Skip to content
This repository has been archived by the owner on Jul 10, 2024. It is now read-only.

Commit

Permalink
SUBMARINE-1361. Fix Submarine SQL injection vulnerability
Browse files Browse the repository at this point in the history
### What is this PR for?
Currently a SQL injection vulnerability has been checked in submarine and the relevant part of the `like` statement in mybatis needs to be fixed.

### What type of PR is it?
Bug Fix

### Todos
* [x] - replace `like` statement to `concat('%', #{param}, '%')`

### What is the Jira issue?
https://issues.apache.org/jira/browse/SUBMARINE-1361

### How should this be tested?
Added a test case verification code in `submarine-server/server-database/src/test/java/org/apache/submarine/server/database/workbench/database/service/SysUserServiceTest.java`

### Screenshots (if appropriate)
NA

### Questions:
* Do the license files need updating? No
* Are there breaking changes for older versions? No
* Does this need new documentation? No

Author: cdmikechen <[email protected]>

Signed-off-by: cdmikechen <[email protected]>

Closes #1037 from cdmikechen/SUBMARINE-1361 and squashes the following commits:

34fb34b [cdmikechen] Avoid sql injection
  • Loading branch information
cdmikechen committed Jan 16, 2023
1 parent 58cf1d5 commit 4cd2af1
Show file tree
Hide file tree
Showing 5 changed files with 21 additions and 8 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -42,8 +42,8 @@
SELECT a.*, b.dept_name AS parent_name
FROM sys_department a LEFT JOIN sys_department b ON a.parent_code=b.dept_code
WHERE 1=1
<if test="deptCode!=null and deptCode!=''"> AND a.`dept_code` like '%${deptCode}%' </if>
<if test="deptName!=null and deptName!=''"> AND a.`dept_name` like '%${deptName}%' </if>
<if test="deptCode!=null and deptCode!=''"> AND a.`dept_code` like concat('%', #{deptCode}, '%')</if>
<if test="deptName!=null and deptName!=''"> AND a.`dept_name` like concat('%', #{deptName}, '%')</if>
ORDER BY a.sort_order
</select>

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -31,8 +31,8 @@
<select id="selectAll" resultMap="resultMap">
SELECT * FROM sys_dict_item WHERE 1 = 1
<if test="dictCode!=null and dictCode!=''"> AND `dict_code` = #{dictCode}</if>
<if test="itemCode!=null and itemCode!=''"> AND `item_code` like '%${itemCode}%'</if>
<if test="itemName!=null and itemName!=''"> AND `item_name` like '%${itemName}%'</if>
<if test="itemCode!=null and itemCode!=''"> AND `item_code` like concat('%', #{itemCode}, '%')</if>
<if test="itemName!=null and itemName!=''"> AND `item_name` like concat('%', #{itemName}, '%')</if>
ORDER BY sort_order
</select>
<resultMap id="resultMap" type="org.apache.submarine.server.database.workbench.entity.SysDictItemEntity" extends="BaseEntityResultMap">
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -31,8 +31,8 @@
<select id="selectAll" parameterType="java.util.Map" resultMap="resultMap">
SELECT * FROM sys_dict
WHERE 1=1
<if test="dictCode!=null and dictCode!=''">AND `dict_code` like '%${dictCode}%'</if>
<if test="dictName!=null and dictName!=''">AND `dict_name` like '%${dictName}%'</if>
<if test="dictCode!=null and dictCode!=''">AND `dict_code` like concat('%', #{dictCode}, '%')</if>
<if test="dictName!=null and dictName!=''">AND `dict_name` like concat('%', #{dictName}, '%')</if>
ORDER BY id
</select>
<resultMap id="resultMap" type="org.apache.submarine.server.database.workbench.entity.SysDictEntity" extends="BaseEntityResultMap">
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -39,8 +39,8 @@
SELECT a.*, b.dept_name FROM sys_user a LEFT JOIN sys_department b ON a.dept_code = b.dept_code
WHERE 1 = 1
<if test="deptCode!=null and deptCode!=''"> AND a.`dept_code` = #{deptCode}</if>
<if test="userName!=null and userName!=''"> AND a.`user_name` like '%${userName}%'</if>
<if test="email!=null and email!=''"> AND a.`email` like '%${email}%'</if>
<if test="userName!=null and userName!=''"> AND a.`user_name` like concat('%', #{userName}, '%')</if>
<if test="email!=null and email!=''"> AND a.`email` like concat('%', #{email}, '%')</if>
ORDER BY a.create_time
</select>

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,19 @@ public void addUserTest() throws Exception {
10);
LOG.debug("userList.size():{}", userList.size());
assertEquals(userList.size(), 1);

// Avoid sql injection.
// Issue: https://issues.apache.org/jira/browse/SUBMARINE-1361
List<SysUserEntity> sqlInjectTestList = userService.queryPageList(
String.format("%s' or 1=1 or 1='", sysUser.getUserName()),
null,
null,
null,
null,
0,
10);
assertEquals("SQL Injection Vulnerability Detected!", sqlInjectTestList.size(), 0);

SysUserEntity user = userList.get(0);

assertEquals(sysUser.getEmail(), user.getEmail());
Expand Down

0 comments on commit 4cd2af1

Please sign in to comment.