Copilot commented on code in PR #16226:
URL: https://github.com/apache/iotdb/pull/16226#discussion_r2292504052
##########
iotdb-client/cli/src/main/java/org/apache/iotdb/tool/schema/ExportSchemaTable.java:
##########
@@ -191,17 +191,10 @@ protected void exportSchemaToSqlFile() {
try (ITableSession session = sessionPool.getSession()) {
sessionDataSet =
session.executeQueryStatement(
- String.format(Constants.EXPORT_SCHEMA_COLUMNS_SELECT,
database, tableName));
- exportSchemaBySelect(sessionDataSet, fileName, tableName, comment);
+ String.format("SHOW CREATE TABLE %s.%s", database, tableName));
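Review bot: The identifiers in `String.format("SHOW CREATE TABLE %s.%s", database, tableName)` are emitted bare, while the same `tableName` is wrapped in double quotes when the `DROP TABLE IF EXISTS "..."` statement is built later in this PR, so a table whose name needs quoting (mixed case, a reserved word, or other characters the parser rejects unquoted) will fail here but be handled in the generated file. Quote both `database` and `tableName` the same way in both places (and escape any embedded quote character per IoTDB's identifier rules) so the export behaves consistently, or route the names through one shared helper.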
Review Comment:
The database and tableName variables are directly interpolated into the SQL
query without proper escaping or validation. This could lead to SQL injection
vulnerabilities if these values contain malicious content. Consider using
parameterized queries or properly escaping the identifiers.
```suggestion
String.format("SHOW CREATE TABLE %s.%s",
escapeSqlIdentifier(database), escapeSqlIdentifier(tableName)));
```
##########
iotdb-client/cli/src/main/java/org/apache/iotdb/tool/schema/ExportSchemaTable.java:
##########
@@ -191,17 +191,10 @@ protected void exportSchemaToSqlFile() {
try (ITableSession session = sessionPool.getSession()) {
sessionDataSet =
session.executeQueryStatement(
- String.format(Constants.EXPORT_SCHEMA_COLUMNS_SELECT,
database, tableName));
- exportSchemaBySelect(sessionDataSet, fileName, tableName, comment);
+ String.format("SHOW CREATE TABLE %s.%s", database, tableName));
+ exportSchemaByShowCreate(sessionDataSet, fileName, tableName);
} catch (IoTDBConnectionException | StatementExecutionException |
IOException e) {
- try (ITableSession session = sessionPool.getSession()) {
- sessionDataSet =
- session.executeQueryStatement(
- String.format(Constants.EXPORT_SCHEMA_COLUMNS_DESC,
database, tableName));
- exportSchemaByDesc(sessionDataSet, fileName, tableName, comment);
- } catch (IoTDBConnectionException | StatementExecutionException |
IOException e1) {
- ioTPrinter.println(Constants.COLUMN_SQL_MEET_ERROR_MSG +
e.getMessage());
- }
+ ioTPrinter.println(Constants.COLUMN_SQL_MEET_ERROR_MSG +
e.getMessage());
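Review bot: The new catch block only prints `Constants.COLUMN_SQL_MEET_ERROR_MSG + e.getMessage()` and then returns normally, so a failed `SHOW CREATE TABLE` leaves the caller with no signal (no rethrow, no failure flag, no non-zero status) and a partially written schema file can be mistaken for a complete export; consider rethrowing or recording the failure so the tool can report it at exit. Separately, `exportSchemaByShowCreate(sessionDataSet, fileName, tableName)` drops the `comment` argument that the removed `exportSchemaBySelect`/`exportSchemaByDesc` calls received; please confirm the `SHOW CREATE TABLE` output carries the table comment, otherwise comments silently disappear from the exported SQL.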
Review Comment:
[nitpick] The removal of the fallback error handling mechanism means that if
the SHOW CREATE TABLE command fails, the operation will completely fail without
attempting alternative approaches. Consider whether this loss of resilience is
acceptable for your use case.
##########
iotdb-client/cli/src/main/java/org/apache/iotdb/tool/schema/ExportSchemaTable.java:
##########
@@ -214,6 +207,23 @@ protected void exportSchemaToSqlFile() {
}
}
+ private void exportSchemaByShowCreate(
+ SessionDataSet sessionDataSet, String fileName, String tableName)
+ throws IoTDBConnectionException, StatementExecutionException,
IOException {
+ String dropSql = "DROP TABLE IF EXISTS \"" + tableName + "\";\n";
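Review bot: Wrapping `tableName` in double quotes is a good start, but the line does not escape a double quote that appears inside the name, so such a name would terminate the quoted identifier early and produce an unparseable (or differently targeted) statement in the generated file; if IoTDB follows the usual SQL convention, doubling the embedded quote (`tableName.replace("\"", "\"\"")`, assumed here, not verified against the IoTDB grammar) before concatenation fixes that. Also worth documenting, in the method comment or CLI help, that the exported file begins with an unconditional `DROP TABLE IF EXISTS`, since replaying it against a populated database discards existing data.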
Review Comment:
The tableName variable is directly concatenated into the DROP TABLE
statement without proper escaping or validation. This could lead to SQL
injection vulnerabilities. Consider using parameterized queries or properly
escaping the table name identifier.
```suggestion
String dropSql = "DROP TABLE IF EXISTS " +
escapeSqlIdentifier(tableName) + ";\n";
```