException;
import org.apache.linkis.metadata.query.common.service.MetadataService;
@@ -33,6 +34,7 @@ import java.util.*;
import java.util.function.Function;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
+import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.slf4j.Logger;
@@ -47,6 +49,11 @@ public class MetadataUtils {
private static final Logger LOG = LoggerFactory.getLogger(MetadataUtils.class);
+ public static final String NAME_REGEX =
+ CommonVars.apply("wds.linkis.metadata.query.regex", "^[a-zA-Z\\-\\d_\\.=/:]+$").getValue();
+
+ public static final Pattern nameRegexPattern = Pattern.compile(NAME_REGEX);
+
public static MetadataService loadMetaService(
Class<? extends MetadataService> metaServiceClass, ClassLoader metaServiceClassLoader) {
ClassLoader storeClassLoader = Thread.currentThread().getContextClassLoader();
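Review bot: `nameRegexPattern` is a `public static final` constant and should follow the file's constant naming (`NAME_REGEX_PATTERN`), and it needs a Javadoc stating what it guards, e.g. `/** Allow-list for datasource/database/table/partition names received by the REST layer; configurable via wds.linkis.metadata.query.regex. */`. Because the regex is read from `CommonVars` and compiled in static initialisation, a malformed configured value surfaces as a `PatternSyntaxException` wrapped in `ExceptionInInitializerError` on first use of `MetadataUtils`, which is hard to diagnose from a REST handler; compiling it in a static block that logs the configured value on failure, or validating the value on startup, would make the misconfiguration obvious. Note also that the default allow-list admits `-`, `/`, `=` and `:`, none of which are identifier characters in common SQL dialects, so the check should not be treated as a substitute for quoting or parameterizing identifiers in the DAO, and an operator can loosen it further through the same config key.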