This is an automated email from the ASF dual-hosted git repository.
jmclean pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/gravitino.git
The following commit(s) were added to refs/heads/main by this push:
new 1081764626 [#7585] feat: add DB name validation to secure DB creation
(#7654)
1081764626 is described below
commit 1081764626379de5d5614c7f311789dfa8c3091b
Author: Reuben George <[email protected]>
AuthorDate: Fri Jul 11 07:18:46 2025 +0530
[#7585] feat: add DB name validation to secure DB creation (#7654)
### What changes were proposed in this pull request?
Added DB name validation to the createDatabase method to secure DB
creation.
Fix: #7585
### Does this PR introduce _any_ user-facing change?
No
### How was this patch tested?
Tested with unit tests to validate if invalid names are rejected and the
names in the TestDatabaseName enum are accepted
---
.../integration/test/container/MySQLContainer.java | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git
a/integration-test-common/src/test/java/org/apache/gravitino/integration/test/container/MySQLContainer.java
b/integration-test-common/src/test/java/org/apache/gravitino/integration/test/container/MySQLContainer.java
index 55f4549434..3cfb6ecc56 100644
---
a/integration-test-common/src/test/java/org/apache/gravitino/integration/test/container/MySQLContainer.java
+++
b/integration-test-common/src/test/java/org/apache/gravitino/integration/test/container/MySQLContainer.java
@@ -132,7 +132,13 @@ public class MySQLContainer extends BaseContainer {
DriverManager.getConnection(mySQLJdbcUrl, USER_NAME,
getPassword());
Statement statement = connection.createStatement()) {
- String query = String.format("CREATE DATABASE IF NOT EXISTS %s;",
testDatabaseName);
+ // validate database name to ensure it only contains safe characters
+ String databaseName = testDatabaseName.toString();
+ if (!isValidDatabaseName(databaseName)) {
+ throw new IllegalArgumentException("Invalid database name: " +
databaseName);
+ }
+
+ String query = String.format("CREATE DATABASE IF NOT EXISTS `%s`;",
databaseName);
// FIXME: String, which is used in SQL, can be unsafe
statement.execute(query);
LOG.info(String.format("MySQL container database %s has been created",
testDatabaseName));
@@ -141,6 +147,18 @@ public class MySQLContainer extends BaseContainer {
}
}
+ private boolean isValidDatabaseName(String databaseName) {
+ if (databaseName == null || databaseName.isEmpty()) {
+ return false;
+ }
+
+ if (databaseName.length() > 64) {
+ return false;
+ }
+
+ return databaseName.matches("^[a-zA-Z0-9_$]+$");
+ }
+
public String getUsername() {
return USER_NAME;
}
