Fix SQL injection issues in some frontend java DAO classes (#298)

This commit is contained in:
Yi (Alan) Wang 2016-12-08 11:31:09 -08:00 committed by GitHub
parent 418fef6278
commit 6ffbc9d1ff
2 changed files with 26 additions and 22 deletions


@ -230,7 +230,7 @@ public class DatasetsDAO extends AbstractMySQLOpenSourceDAO
"(text, user_id, dataset_id, created, modified, comment_type) VALUES(?, ?, ?, NOW(), NOW(), ?)"; "(text, user_id, dataset_id, created, modified, comment_type) VALUES(?, ?, ?, NOW(), NOW(), ?)";
private final static String GET_WATCHED_URN_ID = "SELECT id FROM watch " + private final static String GET_WATCHED_URN_ID = "SELECT id FROM watch " +
"WHERE user_id = ? and item_type = 'urn' and urn = '$URN'"; "WHERE user_id = ? and item_type = 'urn' and urn = ?";
private final static String GET_WATCHED_DATASET_ID = "SELECT id FROM watch " + private final static String GET_WATCHED_DATASET_ID = "SELECT id FROM watch " +
"WHERE user_id = ? and item_id = ? and item_type = 'dataset'"; "WHERE user_id = ? and item_id = ? and item_type = 'dataset'";
@ -1092,7 +1092,7 @@ public class DatasetsDAO extends AbstractMySQLOpenSourceDAO
if (userId != null && userId !=0) if (userId != null && userId !=0)
{ {
List<Map<String, Object>> rows = null; List<Map<String, Object>> rows = null;
rows = getJdbcTemplate().queryForList(GET_WATCHED_URN_ID.replace("$URN", urn), userId); rows = getJdbcTemplate().queryForList(GET_WATCHED_URN_ID, userId, urn);
if (rows != null) if (rows != null)
{ {
for (Map row : rows) { for (Map row : rows) {
@ -1151,7 +1151,7 @@ public class DatasetsDAO extends AbstractMySQLOpenSourceDAO
rows = getJdbcTemplate().queryForList(GET_WATCHED_DATASET_ID, userId, datasetId); rows = getJdbcTemplate().queryForList(GET_WATCHED_DATASET_ID, userId, datasetId);
if (rows != null && rows.size() > 0) if (rows != null && rows.size() > 0)
{ {
message = "watch item is already exist"; message = "watch item already exist";
} }
else else
{ {
@ -1245,7 +1245,7 @@ public class DatasetsDAO extends AbstractMySQLOpenSourceDAO
if (userId != null && userId !=0) if (userId != null && userId !=0)
{ {
List<Map<String, Object>> rows = null; List<Map<String, Object>> rows = null;
rows = getJdbcTemplate().queryForList(GET_WATCHED_URN_ID.replace("$URN", urn), userId); rows = getJdbcTemplate().queryForList(GET_WATCHED_URN_ID, userId, urn);
if (rows != null && rows.size() > 0) if (rows != null && rows.size() > 0)
{ {
message = "watch item is already exist"; message = "watch item is already exist";
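Review bot: The new `queryForList(GET_WATCHED_URN_ID, userId, urn)` calls at the third and last hunks bind `urn` as a parameter, but nothing in the hunk guards `urn` itself; a null or empty value now binds as `urn = NULL`, which under SQL three-valued logic matches no row, so the watch would silently read as absent instead of failing loudly as the old `replace` would have. Consider mirroring the existing `userId` guard with an explicit check such as `if (urn == null || urn.isEmpty()) { /* reject or return early */ }` before the query, presumably near the `userId != null && userId !=0` test on the same lines. The message text also diverges between the two sites: the second hunk changes it to `"watch item already exist"` while the last hunk keeps `"watch item is already exist"`; if anything matches on these strings the two paths now behave differently, so pick one wording for both. The enclosing methods begin and end outside these hunks.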


@ -45,14 +45,15 @@ public class MetricsDAO extends AbstractMySQLOpenSourceDAO
"m.metric_ref_id, m.dashboard_name, m.metric_category, m.metric_group, IFNULL(w.id,0) as watch_id " + "m.metric_ref_id, m.dashboard_name, m.metric_category, m.metric_group, IFNULL(w.id,0) as watch_id " +
"FROM dict_business_metric m " + "FROM dict_business_metric m " +
"LEFT JOIN watch w ON (m.metric_id = w.item_id AND w.item_type = 'metric' AND w.user_id = ?) " + "LEFT JOIN watch w ON (m.metric_id = w.item_id AND w.item_type = 'metric' AND w.user_id = ?) " +
"WHERE dashboard_name $value ORDER BY m.metric_name limit ?, ?"; "WHERE (dashboard_name = ? OR (dashboard_name IS NULL AND ? IS NULL)) ORDER BY m.metric_name limit ?, ?";
private final static String SELECT_PAGED_METRICS_BY_DASHBOARD_AND_GROUP = "SELECT SQL_CALC_FOUND_ROWS " + private final static String SELECT_PAGED_METRICS_BY_DASHBOARD_AND_GROUP = "SELECT SQL_CALC_FOUND_ROWS " +
"m.metric_id, m.metric_name, m.metric_description, m.metric_ref_id_type, m.metric_ref_id, " + "m.metric_id, m.metric_name, m.metric_description, m.metric_ref_id_type, m.metric_ref_id, " +
"m.dashboard_name, m.metric_category, m.metric_group, IFNULL(w.id,0) as watch_id " + "m.dashboard_name, m.metric_category, m.metric_group, IFNULL(w.id,0) as watch_id " +
"FROM dict_busines_metric m " + "FROM dict_busines_metric m " +
"LEFT JOIN watch w ON (m.metric_id = w.item_id AND w.item_type = 'metric' AND w.user_id = ?) " + "LEFT JOIN watch w ON (m.metric_id = w.item_id AND w.item_type = 'metric' AND w.user_id = ?) " +
"WHERE m.dashboard_name $dashboard and m.metric_group $group " + "WHERE (m.dashboard_name = ? OR (m.dashboard_name IS NULL AND ? IS NULL)) " +
"and (m.metric_group = ? OR (m.metric_group IS NULL AND ? IS NULL)) " +
"ORDER BY metric_name limit ?, ?"; "ORDER BY metric_name limit ?, ?";
private final static String GET_METRIC_BY_ID = "SELECT m.metric_id, m.metric_name, " + private final static String GET_METRIC_BY_ID = "SELECT m.metric_id, m.metric_name, " +
@ -74,7 +75,7 @@ public class MetricsDAO extends AbstractMySQLOpenSourceDAO
private final static String GET_USER_ID = "SELECT id FROM users WHERE username = ?"; private final static String GET_USER_ID = "SELECT id FROM users WHERE username = ?";
private final static String UPDATE_METRIC = "UPDATE dict_busines_metric SET $SET_CLAUSE WHERE metric_id = ?"; private final static String UPDATE_METRIC = "UPDATE dict_business_metric SET $SET_CLAUSE WHERE metric_id = ?";
public static ObjectNode getPagedMetrics( public static ObjectNode getPagedMetrics(
String dashboardName, String dashboardName,
@ -97,48 +98,51 @@ public class MetricsDAO extends AbstractMySQLOpenSourceDAO
{ {
public ObjectNode doInTransaction(TransactionStatus status) public ObjectNode doInTransaction(TransactionStatus status)
{ {
String query = null; List<Map<String, Object>> rows;
if (StringUtils.isBlank(dashboardName)) if (StringUtils.isBlank(dashboardName))
{ {
query = SELECT_PAGED_METRICS; rows = jdbcTemplate.queryForList(SELECT_PAGED_METRICS, id, (page-1)*size, size);
} }
else if (StringUtils.isBlank(group)) else if (StringUtils.isBlank(group))
{ {
query = SELECT_PAGED_METRICS_BY_DASHBOARD_NAME; String dbName;
if (dashboardName.equals("[Other]")) if (dashboardName.equals("[Other]"))
{ {
query = query.replace("$value", "is null"); dbName = null;
} }
else else
{ {
query = query.replace("$value", "= '" + dashboardName + "'"); dbName = dashboardName;
} }
rows = jdbcTemplate.queryForList(SELECT_PAGED_METRICS_BY_DASHBOARD_NAME, id, dbName, dbName,
(page-1)*size, size);
} }
else else
{ {
query = SELECT_PAGED_METRICS_BY_DASHBOARD_AND_GROUP; String dbName;
if (dashboardName.equals("[Other]")) if (dashboardName.equals("[Other]"))
{ {
query = query.replace("$dashboard", "is null"); dbName = null;
} }
else else
{ {
query = query.replace("$dashboard", "= '" + dashboardName + "'"); dbName = dashboardName;
} }
String grp;
if (group.equals("[Other]")) if (group.equals("[Other]"))
{ {
query = query.replace("$group", "is null"); grp = null;
} }
else else
{ {
query = query.replace("$group", "= '" + group + "'"); grp = group;
} }
rows = jdbcTemplate.queryForList(SELECT_PAGED_METRICS_BY_DASHBOARD_AND_GROUP, id, dbName, dbName, grp, grp,
(page-1)*size, size);
} }
List<Map<String, Object>> rows = null;
List<Metric> pagedMetrics = new ArrayList<Metric>();
rows = jdbcTemplate.queryForList(query, id, (page-1)*size, size);
for (Map row : rows) {
List<Metric> pagedMetrics = new ArrayList<>();
for (Map row : rows) {
Metric metric = new Metric(); Metric metric = new Metric();
metric.id = (int)row.get("metric_id"); metric.id = (int)row.get("metric_id");
metric.name = (String)row.get("metric_name"); metric.name = (String)row.get("metric_name");