yuanoOo opened a new pull request, #4124:
URL: https://github.com/apache/flink-cdc/pull/4124

## Description

Fixes SQL injection vulnerabilities in OceanBase connector's `databaseExists` and `tableExists` methods by replacing string concatenation with parameterized queries.

## Changes

- **OceanBaseCatalog.java**: Added parameterized query support to `executeSingleColumnStatement`
- **OceanBaseMySQLCatalog.java**: Fixed `databaseExists` and `tableExists` to use `PreparedStatement`
- **OceanBaseTestMySQLCatalog.java**: Updated method signature
- **Tests**: Added SQL injection prevention test cases

## Security Analysis

- **Fixed**: `databaseExists` and `tableExists` methods now use parameterized queries
- **Already Secure**: `createTable` method uses proper identifier quoting with backticks, no changes needed

## Security Fix

**Before**: `String.format("SELECT ... WHERE SCHEMA_NAME = '%s'", databaseName)` ❌
**After**: `PreparedStatement` with parameterized queries ✅

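The before/after contrast in the PR description, as an added, self-contained example (not code from the flink-cdc project or the PR author). It uses an in-memory SQLite database as a stand-in for MySQL's `information_schema`, so the table names `schemata` and `tables` and the two-row sample data are constructed assumptions; the point it demonstrates is the one the PR makes: an existence check built with `'%s'` formatting lets a crafted name change the query's logic and also breaks on legitimate names containing a quote, while binding the name as a parameter does neither.

```python
import sqlite3


def make_catalog_db() -> sqlite3.Connection:
    """Constructed stand-in for information_schema.SCHEMATA / TABLES (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE schemata (schema_name TEXT NOT NULL)")
    conn.execute("CREATE TABLE tables (table_schema TEXT NOT NULL, table_name TEXT NOT NULL)")
    # Sample rows, including a legitimate name that contains an apostrophe.
    conn.executemany("INSERT INTO schemata VALUES (?)", [("app_db",), ("o'brien_db",)])
    conn.executemany("INSERT INTO tables VALUES (?, ?)", [("app_db", "orders")])
    conn.commit()
    return conn


def database_exists_unsafe(conn: sqlite3.Connection, database_name: str) -> bool:
    # The "before" pattern: the caller-supplied name is spliced into the SQL text,
    # so quote characters in the name are parsed as SQL, not as data.
    sql = "SELECT COUNT(*) FROM schemata WHERE schema_name = '%s'" % database_name
    (count,) = conn.execute(sql).fetchone()
    return count > 0


def database_exists_safe(conn: sqlite3.Connection, database_name: str) -> bool:
    # The "after" pattern: the name is bound as a parameter; the SQL text is fixed.
    sql = "SELECT COUNT(*) FROM schemata WHERE schema_name = ?"
    (count,) = conn.execute(sql, (database_name,)).fetchone()
    return count > 0


def table_exists_safe(conn: sqlite3.Connection, database_name: str, table_name: str) -> bool:
    # Same technique with two bound values, mirroring a tableExists(db, table) check.
    sql = "SELECT COUNT(*) FROM tables WHERE table_schema = ? AND table_name = ?"
    (count,) = conn.execute(sql, (database_name, table_name)).fetchone()
    return count > 0


def compare(conn: sqlite3.Connection, database_name: str) -> dict:
    """Run both variants on one input; report an error string where the unsafe one fails."""
    try:
        unsafe = database_exists_unsafe(conn, database_name)
    except sqlite3.Error as exc:
        unsafe = f"error: {exc}"
    return {"unsafe": unsafe, "safe": database_exists_safe(conn, database_name)}


if __name__ == "__main__":
    db = make_catalog_db()
    for name in ("app_db", "missing' OR '1'='1", "o'brien_db"):
        print(repr(name), "->", compare(db, name))
```

Running the block prints the three cases side by side: a real name is found by both variants; a name that injects `OR '1'='1` is reported as existing by the formatted query but not by the bound one; and a name with an apostrophe raises a syntax error in the formatted query while the bound query finds it. The detection angle for a defender is the same as the PR's added test cases: feed names containing quotes and SQL fragments to the existence checks and require that they return false (or a clean error) rather than true.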

-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
