new 4cd2af10 SUBMARINE-1361. Fix Submarine SQL injection vulnerability
4cd2af10 is described below
commit 4cd2af10499ac6dc4f82bda179d9f414a522abef
Author: cdmikechen <[email protected]>
AuthorDate: Sat Jan 7 09:44:20 2023 +0800
SUBMARINE-1361. Fix Submarine SQL injection vulnerability
### What is this PR for?
A SQL injection vulnerability has been identified in Submarine; the
`like` statements in the MyBatis mappers need to be fixed.
### What type of PR is it?
Bug Fix
### Todos
* [x] - replace `like` statement to `concat('%', #{param}, '%')`
### What is the Jira issue?
https://issues.apache.org/jira/browse/SUBMARINE-1361
### How should this be tested?
Added a test case verification code in
`submarine-server/server-database/src/test/java/org/apache/submarine/server/database/workbench/database/service/SysUserServiceTest.java`
### Screenshots (if appropriate)
NA
### Questions:
* Do the license files need updating? No
* Are there breaking changes for older versions? No
* Does this need new documentation? No
Author: cdmikechen <[email protected]>
Signed-off-by: cdmikechen <[email protected]>
Closes #1037 from cdmikechen/SUBMARINE-1361 and squashes the following
commits:
34fb34b6 [cdmikechen] Avoid sql injection
---
.../org/apache/submarine/database/mappers/SysDeptMapper.xml | 4 ++--
.../apache/submarine/database/mappers/SysDictItemMapper.xml | 4 ++--
.../org/apache/submarine/database/mappers/SysDictMapper.xml | 4 ++--
.../org/apache/submarine/database/mappers/SysUserMapper.xml | 4 ++--
.../workbench/database/service/SysUserServiceTest.java | 13 +++++++++++++
5 files changed, 21 insertions(+), 8 deletions(-)
diff --git
a/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysDeptMapper.xml
b/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysDeptMapper.xml
index a11ee519..e98d503b 100644
---
a/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysDeptMapper.xml
+++
b/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysDeptMapper.xml
@@ -42,8 +42,8 @@
SELECT a.*, b.dept_name AS parent_name
FROM sys_department a LEFT JOIN sys_department b ON
a.parent_code=b.dept_code
WHERE 1=1
- <if test="deptCode!=null and deptCode!=''"> AND a.`dept_code` like
'%${deptCode}%' </if>
- <if test="deptName!=null and deptName!=''"> AND a.`dept_name` like
'%${deptName}%' </if>
+ <if test="deptCode!=null and deptCode!=''"> AND a.`dept_code` like
concat('%', #{deptCode}, '%')</if>
+ <if test="deptName!=null and deptName!=''"> AND a.`dept_name` like
concat('%', #{deptName}, '%')</if>
ORDER BY a.sort_order
</select>
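Review bot: Binding the search term through `#{deptCode}` inside `concat('%', …, '%')` closes the injection, but the LIKE metacharacters `%` and `_` in the bound value are still interpreted as wildcards, so a value of `%` matches every row and `_` matches any single character; this is a filtering precision issue rather than injection, but worth deciding on deliberately. If exact substring matching is intended, escape `%`, `_` and the escape character in the service layer before the value is bound and declare the escape on the predicate, e.g. `like concat('%', #{deptCode}, '%') escape '\\'` (syntax to be confirmed for the target database). The same applies to the `deptName` predicate on the following line and to the corresponding `like concat(...)` predicates in SysDictItemMapper.xml, SysDictMapper.xml and SysUserMapper.xml in this commit. The opening `<select>` tag of this statement is outside the hunk.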
diff --git
a/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysDictItemMapper.xml
b/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysDictItemMapper.xml
index 731bb700..55150e72 100644
---
a/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysDictItemMapper.xml
+++
b/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysDictItemMapper.xml
@@ -31,8 +31,8 @@
<select id="selectAll" resultMap="resultMap">
SELECT * FROM sys_dict_item WHERE 1 = 1
<if test="dictCode!=null and dictCode!=''"> AND `dict_code` =
#{dictCode}</if>
- <if test="itemCode!=null and itemCode!=''"> AND `item_code` like
'%${itemCode}%'</if>
- <if test="itemName!=null and itemName!=''"> AND `item_name` like
'%${itemName}%'</if>
+ <if test="itemCode!=null and itemCode!=''"> AND `item_code` like
concat('%', #{itemCode}, '%')</if>
+ <if test="itemName!=null and itemName!=''"> AND `item_name` like
concat('%', #{itemName}, '%')</if>
ORDER BY sort_order
</select>
<resultMap id="resultMap"
type="org.apache.submarine.server.database.workbench.entity.SysDictItemEntity"
extends="BaseEntityResultMap">
diff --git
a/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysDictMapper.xml
b/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysDictMapper.xml
index 55db3a9b..69e5de1b 100644
---
a/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysDictMapper.xml
+++
b/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysDictMapper.xml
@@ -31,8 +31,8 @@
<select id="selectAll" parameterType="java.util.Map" resultMap="resultMap">
SELECT * FROM sys_dict
WHERE 1=1
- <if test="dictCode!=null and dictCode!=''">AND `dict_code` like
'%${dictCode}%'</if>
- <if test="dictName!=null and dictName!=''">AND `dict_name` like
'%${dictName}%'</if>
+ <if test="dictCode!=null and dictCode!=''">AND `dict_code` like
concat('%', #{dictCode}, '%')</if>
+ <if test="dictName!=null and dictName!=''">AND `dict_name` like
concat('%', #{dictName}, '%')</if>
ORDER BY id
</select>
<resultMap id="resultMap"
type="org.apache.submarine.server.database.workbench.entity.SysDictEntity"
extends="BaseEntityResultMap">
diff --git
a/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysUserMapper.xml
b/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysUserMapper.xml
index 49c4e9ec..c24ad71e 100644
---
a/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysUserMapper.xml
+++
b/submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysUserMapper.xml
@@ -39,8 +39,8 @@
SELECT a.*, b.dept_name FROM sys_user a LEFT JOIN sys_department b ON
a.dept_code = b.dept_code
WHERE 1 = 1
<if test="deptCode!=null and deptCode!=''"> AND a.`dept_code` =
#{deptCode}</if>
- <if test="userName!=null and userName!=''"> AND a.`user_name` like
'%${userName}%'</if>
- <if test="email!=null and email!=''"> AND a.`email` like '%${email}%'</if>
+ <if test="userName!=null and userName!=''"> AND a.`user_name` like
concat('%', #{userName}, '%')</if>
+ <if test="email!=null and email!=''"> AND a.`email` like concat('%',
#{email}, '%')</if>
ORDER BY a.create_time
</select>
diff --git
a/submarine-server/server-database/src/test/java/org/apache/submarine/server/database/workbench/database/service/SysUserServiceTest.java
b/submarine-server/server-database/src/test/java/org/apache/submarine/server/database/workbench/database/service/SysUserServiceTest.java
index bbeb4ace..f3fbc129 100644
---
a/submarine-server/server-database/src/test/java/org/apache/submarine/server/database/workbench/database/service/SysUserServiceTest.java
+++
b/submarine-server/server-database/src/test/java/org/apache/submarine/server/database/workbench/database/service/SysUserServiceTest.java
@@ -78,6 +78,19 @@ public class SysUserServiceTest {
10);
LOG.debug("userList.size():{}", userList.size());
assertEquals(userList.size(), 1);
+
+ // Avoid sql injection.
+ // Issue: https://issues.apache.org/jira/browse/SUBMARINE-1361
+ List<SysUserEntity> sqlInjectTestList = userService.queryPageList(
+ String.format("%s' or 1=1 or 1='", sysUser.getUserName()),
+ null,
+ null,
+ null,
+ null,
+ 0,
+ 10);
+ assertEquals("SQL Injection Vulnerability Detected!",
sqlInjectTestList.size(), 0);
+
SysUserEntity user = userList.get(0);
assertEquals(sysUser.getEmail(), user.getEmail());
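Review bot: The new `assertEquals("SQL Injection Vulnerability Detected!", sqlInjectTestList.size(), 0)` passes the actual value in the expected position; JUnit's signature is `assertEquals(String message, long expected, long actual)`, so a regression would report the values inverted ("expected:<N> but was:<0>"). Change it to `assertEquals("SQL Injection Vulnerability Detected!", 0, sqlInjectTestList.size());`. A short comment explaining why zero rows is the expected outcome would also help future readers, e.g. `// With #{} binding the quote is data, so no user_name contains this literal and no rows match.` The enclosing test method starts before the hunk and continues after it.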