From 4ce2e9e87398efcee4b646af1143f4dc2ae10dc7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=90=B4=E6=99=9F=20Wu=20Sheng?=
Date: Sun, 12 Apr 2020 15:44:48 +0800
Subject: [PATCH] Fix security issue of the metrics query (#4639)

---
 .../plugin/jdbc/h2/dao/H2MetricsQueryDAO.java | 55 +++++++++++--------
 1 file changed, 32 insertions(+), 23 deletions(-)

diff --git a/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2MetricsQueryDAO.java b/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2MetricsQueryDAO.java
index 8972d05f0d..4ab5ca3f52 100644
--- a/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2MetricsQueryDAO.java
+++ b/oap-server/server-storage-plugin/storage-jdbc-hikaricp-plugin/src/main/java/org/apache/skywalking/oap/server/storage/plugin/jdbc/h2/dao/H2MetricsQueryDAO.java
@@ -109,20 +109,24 @@ public class H2MetricsQueryDAO extends H2SQLExecutor implements IMetricsQueryDAO
 @Override
 public IntValues getLinearIntValues(String tableName, DownSampling downsampling, List ids, String valueCName) throws IOException {
- StringBuilder idValues = new StringBuilder();
- for (int valueIdx = 0; valueIdx < ids.size(); valueIdx++) {
- if (valueIdx != 0) {
- idValues.append(",");
+ StringBuilder sql = new StringBuilder("select id, " + valueCName + " from " + tableName + " where id in (");
+ List parameters = new ArrayList();
+ for (int i = 0; i < ids.size(); i++) {
+ if (i == 0) {
+ sql.append("?");
+ } else {
+ sql.append(",?");
 }
- idValues.append("'").append(ids.get(valueIdx)).append("'");
+ parameters.add(ids.get(i));
 }
+ sql.append(")");
 IntValues intValues = new IntValues();
 try (Connection connection = h2Client.getConnection()) {
+
 try (ResultSet resultSet = h2Client.executeQuery(
- connection, "select id, " + valueCName + " from " + tableName + " where id in (" + idValues
- .toString() + ")")) {
+ connection, sql.toString(), parameters.toArray(new Object[0]))) {
 while (resultSet.next()) {
 KVInt kv = new KVInt();
 kv.setId(resultSet.getString("id"));
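Review bot: The ids are now bound with `?`, but `valueCName` and `tableName` are still concatenated into the statement text on the first added line (`"select id, " + valueCName + " from " + tableName + " where id in ("`), and the hunks at -143 and -211 do the same. Identifiers cannot be passed as bind parameters, so if either value can originate outside the DAO (not visible from this hunk) it should be checked against a fixed identifier pattern before the string is built, e.g. `if (!valueCName.matches("[A-Za-z0-9_]+")) { throw new IllegalArgumentException("invalid column name: " + valueCName); }`, or looked up in an allow-list of known metric columns. The added empty line directly after `try (Connection connection = h2Client.getConnection()) {` looks accidental and can be dropped. The method body continues past the end of the hunk.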
@@ -143,13 +147,17 @@ public class H2MetricsQueryDAO extends H2SQLExecutor implements IMetricsQueryDAO
 List ids, final List linearIndex, String valueCName) throws IOException {
- StringBuilder idValues = new StringBuilder();
- for (int valueIdx = 0; valueIdx < ids.size(); valueIdx++) {
- if (valueIdx != 0) {
- idValues.append(",");
+ StringBuilder sql = new StringBuilder("select id, " + valueCName + " from " + tableName + " where id in (");
+ List parameters = new ArrayList();
+ for (int i = 0; i < ids.size(); i++) {
+ if (i == 0) {
+ sql.append("?");
+ } else {
+ sql.append(",?");
 }
- idValues.append("'").append(ids.get(valueIdx)).append("'");
+ parameters.add(ids.get(i));
 }
+ sql.append(")");
 IntValues[] intValuesArray = new IntValues[linearIndex.size()];
 for (int i = 0; i < intValuesArray.length; i++) {
@@ -158,8 +166,7 @@ public class H2MetricsQueryDAO extends H2SQLExecutor implements IMetricsQueryDAO
 try (Connection connection = h2Client.getConnection()) {
 try (ResultSet resultSet = h2Client.executeQuery(
- connection, "select id, " + valueCName + " from " + tableName + " where id in (" + idValues
- .toString() + ")")) {
+ connection, sql.toString(), parameters.toArray(new Object[0]))) {
 while (resultSet.next()) {
 String id = resultSet.getString("id");
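Review bot: The placeholder loop added at the top of this hunk is the second of three identical copies (also at -109 and -211); a small private helper that appends the `?` list and collects the bind values would keep the three queries from drifting apart the next time the escaping rules change. An empty `ids` list still yields `where id in ()`, which the commit does not guard; whether H2 accepts an empty IN list I cannot confirm from here, so returning early before building the SQL would be the safer shape. The enclosing method's signature and return type begin outside this hunk, so the exact early-return value is not visible.
```java
// … unchanged: method signature …
StringBuilder sql = new StringBuilder("select id, " + valueCName + " from " + tableName + " where id in (");
List<Object> parameters = new ArrayList<>();
appendIdPlaceholders(sql, parameters, ids);
// … unchanged: result handling …

/** Appends one "?" per id (comma separated, then the closing ")") and collects the ids as bind values. */
private static void appendIdPlaceholders(StringBuilder sql, List<Object> parameters, List<String> ids) {
    for (int i = 0; i < ids.size(); i++) {
        sql.append(i == 0 ? "?" : ",?");
        parameters.add(ids.get(i));
    }
    sql.append(")");
}
```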
@@ -211,13 +218,18 @@ public class H2MetricsQueryDAO extends H2SQLExecutor implements IMetricsQueryDAO
 @Override
 public Thermodynamic getThermodynamic(String tableName, DownSampling downsampling, List ids, String valueCName) throws IOException {
- StringBuilder idValues = new StringBuilder();
- for (int valueIdx = 0; valueIdx < ids.size(); valueIdx++) {
- if (valueIdx != 0) {
- idValues.append(",");
+ StringBuilder sql = new StringBuilder(
+ "select " + ThermodynamicMetrics.STEP + " step, " + ThermodynamicMetrics.NUM_OF_STEPS + " num_of_steps, " + ThermodynamicMetrics.DETAIL_GROUP + " detail_group, " + "id " + " from " + tableName + " where id in (");
+ List parameters = new ArrayList();
+ for (int i = 0; i < ids.size(); i++) {
+ if (i == 0) {
+ sql.append("?");
+ } else {
+ sql.append(",?");
 }
- idValues.append("'").append(ids.get(valueIdx)).append("'");
+ parameters.add(ids.get(i));
 }
+ sql.append(")");
 List> thermodynamicValueCollection = new ArrayList<>();
 Map> thermodynamicValueMatrix = new HashMap<>();
@@ -227,10 +239,7 @@ public class H2MetricsQueryDAO extends H2SQLExecutor implements IMetricsQueryDAO
 int numOfSteps = 0;
 int axisYStep = 0;
 try (ResultSet resultSet = h2Client.executeQuery(
- connection,
- "select " + ThermodynamicMetrics.STEP + " step, " + ThermodynamicMetrics.NUM_OF_STEPS + " num_of_steps, " + ThermodynamicMetrics.DETAIL_GROUP + " detail_group, " + "id " + " from " + tableName + " where id in (" + idValues
- .toString() + ")"
- )) {
+ connection, sql.toString(), parameters.toArray(new Object[0]))) {
 while (resultSet.next()) {
 axisYStep = resultSet.getInt("step");
-- 
GitLab
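Review bot: The query text on the second added line joins two adjacent literals, `"id " + " from "`, which reads as though a column were dropped between them; `"id from "` expresses the same thing and removes the doubt. That line is also long enough that the column list is hard to audit at a glance; since only `tableName` varies, the select list up to `" from "` could be lifted into a `private static final String` and the builder seeded with `THERMODYNAMIC_SELECT + tableName + " where id in ("`. Note `valueCName` is taken by this method but not used in the visible SQL, which is worth a comment if intentional.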