zhangshenghang commented on PR #10327:
URL: https://github.com/apache/seatunnel/pull/10327#issuecomment-3753933452
This PR attempts to add bracket quoting for special characters, but
**multiple SQL injection vulnerabilities and functional defects remain**. The
following BLOCKER issues must be fixed before merging:
## SQL Injection (Must Fix)
### `getDatabaseWithConditionSql()` - SQL Injection
**Location:** `SqlServerCatalog.java:73-75`
Directly interpolates `databaseName` into SQL WHERE clause using single
quotes:
```java
String.format(getListDatabaseSql() + " where name = '%s'", databaseName)
```
**Fix:** Use square brackets:
```java
String.format(getListDatabaseSql() + " where name = [%s]", databaseName)
```
---
### `getTableWithConditionSql()` - SQL Injection
**Location:** `SqlServerCatalog.java:78-84`
Interpolates schema and table names without escaping:
```java
"TABLE_SCHEMA = '%s' and TABLE_NAME = '%s'"
```
**Fix:** Escape single quotes or use square brackets for identifier quoting.
---
### `getSelectColumnsSql()` - SQL Injection
**Location:** `SqlServerCatalog.java:99-106`
Concatenates table name with single quotes:
```java
"AND tbl.name = '" + tablePath.getTableName() + "'"
```
**Fix:** Use square brackets:
```java
"AND tbl.name = [" + tablePath.getTableName() + "]"
```
---
## Functional Defect (Must Fix)
### `getDropTableSql()` - Inconsistent Identifier Quoting
**Location:** `SqlServerCatalog.java:141-143`
Uses `tablePath.getFullName()` without quoting, while `getExistDataSql()`
and `getTruncateTableSql()` correctly use `getFullNameWithQuoted("[", "]")` in
the same file.
**Fix:** Change to:
```java
return String.format("DROP TABLE %s", tablePath.getFullNameWithQuoted("[", "]"));
```
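As an added illustration, not code from the PR or from SeaTunnel: a small Java class showing the two distinct mechanisms the review touches on. Object names that appear in DDL (the `DROP TABLE` case) are quoted as bracketed identifiers, doubling any `]` inside the name, which is how T-SQL escapes a closing bracket within `[...]`. Values that are compared against a catalog column in a `WHERE` clause (the database, schema and table name lookups) are bound as JDBC parameters, since a bind parameter is the mechanism for a value. The class name, the helper names, the `main` and the sample names are assumptions made for this example.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

/**
 * Added example (hypothetical class, not SeaTunnel code): builds catalog SQL
 * for SQL Server without interpolating untrusted names into the statement text.
 */
public final class SqlServerIdentifierQuoting {

    // Quotes one identifier part with square brackets. A ']' inside the name is
    // doubled, the T-SQL escape for a closing bracket inside a bracketed identifier.
    static String quoteIdentifier(String part) {
        if (part == null || part.isEmpty()) {
            throw new IllegalArgumentException("identifier part must not be empty");
        }
        return "[" + part.replace("]", "]]") + "]";
    }

    // Quotes each part of a dotted name separately: schema, table -> [schema].[table]
    static String quoteFullName(String... parts) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < parts.length; i++) {
            if (i > 0) {
                sb.append('.');
            }
            sb.append(quoteIdentifier(parts[i]));
        }
        return sb.toString();
    }

    // DDL takes no bind parameter for the object name, so the name is quoted
    // as an identifier. Only the structural text of the statement is a literal.
    static String dropTableSql(String schema, String table) {
        return "DROP TABLE " + quoteFullName(schema, table);
    }

    // A WHERE comparison against a catalog column compares a value, so the
    // name is bound as a parameter; the SQL text never contains it.
    static PreparedStatement listDatabase(Connection conn, String databaseName)
            throws SQLException {
        PreparedStatement ps =
                conn.prepareStatement("SELECT name FROM sys.databases WHERE name = ?");
        ps.setString(1, databaseName);
        return ps;
    }

    // Same approach for the schema/table lookup: two bound values.
    static PreparedStatement selectColumns(Connection conn, String schema, String table)
            throws SQLException {
        PreparedStatement ps = conn.prepareStatement(
                "SELECT COLUMN_NAME, DATA_TYPE FROM INFORMATION_SCHEMA.COLUMNS"
                        + " WHERE TABLE_SCHEMA = ? AND TABLE_NAME = ? ORDER BY ORDINAL_POSITION");
        ps.setString(1, schema);
        ps.setString(2, table);
        return ps;
    }

    public static void main(String[] args) {
        // Constructed sample names; the second contains a ']' to exercise the escape.
        System.out.println(dropTableSql("dbo", "orders"));
        // prints: DROP TABLE [dbo].[orders]
        System.out.println(dropTableSql("dbo", "odd]name"));
        // prints: DROP TABLE [dbo].[odd]]name]  (one identifier, bracket escaped)
    }
}
```

The two helpers are deliberately not interchangeable: in T-SQL, `[x]` in an expression position is a reference to an object named `x`, not a string literal, so bracket quoting belongs only where an identifier is expected, and a bound parameter belongs where a value is compared.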