jongyoul commented on code in PR #4926:
URL: https://github.com/apache/zeppelin/pull/4926#discussion_r2067740194
##########
zeppelin-server/src/main/java/org/apache/zeppelin/service/ShiroAuthenticationService.java:
##########
@@ -415,26 +424,39 @@ private List<String> getUserList(JdbcRealm obj) {
try {
dataSource = (DataSource) FieldUtils.readField(obj, "dataSource", true);
authQuery = (String) FieldUtils.readField(obj, "authenticationQuery",
true);
- LOGGER.info(authQuery);
+ LOGGER.debug("authenticationQuery={}", authQuery);
String authQueryLowerCase = authQuery.toLowerCase();
retval = authQueryLowerCase.split("from", 2);
if (retval.length >= 2) {
retval = retval[1].split("with|where", 2);
- tablename = retval[0];
+ tablename = retval[0].trim();
retval = retval[1].split("where", 2);
if (retval.length >= 2) {
retval = retval[1].split("=", 2);
} else {
retval = retval[0].split("=", 2);
}
- username = retval[0];
+ username = retval[0].trim();
}
if (StringUtils.isBlank(username) || StringUtils.isBlank(tablename)) {
return userlist;
}
+ if (!isValidSqlIdentifier(username)) {
+ throw new IllegalArgumentException(
+ "Invalid column name in authenticationQuery to build userlist
query: "
+ + authQuery + ", allowed pattern: " +
VALID_SQL_NAME_IDENTIFIER_PATTERN
+ + ", name identifier: [" + username + "]");
+ }
+ if (!isValidSqlIdentifier(tablename)) {
+ throw new IllegalArgumentException(
+ "Invalid table name in authenticationQuery to build userlist
query: "
+ + authQuery + ", allowed pattern: " +
VALID_SQL_NAME_IDENTIFIER_PATTERN
+ + ", name identifier: [" + tablename + "]");
+ }
- userquery = "SELECT ? FROM ?";
+ userquery = String.format("SELECT %s FROM %s WHERE %s LIKE ?",
username, tablename, username);
Review Comment:
I'm not 100% sure but it could be `SELECT ? FROM ? WHERE ? LIKE ?` and we
can pass it as `ps.setString(1, "%" + username + "%")`?
##########
zeppelin-server/src/main/java/org/apache/zeppelin/service/ShiroAuthenticationService.java:
##########
@@ -415,26 +424,39 @@ private List<String> getUserList(JdbcRealm obj) {
try {
dataSource = (DataSource) FieldUtils.readField(obj, "dataSource", true);
authQuery = (String) FieldUtils.readField(obj, "authenticationQuery",
true);
- LOGGER.info(authQuery);
+ LOGGER.debug("authenticationQuery={}", authQuery);
String authQueryLowerCase = authQuery.toLowerCase();
retval = authQueryLowerCase.split("from", 2);
if (retval.length >= 2) {
retval = retval[1].split("with|where", 2);
- tablename = retval[0];
+ tablename = retval[0].trim();
retval = retval[1].split("where", 2);
if (retval.length >= 2) {
retval = retval[1].split("=", 2);
} else {
retval = retval[0].split("=", 2);
}
- username = retval[0];
+ username = retval[0].trim();
}
if (StringUtils.isBlank(username) || StringUtils.isBlank(tablename)) {
return userlist;
}
+ if (!isValidSqlIdentifier(username)) {
+ throw new IllegalArgumentException(
+ "Invalid column name in authenticationQuery to build userlist
query: "
+ + authQuery + ", allowed pattern: " +
VALID_SQL_NAME_IDENTIFIER_PATTERN
+ + ", name identifier: [" + username + "]");
+ }
+ if (!isValidSqlIdentifier(tablename)) {
+ throw new IllegalArgumentException(
+ "Invalid table name in authenticationQuery to build userlist
query: "
+ + authQuery + ", allowed pattern: " +
VALID_SQL_NAME_IDENTIFIER_PATTERN
+ + ", name identifier: [" + tablename + "]");
+ }
- userquery = "SELECT ? FROM ?";
+ userquery = String.format("SELECT %s FROM %s WHERE %s LIKE ?",
username, tablename, username);
Review Comment:
I'm not 100% sure but it could be `SELECT ? FROM ? WHERE ? LIKE ?` and we
could pass it as `ps.setString(1, "%" + username + "%")`.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: reviews-unsubscr...@zeppelin.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
