This is an automated email from the ASF dual-hosted git repository. nic pushed a commit to branch 2.6.x in repository https://gitbox.apache.org/repos/asf/kylin.git
commit 5fbb6c9c3780d7384c8f1dc378b96bb9c43cfdbe
Author: nichunen <[email protected]>
AuthorDate: Thu Jan 23 11:23:10 2020 +0800
Validate uuid to prevent sql injection
---
 .../main/java/org/apache/kylin/rest/security/AclEntityFactory.java | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/server-base/src/main/java/org/apache/kylin/rest/security/AclEntityFactory.java b/server-base/src/main/java/org/apache/kylin/rest/security/AclEntityFactory.java
index c799b0a..47f797b 100644
--- a/server-base/src/main/java/org/apache/kylin/rest/security/AclEntityFactory.java
+++ b/server-base/src/main/java/org/apache/kylin/rest/security/AclEntityFactory.java
@@ -18,6 +18,8 @@
 package org.apache.kylin.rest.security;
+import java.util.UUID;
+
 import org.apache.kylin.common.persistence.RootPersistentEntity;
 import org.apache.kylin.cube.CubeInstance;
 import org.apache.kylin.job.JobInstance;
@@ -30,6 +32,10 @@ import org.apache.kylin.metadata.project.ProjectInstance;
 public class AclEntityFactory implements AclEntityType {
 public static RootPersistentEntity createAclEntity(String entityType, String uuid) {
+ // Validate the uuid first, exception will be thrown if the uuid string is not a valid uuid
+ UUID uuidObj = UUID.fromString(uuid);
+ uuid = uuidObj.toString();
+
 if (CUBE_INSTANCE.equals(entityType)) {
 CubeInstance cubeInstance = new CubeInstance();
 cubeInstance.setUuid(uuid);
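Review bot: The comment above `UUID.fromString(uuid)` should name the exception and explain why the `uuid = uuidObj.toString()` reassignment is part of the fix, because `UUID.fromString` is lenient (it accepts non-canonical input such as `1-2-3-4-5`) and it is the canonical re-serialization, not the parse, that guarantees the value handed to `setUuid` contains only `[0-9a-f-]`; a later cleanup that drops the reassignment as redundant would quietly weaken the protection. I would replace the comment with `// Reject anything that is not a UUID (IllegalArgumentException) and re-serialize to the canonical 8-4-4-4-12 form so only [0-9a-f-] can reach the persistence layer; keep the toString() reassignment, fromString() accepts non-canonical input.` A null `uuid` now fails inside `fromString` with a NullPointerException rather than an IllegalArgumentException, so if callers map IAE to a client error a missing id will presumably surface as a server error instead; `Objects.requireNonNull(uuid, "uuid must not be null");` before the parse (with `java.util.Objects` imported) would make that case deliberate. Validating here hardens only this entry point; wherever the id is interpolated into a query, that sink should still use a parameterized statement, which this diff does not show. The body of `createAclEntity` continues past the end of the hunk.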
