vanilla111 opened a new issue #3573:
URL: https://github.com/apache/incubator-dolphinscheduler/issues/3573


## Description

In the file `dolphinscheduler-dao/src/main/resources/org/apache/dolphinscheduler/dao/mapper/ProcessInstanceMapper.xml`, there is a method called `queryLastRunningProcess`; the SQL statement in it, on line 12, may cause horizontal unauthorized access.

If the caller does not notice this problem and provides a `startTime` or `endTime` which is `null`, then it is possible for him to query other users' process instances.
   
   
```
1.  <select id="queryLastRunningProcess" resultType="org.apache.dolphinscheduler.dao.entity.ProcessInstance">
2.      select *
3.      from t_ds_process_instance
4.      where 1=1
5.      <if test="states !=null and states.length != 0">
6.          and state in
7.          <foreach collection="states" item="i" index="index" open="(" separator="," close=")">
8.              #{i}
9.          </foreach>
10.     </if>
11.     <if test="startTime!=null and endTime != null ">
12.         and process_definition_id=#{processDefinitionId}
13.         and (schedule_time <![CDATA[ >= ]]> #{startTime} and schedule_time <![CDATA[ <= ]]> #{endTime}
14.               or start_time <![CDATA[ >= ]]> #{startTime} and start_time <![CDATA[ <= ]]> #{endTime})
15.     </if>
16.     order by start_time desc limit 1
17. </select>
```
   

