Repository: zeppelin Updated Branches: refs/heads/master 3a57fc293 -> 709c5a70a
[ZEPPELIN-2769] Prevent SQL injection for GetUserList.getUserList. ### What is this PR for? Prevent SQL injection for ```GetUserList.getUserList```. ### What type of PR is it? Improvement ### What is the Jira issue? https://issues.apache.org/jira/browse/ZEPPELIN-2769 Author: Yanbo Liang <yblia...@gmail.com> Closes #2487 from yanboliang/zeppelin-2769 and squashes the following commits: d1a7ff9b [Yanbo Liang] Prevent SQL injection for GetUserList.getUserList. Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/709c5a70 Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/709c5a70 Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/709c5a70 Branch: refs/heads/master Commit: 709c5a70a8f37277c9eea0a1c0c9195b5eb21a74 Parents: 3a57fc2 Author: Yanbo Liang <yblia...@gmail.com> Authored: Wed Jul 12 15:25:05 2017 +0800 Committer: 1ambda <1am...@gmail.com> Committed: Mon Jul 17 13:45:25 2017 +0900 ---------------------------------------------------------------------- .../src/main/java/org/apache/zeppelin/rest/GetUserList.java | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/zeppelin/blob/709c5a70/zeppelin-server/src/main/java/org/apache/zeppelin/rest/GetUserList.java ----------------------------------------------------------------------
diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/rest/GetUserList.java b/zeppelin-server/src/main/java/org/apache/zeppelin/rest/GetUserList.java
index c0270dd..458d5bd 100644
--- a/zeppelin-server/src/main/java/org/apache/zeppelin/rest/GetUserList.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/rest/GetUserList.java
@@ -231,7 +231,7 @@ public class GetUserList {
 return userlist;
 }
- userquery = "select " + username + " from " + tablename;
+ userquery = "select ? from ?";
 } catch (IllegalAccessException e) {
 LOG.error("Error while accessing dataSource for JDBC Realm", e);
@@ -241,6 +241,8 @@ public class GetUserList {
 try {
 Connection con = dataSource.getConnection();
 ps = con.prepareStatement(userquery);
+ ps.setString(1, username);
+ ps.setString(2, tablename);
 rs = ps.executeQuery();
 while (rs.next()) {
 userlist.add(rs.getString(1).trim());
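Review bot: The two `ps.setString` calls in the second hunk bind `username` and `tablename` as string values, but JDBC bind parameters carry values only, never identifiers, so the driver will send the equivalent of `select 'username' from 'tablename'` — a query that returns a constant or fails to parse instead of reading the user column, which means this change breaks getUserList rather than hardening it. Column and table names have to stay in the SQL text, so the defensible shape is to keep the original `"select " + username + " from " + tablename` from the first hunk and reject anything that is not a plain identifier before building it, e.g. `if (!username.matches("[A-Za-z_][A-Za-z0-9_]*") || !tablename.matches("[A-Za-z_][A-Za-z0-9_]*")) { return userlist; }` (widen the pattern if schema-qualified names are expected), optionally wrapping each name in `DatabaseMetaData.getIdentifierQuoteString()`. The surrounding `IllegalAccessException` catch suggests these values come from the realm configuration rather than a request, so the exposure is likely limited to whoever controls shiro.ini, but the allowlist is cheap and keeps the query well-formed. Separately, `Connection con` obtained in the second hunk is not visibly closed; the enclosing method continues outside the hunk, so confirm it is released in a finally or try-with-resources alongside `ps` and `rs`.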