This is an automated email from the ASF dual-hosted git repository. nic pushed a commit to branch 2.6.x in repository https://gitbox.apache.org/repos/asf/kylin.git
commit 1f9f44ceb818b46518176e81c6dea5a0d12750cf
Author: nichunen <[email protected]>
AuthorDate: Fri Jan 10 21:03:31 2020 +0800
Fix sql injection issue
---
.../org/apache/kylin/rest/service/CubeService.java | 36 ++++++++++++++++------
1 file changed, 27 insertions(+), 9 deletions(-)
diff --git a/server-base/src/main/java/org/apache/kylin/rest/service/CubeService.java b/server-base/src/main/java/org/apache/kylin/rest/service/CubeService.java
index b975cdc..c9f6fb9 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/service/CubeService.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/service/CubeService.java
@@ -69,6 +69,7 @@ import org.apache.kylin.metadata.project.ProjectManager;
 import org.apache.kylin.metadata.project.RealizationEntry;
 import org.apache.kylin.metadata.realization.RealizationStatusEnum;
 import org.apache.kylin.metadata.realization.RealizationType;
+import org.apache.kylin.metrics.MetricsManager;
 import org.apache.kylin.metrics.property.QueryCubePropertyEnum;
 import org.apache.kylin.rest.constant.Constant;
 import org.apache.kylin.rest.exception.BadRequestException;
@@ -77,6 +78,7 @@ import org.apache.kylin.rest.exception.InternalErrorException;
 import org.apache.kylin.rest.msg.Message;
 import org.apache.kylin.rest.msg.MsgPicker;
 import org.apache.kylin.rest.request.MetricsRequest;
+import org.apache.kylin.rest.request.PrepareSqlRequest;
 import org.apache.kylin.rest.response.CubeInstanceResponse;
 import org.apache.kylin.rest.response.CuboidTreeResponse;
 import org.apache.kylin.rest.response.CuboidTreeResponse.NodeInfo;
@@ -576,7 +578,8 @@ public class CubeService extends BasicService implements InitializingBean {
 List<String> toDelHDFSPaths = Lists.newArrayListWithCapacity(toRemoveSegs.size());
 for (CubeSegment seg : toRemoveSegs) {
 toDropHTables.add(seg.getStorageLocationIdentifier());
- toDelHDFSPaths.add(JobBuilderSupport.getJobWorkingDir(seg.getConfig().getHdfsWorkingDirectory(), seg.getLastBuildJobID()));
+ toDelHDFSPaths.add(JobBuilderSupport.getJobWorkingDir(seg.getConfig().getHdfsWorkingDirectory(),
+ seg.getLastBuildJobID()));
 }
 StorageCleanUtil.dropHTables(new HBaseAdmin(HBaseConnection.getCurrentHBaseConfiguration()), toDropHTables);
@@ -713,7 +716,6 @@ public class CubeService extends BasicService implements InitializingBean {
 return false;
 }
-
 public void validateCubeDesc(CubeDesc desc, boolean isDraft) {
 Message msg = MsgPicker.getMsg();
@@ -931,7 +933,7 @@ public class CubeService extends BasicService implements InitializingBean {
 long queryExactlyMatchCount = queryMatchMap == null || queryMatchMap.get(cuboidId) == null ? 0L : queryMatchMap.get(cuboidId);
 boolean ifExist = currentCuboidSet.contains(cuboidId);
- long rowCount = rowCountMap == null ? 0L : rowCountMap.get(cuboidId);
+ long rowCount = (rowCountMap == null || rowCountMap.size() == 0) ? 0L : rowCountMap.get(cuboidId);
 NodeInfo node = new NodeInfo();
 node.setId(cuboidId);
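Review bot: The new `rowCount` guard in the `@@ -931` hunk still unboxes `rowCountMap.get(cuboidId)` into a primitive `long`, so a non-empty map that has no entry for `cuboidId` throws a NullPointerException; `size() == 0` only covers the empty-map case. The line directly above already handles the same situation for `queryMatchMap` by testing the lookup itself, and the same shape fixes this one while also covering the empty map: `long rowCount = rowCountMap == null || rowCountMap.get(cuboidId) == null ? 0L : rowCountMap.get(cuboidId);`. This assumes `rowCountMap` is a `Map` of boxed `Long` values, which the assignment to `long` suggests but the hunk does not show. The enclosing method starts and ends outside the hunk.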
@@ -980,9 +982,10 @@ public class CubeService extends BasicService implements InitializingBean {
 String table = getMetricsManager().getSystemTableFromSubject(getConfig().getKylinMetricsSubjectQueryCube());
 String sql = "select " + cuboidColumn + ", sum(" + hitMeasure + ")" //
 + " from " + table//
- + " where " + QueryCubePropertyEnum.CUBE.toString() + " = '" + cubeName + "'" //
+ + " where " + QueryCubePropertyEnum.CUBE.toString() + " = ?" //
 + " group by " + cuboidColumn;
- List<List<String>> orgHitFrequency = queryService.querySystemCube(sql).getResults();
+
+ List<List<String>> orgHitFrequency = getPrepareQueryResult(cubeName, sql);
 return formatQueryCount(orgHitFrequency);
 }
@@ -994,9 +997,10 @@ public class CubeService extends BasicService implements InitializingBean {
 String table = getMetricsManager().getSystemTableFromSubject(getConfig().getKylinMetricsSubjectQueryCube());
 String sql = "select " + cuboidSource + ", " + cuboidTgt + ", avg(" + aggCount + "), avg(" + returnCount + ")"//
 + " from " + table //
- + " where " + QueryCubePropertyEnum.CUBE.toString() + " = '" + cubeName + "' " //
+ + " where " + QueryCubePropertyEnum.CUBE.toString() + " = ?" //
 + " group by " + cuboidSource + ", " + cuboidTgt;
- List<List<String>> orgRollingUpCount = queryService.querySystemCube(sql).getResults();
+
+ List<List<String>> orgRollingUpCount = getPrepareQueryResult(cubeName, sql);
 return formatRollingUpStats(orgRollingUpCount);
 }
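Review bot: Only `cubeName` is bound as a parameter in the `@@ -980` hunk; `cuboidColumn`, `hitMeasure` and `table` are still concatenated into the statement. Inside the hunk `table` comes from `getMetricsManager().getSystemTableFromSubject(getConfig()...)`, i.e. server configuration, and the other two are defined above the hunk (presumably `QueryCubePropertyEnum` names, as the `where` clause suggests); identifiers cannot be bound as JDBC parameters, so concatenation is the only option for them, but the reason it is safe should be recorded so a later change does not route a request value into one of them. Suggested comment above the `String sql` line: `// cuboidColumn/hitMeasure/table are enum- and config-derived identifiers, never request input; only cubeName is caller-controlled and is bound as a parameter by getPrepareQueryResult`. The enclosing method starts outside the hunk.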
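Review bot: The predicate `" where " + QueryCubePropertyEnum.CUBE.toString() + " = ?"` in the `@@ -994` hunk is now spelled identically in three methods, and each copy must stay in step with the single positional binding performed by `getPrepareQueryResult`; a shared constant would keep them from drifting, e.g. `private static final String CUBE_FILTER = " where " + QueryCubePropertyEnum.CUBE.toString() + " = ?";` used as `+ CUBE_FILTER //` here. The removed line had a trailing space inside the closing quote (`"' "`) and the new one does not, which is harmless because the next fragment starts with a space. The enclosing method starts outside the hunk.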
@@ -1006,13 +1010,27 @@ public class CubeService extends BasicService implements InitializingBean {
 String table = getMetricsManager().getSystemTableFromSubject(getConfig().getKylinMetricsSubjectQueryCube());
 String sql = "select " + cuboidSource + ", sum(" + hitMeasure + ")" //
 + " from " + table //
- + " where " + QueryCubePropertyEnum.CUBE.toString() + " = '" + cubeName + "'" //
+ + " where " + QueryCubePropertyEnum.CUBE.toString() + " = ?" //
 + " and " + QueryCubePropertyEnum.IF_MATCH.toString() + " = true" //
 + " group by " + cuboidSource;
- List<List<String>> orgMatchHitFrequency = queryService.querySystemCube(sql).getResults();
+
+ List<List<String>> orgMatchHitFrequency = getPrepareQueryResult(cubeName, sql);
 return formatQueryCount(orgMatchHitFrequency);
 }
+ private List<List<String>> getPrepareQueryResult(String cubeName, String sql) {
+ PrepareSqlRequest sqlRequest = new PrepareSqlRequest();
+ sqlRequest.setProject(MetricsManager.SYSTEM_PROJECT);
+ PrepareSqlRequest.StateParam[] params = new PrepareSqlRequest.StateParam[1];
+ params[0] = new PrepareSqlRequest.StateParam();
+ params[0].setClassName("java.lang.String");
+ params[0].setValue(cubeName);
+ sqlRequest.setParams(params);
+ sqlRequest.setSql(sql);
+
+ return queryService.doQueryWithCache(sqlRequest, false).getResults();
+ }
+
 @PreAuthorize(Constant.ACCESS_HAS_ROLE_ADMIN + " or hasPermission(#cube, 'ADMINISTRATION') or hasPermission(#cube, 'MANAGEMENT')")
 public void migrateCube(CubeInstance cube, String projectName) {
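Review bot: `getPrepareQueryResult` has no Javadoc, and its contract is narrower than its name suggests: it binds exactly one positional `String` parameter, so every caller must pass SQL containing exactly one `?`, and that `?` must stand for the cube name. A Javadoc on the method should state that `cubeName` is the only caller-influenced value and is passed through `PrepareSqlRequest.StateParam` instead of being concatenated (the point of this commit), that the statement is pinned to `MetricsManager.SYSTEM_PROJECT`, and that the SQL text itself must be built only from trusted identifiers. The fix also relies on the query path turning a `StateParam` into a genuinely bound parameter rather than substituting text into the SQL; that code is outside this diff, so a test that passes a cube name containing `'` and `--` would confirm the injection is actually closed. Two smaller points in the body: `"java.lang.String"` can be `String.class.getName()` so the type name is checked by the compiler, and the bare `false` handed to `doQueryWithCache` would read better as a named local, since its meaning is not visible from this hunk. The metrics method above the helper starts outside the hunk.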
