From fb7912c6bdda06a233f4b3e18e71a87d3e4a8951 Mon Sep 17 00:00:00 2001 From: yangy Date: Fri, 26 Jun 2020 10:08:10 +0800 Subject: [PATCH] fix fuzzy query sql injection (#4970) --- .../server/storage/plugin/jdbc/h2/dao/H2AlarmQueryDAO.java | 3 ++- .../storage/plugin/jdbc/h2/dao/H2MetadataQueryDAO.java | 6 ++++-- .../server/storage/plugin/jdbc/h2/dao/H2TraceQueryDAO.java | 3 ++- .../storage/plugin/jdbc/mysql/MySQLAlarmQueryDAO.java | 3 ++- 4 files changed, 10 insertions(+), 5 deletions(-) diff --git a/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2AlarmQueryDAO.java b/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2AlarmQueryDAO.java index 0f4ff85086..ddba6f7bbd 100644 --- a/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2AlarmQueryDAO.java +++ b/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2AlarmQueryDAO.java @@ -61,7 +61,8 @@ public class H2AlarmQueryDAO implements IAlarmQueryDAO { } if (!Strings.isNullOrEmpty(keyword)) { - sql.append(" and ").append(AlarmRecord.ALARM_MESSAGE).append(" like '%").append(keyword).append("%' "); + sql.append(" and ").append(AlarmRecord.ALARM_MESSAGE).append(" like concat('%',?,'%') "); + parameters.add(keyword); } sql.append(" order by ").append(AlarmRecord.START_TIME).append(" desc "); diff --git a/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2MetadataQueryDAO.java b/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2MetadataQueryDAO.java index 2566ab2b5e..a22b14cd2e 100644 
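Review bot: Binding `keyword` closes the SQL injection but still hands LIKE metacharacters to the database: a `%` or `_` inside the keyword reaches `concat('%',?,'%')` unescaped, so a search for `%` matches every alarm message and `_` matches any single character, a wildcard-injection and full-scan concern the commit does not address. Escape the wildcards before binding and declare the escape character instead of relying on a dialect default, e.g. `sql.append(" and ").append(AlarmRecord.ALARM_MESSAGE).append(" like concat('%',?,'%') escape '\\' ");` with `parameters.add(keyword.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_"));`. A one-line `// keyword is bound, never concatenated; LIKE wildcards are escaped above` on the new line would keep a later edit from reverting to string building. The enclosing query method starts and ends outside this hunk, so the code that binds `parameters` to the statement is not visible here; the new `?` and the `parameters.add` are at least appended at the same point, so positional order is preserved within the hunk.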
--- a/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2MetadataQueryDAO.java +++ b/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2MetadataQueryDAO.java @@ -125,7 +125,8 @@ public class H2MetadataQueryDAO implements IMetadataQueryDAO { sql.append(ServiceTraffic.NODE_TYPE).append("=?"); condition.add(NodeType.Normal.value()); if (!Strings.isNullOrEmpty(keyword)) { - sql.append(" and ").append(ServiceTraffic.NAME).append(" like \"%").append(keyword).append("%\""); + sql.append(" and ").append(ServiceTraffic.NAME).append(" like concat('%',?,'%')"); + condition.add(keyword); } sql.append(" limit ").append(metadataQueryMaxSize); @@ -175,7 +176,8 @@ public class H2MetadataQueryDAO implements IMetadataQueryDAO { sql.append(EndpointTraffic.SERVICE_ID).append("=?"); condition.add(serviceId); if (!Strings.isNullOrEmpty(keyword)) { - sql.append(" and ").append(EndpointTraffic.NAME).append(" like '%").append(keyword).append("%' "); + sql.append(" and ").append(EndpointTraffic.NAME).append(" like concat('%',?,'%') "); + condition.add(keyword); } sql.append(" limit ").append(limit); diff --git a/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2TraceQueryDAO.java b/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2TraceQueryDAO.java index 1928ef398e..d3ee419416 100644 --- a/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2TraceQueryDAO.java +++ b/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2TraceQueryDAO.java 
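Review bot: The bound `keyword` in the service-name search is not escaped for LIKE, so a caller can pass `%` or `_` and turn the fuzzy match into a match-everything query bounded only by the `limit` appended on the context line below; the commit removes the injection but leaves this wildcard injection open. The same gap exists in the endpoint search added by the second hunk of this file. A private helper such as `private static String escapeLike(String s) { return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_"); }` used as `condition.add(escapeLike(keyword));`, together with `escape '\\'` on each LIKE, would cover both call sites; the escape character is best declared explicitly rather than assumed from the H2 default. The enclosing method begins and ends outside the hunk.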
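Review bot: The `like concat('%',?,'%')` fragment added here is the fourth copy of the same three lines across H2AlarmQueryDAO, H2MetadataQueryDAO and MySQLAlarmQueryDAO in this commit, so any later hardening (wildcard escaping, an `ESCAPE` clause) has to be repeated in every DAO and is easy to miss in one of them. Extracting it into a single package-level helper, e.g. `static void appendFuzzyMatch(StringBuilder sql, List<Object> params, String column, String value)`, would give one place to audit. Separately, `limit` is still concatenated into the SQL on the context line below; that is harmless if it is a primitive `int`, which cannot be confirmed from the hunk, but worth checking it is never a caller-supplied String.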
@@ -82,7 +82,8 @@ public class H2TraceQueryDAO implements ITraceQueryDAO { } } if (!Strings.isNullOrEmpty(endpointName)) { - sql.append(" and ").append(SegmentRecord.ENDPOINT_NAME).append(" like '%" + endpointName + "%'"); + sql.append(" and ").append(SegmentRecord.ENDPOINT_NAME).append(" like concat('%',?,'%')"); + parameters.add(endpointName); } if (StringUtil.isNotEmpty(serviceId)) { sql.append(" and ").append(SegmentRecord.SERVICE_ID).append(" = ?"); diff --git a/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/mysql/MySQLAlarmQueryDAO.java b/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/mysql/MySQLAlarmQueryDAO.java index aea77c845d..6de9425c99 100644 --- a/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/mysql/MySQLAlarmQueryDAO.java +++ b/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/mysql/MySQLAlarmQueryDAO.java @@ -61,7 +61,8 @@ public class MySQLAlarmQueryDAO implements IAlarmQueryDAO { } if (!Strings.isNullOrEmpty(keyword)) { - sql.append(" and ").append(AlarmRecord.ALARM_MESSAGE).append(" like '%").append(keyword).append("%' "); + sql.append(" and ").append(AlarmRecord.ALARM_MESSAGE).append(" like concat('%',?,'%') "); + parameters.add(keyword); } sql.append(" order by ").append(AlarmRecord.START_TIME).append(" desc "); -- GitLab
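Review bot: `endpointName` is now bound, but its LIKE wildcards are not escaped, so a `%` or `_` in the endpoint filter still changes the query's meaning into a match-all scan over segment records, which the commit's injection fix does not cover. Escape before binding and add an explicit escape clause, e.g. `sql.append(" and ").append(SegmentRecord.ENDPOINT_NAME).append(" like concat('%',?,'%') escape '\\'");` and `parameters.add(endpointName.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_"));`. As a style point, the guard on the new condition uses `Strings.isNullOrEmpty` while the very next condition in the same hunk uses `StringUtil.isNotEmpty`; settling on one utility in this method would make the null-handling uniform. The query-building method begins and ends outside the hunk.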
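Review bot: The added line is byte-for-byte the same as the one added to H2AlarmQueryDAO in this commit and inherits the same gap: `keyword` is bound, but `%` and `_` inside it are not escaped, so a user can still widen the alarm search to every row. The backslash default for LIKE presumably holds on MySQL as it does on H2, but declaring it with `escape '\\'` and escaping the keyword before `parameters.add(...)` avoids depending on the dialect or the driver's prepared-statement mode. Since the two alarm DAOs carry parallel copies of this clause, having both call one shared helper would keep their escaping from drifting apart; the enclosing method continues outside the hunk.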