Github user 1ambda commented on the issue:
https://github.com/apache/zeppelin/pull/2559
Read the description and LGTM.
> ZEPPELIN-2769 introduced a mechanism to prevent SQL injection, but
> unfortunately table names cannot be parameterised in PreparedStatements. Also
> the column variable "username" might be interpreted as a quoted string and the
> final list would contain x times "username" instead of the real names (see
> Figure).
> Other solutions preventing SQL injections mostly rely on other libraries
> (e.g. escaping) or assumptions (e.g. widely database access).
I would consider reverting the changes. The SQL statement for getting the
user list should not be a security threat, as the query parameters will be
parsed server-side from the authenticationQuery; no user input will be
provided at all.
---
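The behaviour the PR description observes (a bound placeholder in a column position yields the literal string for every row, and a placeholder in a table position is rejected by the statement parser) is a property of SQL bind parameters in general, not of JDBC alone: parameters are values, never identifiers. The following is an added example, not code from Zeppelin or from the PR, that reproduces both effects with Python's `sqlite3` as a stand-in for a `PreparedStatement`, and then shows the usual alternative when an identifier really has to vary: validate it against a strict pattern and quote it, while still binding values. The `users` table, its rows and the identifier pattern are constructed for this example and are not Zeppelin's schema.

```python
import re
import sqlite3

# Constructed sample data standing in for the table an authenticationQuery
# would read. Not Zeppelin's schema.
SAMPLE_USERS = [("alice", "h1"), ("bob", "h2"), ("carol", "h3")]


def make_db():
    """In-memory database with the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def list_users_bound_identifiers(conn, table, column):
    """What the description says does not work: binding table and column
    names as parameters. The parser rejects a placeholder where a table
    name is expected, so this returns ('error', message) before any row
    is read; otherwise it would return ('rows', values)."""
    try:
        cur = conn.execute("SELECT ? FROM ?", (column, table))
        return ("rows", [r[0] for r in cur.fetchall()])
    except sqlite3.Error as exc:
        return ("error", str(exc))


def list_users_bound_column_only(conn, column):
    """Table hard-coded, column bound. The statement is accepted, but the
    placeholder is a value, so every row yields the literal column name
    instead of the stored username (the 'x times "username"' effect)."""
    cur = conn.execute("SELECT ? FROM users", (column,))
    return [r[0] for r in cur.fetchall()]


# Strict identifier pattern (an assumption for this example): letters,
# digits and underscore only, so no quotes, spaces or statement separators
# can reach the SQL text.
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def quote_ident(name):
    """Identifiers cannot be bound, so they are checked against IDENT and
    wrapped in double quotes, the standard SQL identifier delimiter.
    Anything outside the pattern is refused rather than escaped."""
    if not IDENT.match(name):
        raise ValueError(f"refusing unsafe identifier: {name!r}")
    return '"' + name + '"'


def list_users_validated(conn, table, column):
    """Identifiers validated and quoted into the text; any values that a
    query also needs would still be passed as bound parameters."""
    sql = f"SELECT {quote_ident(column)} FROM {quote_ident(table)}"
    return [r[0] for r in conn.execute(sql).fetchall()]


if __name__ == "__main__":
    db = make_db()
    print(list_users_bound_identifiers(db, "users", "username"))
    print(list_users_bound_column_only(db, "username"))
    print(list_users_validated(db, "users", "username"))
    try:
        list_users_validated(db, "users; DROP TABLE users", "username")
    except ValueError as exc:
        print(exc)
```

Running the block shows the three cases side by side: a parse error for the fully bound statement, a list of the literal string `username` for the half-bound one, and the real names for the validated one, with an injection-shaped table name refused before it reaches the database.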