This is an automated email from the ASF dual-hosted git repository.

tanjian pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/skywalking.git


The following commit(s) were added to refs/heads/master by this push:
     new fb7912c  fix fuzzy query sql injection (#4970)
fb7912c is described below

commit fb7912c6bdda06a233f4b3e18e71a87d3e4a8951
Author: yangy <[email protected]>
AuthorDate: Fri Jun 26 10:08:10 2020 +0800

    Fix SQL injection in fuzzy queries (#4970)
---
 .../oap/server/storage/plugin/jdbc/h2/dao/H2AlarmQueryDAO.java      | 3 ++-
 .../oap/server/storage/plugin/jdbc/h2/dao/H2MetadataQueryDAO.java   | 6 ++++--
 .../oap/server/storage/plugin/jdbc/h2/dao/H2TraceQueryDAO.java      | 3 ++-
 .../oap/server/storage/plugin/jdbc/mysql/MySQLAlarmQueryDAO.java    | 3 ++-
 4 files changed, 10 insertions(+), 5 deletions(-)

diff --git 
a/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2AlarmQueryDAO.java
 
b/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2AlarmQueryDAO.java
index 0f4ff85..ddba6f7 100644
--- 
a/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2AlarmQueryDAO.java
+++ 
b/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2AlarmQueryDAO.java
@@ -61,7 +61,8 @@ public class H2AlarmQueryDAO implements IAlarmQueryDAO {
         }
 
         if (!Strings.isNullOrEmpty(keyword)) {
-            sql.append(" and ").append(AlarmRecord.ALARM_MESSAGE).append(" 
like '%").append(keyword).append("%' ");
+            sql.append(" and ").append(AlarmRecord.ALARM_MESSAGE).append(" 
like concat('%',?,'%') ");
+            parameters.add(keyword);
         }
         sql.append(" order by ").append(AlarmRecord.START_TIME).append(" desc 
");
 
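Review bot: The keyword is now bound as a parameter, which closes the injection, but it is still evaluated by LIKE, so `%` and `_` inside user input act as wildcards and a keyword consisting of `%` alone matches every alarm row; if literal matching is intended, escape those two characters before binding and append `escape '\'` to the pattern, and if wildcard matching is deliberate, record that next to the new line, e.g. `// keyword is bound, never spliced into the SQL text; LIKE wildcards in it are honoured on purpose`. The same consideration applies to the other `concat('%',?,'%')` additions in this commit (both hunks of H2MetadataQueryDAO, H2TraceQueryDAO and MySQLAlarmQueryDAO). The enclosing method starts and ends outside the hunk, so I cannot see how `parameters` is later bound; the `?` added here has to be set in the same position it occupies in the SQL, which the adjacent `parameters.add(keyword)` appears to preserve. A regression test that passes a keyword containing a single quote and asserts the query still executes would pin the fix.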
diff --git 
a/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2MetadataQueryDAO.java
 
b/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2MetadataQueryDAO.java
index 2566ab2..a22b14c 100644
--- 
a/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2MetadataQueryDAO.java
+++ 
b/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2MetadataQueryDAO.java
@@ -125,7 +125,8 @@ public class H2MetadataQueryDAO implements 
IMetadataQueryDAO {
         sql.append(ServiceTraffic.NODE_TYPE).append("=?");
         condition.add(NodeType.Normal.value());
         if (!Strings.isNullOrEmpty(keyword)) {
-            sql.append(" and ").append(ServiceTraffic.NAME).append(" like 
\"%").append(keyword).append("%\"");
+            sql.append(" and ").append(ServiceTraffic.NAME).append(" like 
concat('%',?,'%')");
+            condition.add(keyword);
         }
         sql.append(" limit ").append(metadataQueryMaxSize);
 
@@ -175,7 +176,8 @@ public class H2MetadataQueryDAO implements 
IMetadataQueryDAO {
         sql.append(EndpointTraffic.SERVICE_ID).append("=?");
         condition.add(serviceId);
         if (!Strings.isNullOrEmpty(keyword)) {
-            sql.append(" and ").append(EndpointTraffic.NAME).append(" like 
'%").append(keyword).append("%' ");
+            sql.append(" and ").append(EndpointTraffic.NAME).append(" like 
concat('%',?,'%') ");
+            condition.add(keyword);
         }
         sql.append(" limit ").append(limit);
 
diff --git 
a/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2TraceQueryDAO.java
 
b/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2TraceQueryDAO.java
index 1928ef3..d3ee419 100644
--- 
a/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2TraceQueryDAO.java
+++ 
b/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2TraceQueryDAO.java
@@ -82,7 +82,8 @@ public class H2TraceQueryDAO implements ITraceQueryDAO {
             }
         }
         if (!Strings.isNullOrEmpty(endpointName)) {
-            sql.append(" and ").append(SegmentRecord.ENDPOINT_NAME).append(" 
like '%" + endpointName + "%'");
+            sql.append(" and ").append(SegmentRecord.ENDPOINT_NAME).append(" 
like concat('%',?,'%')");
+            parameters.add(endpointName);
         }
         if (StringUtil.isNotEmpty(serviceId)) {
             sql.append(" and ").append(SegmentRecord.SERVICE_ID).append(" = 
?");
diff --git 
a/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/mysql/MySQLAlarmQueryDAO.java
 
b/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/mysql/MySQLAlarmQueryDAO.java
index aea77c8..6de9425 100644
--- 
a/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/mysql/MySQLAlarmQueryDAO.java
+++ 
b/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/mysql/MySQLAlarmQueryDAO.java
@@ -61,7 +61,8 @@ public class MySQLAlarmQueryDAO implements IAlarmQueryDAO {
         }
 
         if (!Strings.isNullOrEmpty(keyword)) {
-            sql.append(" and ").append(AlarmRecord.ALARM_MESSAGE).append(" 
like '%").append(keyword).append("%' ");
+            sql.append(" and ").append(AlarmRecord.ALARM_MESSAGE).append(" 
like concat('%',?,'%') ");
+            parameters.add(keyword);
         }
         sql.append(" order by ").append(AlarmRecord.START_TIME).append(" desc 
");
 
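Review bot: This hunk is a line-for-line copy of the H2AlarmQueryDAO change, and the surrounding condition-building code in the two DAOs looks identical in the visible context; keeping the keyword condition in two places is how one copy gets patched and the other is missed. Consider moving the `like concat('%',?,'%')` clause and its `parameters.add(keyword)` into one shared helper that both drivers call (a common base DAO, if one exists — not visible here), so any future change to the escaping goes through a single code path. The enclosing method starts and ends outside the hunk.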
