Re: [PR] [ZEPPELIN-3725] fix searching user using JdbcRealm [zeppelin]

[via GitHub]

sh1nj1 commented on code in PR #4926:
URL: https://github.com/apache/zeppelin/pull/4926#discussion_r2067744980


##########
zeppelin-server/src/main/java/org/apache/zeppelin/service/ShiroAuthenticationService.java:
##########
@@ -415,26 +424,39 @@ private List<String> getUserList(JdbcRealm obj) {
     try {
       dataSource = (DataSource) FieldUtils.readField(obj, "dataSource", true);
       authQuery = (String) FieldUtils.readField(obj, "authenticationQuery", 
true);
-      LOGGER.info(authQuery);
+      LOGGER.debug("authenticationQuery={}", authQuery);
       String authQueryLowerCase = authQuery.toLowerCase();
       retval = authQueryLowerCase.split("from", 2);
       if (retval.length >= 2) {
         retval = retval[1].split("with|where", 2);
-        tablename = retval[0];
+        tablename = retval[0].trim();
         retval = retval[1].split("where", 2);
         if (retval.length >= 2) {
           retval = retval[1].split("=", 2);
         } else {
           retval = retval[0].split("=", 2);
         }
-        username = retval[0];
+        username = retval[0].trim();
       }
 
       if (StringUtils.isBlank(username) || StringUtils.isBlank(tablename)) {
         return userlist;
       }
+         if (!isValidSqlIdentifier(username)) {
+           throw new IllegalArgumentException(
+             "Invalid column name in authenticationQuery to build userlist 
query: "
+                                 + authQuery + ", allowed pattern: " + 
VALID_SQL_NAME_IDENTIFIER_PATTERN
+                                 + ", name identifier: [" + username + "]");
+         }
+         if (!isValidSqlIdentifier(tablename)) {
+           throw new IllegalArgumentException(
+             "Invalid table name in authenticationQuery to build userlist 
query: "
+                                 + authQuery + ", allowed pattern: " + 
VALID_SQL_NAME_IDENTIFIER_PATTERN
+                                 + ", name identifier: [" + tablename + "]");
+         }
 
-      userquery = "SELECT ? FROM ?";
+         userquery = String.format("SELECT %s FROM %s WHERE %s LIKE ?", 
username, tablename, username);

Review Comment:
   > `SELECT ? FROM ? WHERE ? LIKE ?`
   
   that's the point, previous PR use this form rather than String.format but it 
misuse `PreparedStatement`, so that it creates error.
   
   So I changed and I added some validation for username and tablename for the 
possible SQL Injection that previous PR tried to implement.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: reviews-unsubscr...@zeppelin.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org