PHOENIX-3613 Avoid possible SQL Injection with proper input validations(Rajeshbabu)
Project: http://git-wip-us.apache.org/repos/asf/phoenix/repo
Commit: http://git-wip-us.apache.org/repos/asf/phoenix/commit/2fd9b086
Tree: http://git-wip-us.apache.org/repos/asf/phoenix/tree/2fd9b086
Diff: http://git-wip-us.apache.org/repos/asf/phoenix/diff/2fd9b086
Branch: refs/heads/encodecolumns2
Commit: 2fd9b08614606004f56fa19885406e97e7e4ea80
Parents: 88078fd
Author: Rajeshbabu Chintaguntla <rajeshb...@apache.org>
Authored: Fri Jan 20 23:13:32 2017 +0530
Committer: Rajeshbabu Chintaguntla <rajeshb...@apache.org>
Committed: Fri Jan 20 23:13:32 2017 +0530
----------------------------------------------------------------------
.../tracingwebapp/http/EntityFactory.java | 19 +-----------------
.../tracingwebapp/http/TraceServlet.java | 21 ++++++++++++++++++--
2 files changed, 20 insertions(+), 20 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/phoenix/blob/2fd9b086/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/EntityFactory.java
----------------------------------------------------------------------
diff --git a/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/EntityFactory.java b/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/EntityFactory.java
index afb6312..a17630d 100644
--- a/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/EntityFactory.java
+++ b/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/EntityFactory.java
@@ -39,29 +39,12 @@ public class EntityFactory {
 this.connection = connection;
 }
- public Map<String, Object> findSingle(Object[] params) throws SQLException {
- List<Map<String, Object>> objects = this.findMultiple(params);
-
- if (objects.size() != 1) {
- throw new SQLException("Query did not produce one object it produced: "
- + objects.size() + " objects.");
- }
-
- Map<String, Object> object = objects.get(0); // get first record;
-
- return object;
- }
-
- public List<Map<String, Object>> findMultiple(Object[] params)
+ public List<Map<String, Object>> findMultiple()
 throws SQLException {
 ResultSet rs = null;
 PreparedStatement ps = null;
 try {
 ps = this.connection.prepareStatement(this.queryString);
- for (int i = 0; i < params.length; ++i) {
- ps.setObject(1, params[i]);
- }
-
 rs = ps.executeQuery();
 return getEntitiesFromResultSet(rs);
 } catch (SQLException e) {
http://git-wip-us.apache.org/repos/asf/phoenix/blob/2fd9b086/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/TraceServlet.java
----------------------------------------------------------------------
diff --git a/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/TraceServlet.java b/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/TraceServlet.java
index de047ba..c20b20d 100755
--- a/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/TraceServlet.java
+++ b/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/TraceServlet.java
@@ -25,7 +25,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 import org.codehaus.jackson.map.ObjectMapper;
-
+import org.apache.phoenix.metrics.MetricInfo;
 import java.sql.Connection;
 import java.sql.SQLException;
 import java.util.List;
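Review bot: Dropping the `params` loop removes the only bound-parameter path in this class, so every caller is now left building its SQL by string concatenation and validating strings up front; the loop's actual defect was that it bound every value to position 1, `ps.setObject(1, params[i])`, and the one-line fix `ps.setObject(i + 1, params[i])` would have let TraceServlet pass limit, parentId and traceId through `?` placeholders instead. If the no-argument signature is kept, a Javadoc line such as `/** Executes {@code queryString} verbatim; it must not contain request-supplied text. */` would record the contract the servlet now has to uphold. The body of findMultiple continues past the hunk, so whether `rs` and `ps` are closed in a finally block cannot be seen here.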
@@ -82,6 +82,11 @@ public class TraceServlet extends HttpServlet {
 if(limit == null) {
 limit = DEFAULT_LIMIT;
 }
+ try{
+ Long.parseLong(limit);
+ } catch (NumberFormatException e) {
+ throw new RuntimeException("The LIMIT passed to the query is not a number.", e);
+ }
 String sqlQuery = "SELECT * FROM " + TRACING_TABLE + " LIMIT "+limit;
 json = getResults(sqlQuery);
 return getJson(json);
@@ -93,6 +98,8 @@ public class TraceServlet extends HttpServlet {
 if(countby == null) {
 countby = DEFAULT_COUNTBY;
 }
+ // Throws exception if the column not present in the trace table.
+ MetricInfo.getColumnName(countby.toLowerCase());
 String sqlQuery = "SELECT "+countby+", COUNT(*) AS count FROM " + TRACING_TABLE + " GROUP BY "+countby+" HAVING COUNT(*) > 1 ";
 json = getResults(sqlQuery);
 return json;
@@ -102,6 +109,16 @@ public class TraceServlet extends HttpServlet {
 protected String searchTrace(String parentId, String traceId,String logic) {
 String json = null;
 String query = null;
+ // Check the parent Id, trace id type or long or not.
+ try {
+ Long.parseLong(parentId);
+ Long.parseLong(traceId);
+ } catch (NumberFormatException e) {
+ throw new RuntimeException("The passed parentId/traceId is not a number.", e);
+ }
+ if(!logic.equals(LOGIC_AND) || !logic.equals(LOGIC_OR)) {
+ throw new RuntimeException("Wrong logical operator passed to the query. Only "+ LOGIC_AND+","+LOGIC_OR+" are allowed.") ;
+ }
 if(parentId != null && traceId != null) {
 query = "SELECT * FROM " + TRACING_TABLE + " WHERE parent_id="+parentId+" "+logic+" trace_id="+traceId;
 }else if (parentId != null && traceId == null) {
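Review bot: The parsed value is discarded and the original `limit` string is still what gets concatenated into the SQL, so sign-prefixed input such as `+10` or `-1` passes `Long.parseLong` and reaches the query unchanged. Keeping the number, `long limitValue = Long.parseLong(limit);`, rejecting `limitValue < 0`, and appending `limitValue` instead of `limit` makes the query carry exactly what was validated. A `RuntimeException` thrown from a servlet method surfaces as the container's generic 500; if `limit` is taken from the request (its origin is above the hunk), an `IllegalArgumentException` mapped to `HttpServletResponse.SC_BAD_REQUEST` would be the accurate status.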
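Review bot: The lookup validates `countby.toLowerCase()` but the query on the next line still interpolates the unvalidated `countby`, so the checked string and the concatenated string differ whenever the input contains upper-case characters, and the return value of `getColumnName` is thrown away. Assuming `MetricInfo.getColumnName` returns the table's canonical column name for an accepted input (its implementation is not on this page), assign it and use it in both places: `String column = MetricInfo.getColumnName(countby.toLowerCase(Locale.ROOT));` followed by `"SELECT " + column + ", COUNT(*) AS count FROM " + TRACING_TABLE + " GROUP BY " + column + ...`. The `Locale.ROOT` argument also keeps the lowercasing independent of the JVM's default locale.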
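Review bot: The new operator check `if(!logic.equals(LOGIC_AND) || !logic.equals(LOGIC_OR))` is true for every input, because no string equals both constants, so searchTrace now rejects all requests; the condition needs `&&`, and writing it as `!LOGIC_AND.equals(logic) && !LOGIC_OR.equals(logic)` additionally avoids a NullPointerException when `logic` is null. The `Long.parseLong` calls also throw `NumberFormatException` on a null argument, which makes the `traceId == null` / `parentId == null` branches below unreachable; each id should only be parsed when it is non-null. Whether callers legitimately pass a null `logic` when only one id is supplied cannot be told from the hunk; if they do, the operator check belongs inside the two-id branch. The remainder of searchTrace is outside the hunk.
```java
protected String searchTrace(String parentId, String traceId,String logic) {
    // … unchanged: json / query declarations …
    // Validate only the ids that were supplied; the branches below handle a null id.
    try {
        if (parentId != null) {
            Long.parseLong(parentId);
        }
        if (traceId != null) {
            Long.parseLong(traceId);
        }
    } catch (NumberFormatException e) {
        throw new RuntimeException("The passed parentId/traceId is not a number.", e);
    }
    // Reject anything other than the two supported operators (a null logic included).
    if (!LOGIC_AND.equals(logic) && !LOGIC_OR.equals(logic)) {
        throw new RuntimeException("Wrong logical operator passed to the query. Only "+ LOGIC_AND+","+LOGIC_OR+" are allowed.") ;
    }
    // … unchanged: query construction branches …
```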
@@ -132,7 +149,7 @@ public class TraceServlet extends HttpServlet {
 con = ConnectionFactory.getConnection();
 EntityFactory nutrientEntityFactory = new EntityFactory(con,sqlQuery);
 List<Map<String, Object>> nutrients = nutrientEntityFactory
- .findMultiple(new Object[] {});
+ .findMultiple();
 ObjectMapper mapper = new ObjectMapper();
 json = mapper.writeValueAsString(nutrients);
 } catch (Exception e) {