From rajeshb...@apache.org
Subject phoenix git commit: PHOENIX-3613 Avoid possible SQL Injection with proper input validations(Rajeshbabu)
Date Fri, 20 Jan 2017 17:33:19 GMT
Repository: phoenix
Updated Branches:
  refs/heads/4.8-HBase-1.1 2939ca123 -> 9d64bc3ee


PHOENIX-3613 Avoid possible SQL Injection with proper input validations(Rajeshbabu)


Project: http://git-wip-us.apache.org/repos/asf/phoenix/repo
Commit: http://git-wip-us.apache.org/repos/asf/phoenix/commit/9d64bc3e
Tree: http://git-wip-us.apache.org/repos/asf/phoenix/tree/9d64bc3e
Diff: http://git-wip-us.apache.org/repos/asf/phoenix/diff/9d64bc3e

Branch: refs/heads/4.8-HBase-1.1
Commit: 9d64bc3ee29cf18fda7cea548e0d36dbc2f12119
Parents: 2939ca1
Author: Rajeshbabu Chintaguntla <rajeshbabu@apache.org>
Authored: Fri Jan 20 23:15:25 2017 +0530
Committer: Rajeshbabu Chintaguntla <rajeshbabu@apache.org>
Committed: Fri Jan 20 23:15:25 2017 +0530

----------------------------------------------------------------------
 .../tracingwebapp/http/EntityFactory.java       | 19 +-----------------
 .../tracingwebapp/http/TraceServlet.java        | 21 ++++++++++++++++++--
 2 files changed, 20 insertions(+), 20 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/phoenix/blob/9d64bc3e/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/EntityFactory.java
----------------------------------------------------------------------
diff --git a/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/EntityFactory.java
b/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/EntityFactory.java
index afb6312..a17630d 100644
--- a/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/EntityFactory.java
+++ b/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/EntityFactory.java
@@ -39,29 +39,12 @@ public class EntityFactory {
     this.connection = connection;
   }
 
-  public Map<String, Object> findSingle(Object[] params) throws SQLException {
-    List<Map<String, Object>> objects = this.findMultiple(params);
-
-    if (objects.size() != 1) {
-      throw new SQLException("Query did not produce one object it produced: "
-          + objects.size() + " objects.");
-    }
-
-    Map<String, Object> object = objects.get(0); // get first record;
-
-    return object;
-  }
-
-  public List<Map<String, Object>> findMultiple(Object[] params)
+  public List<Map<String, Object>> findMultiple()
       throws SQLException {
     ResultSet rs = null;
     PreparedStatement ps = null;
     try {
       ps = this.connection.prepareStatement(this.queryString);
-      for (int i = 0; i < params.length; ++i) {
-        ps.setObject(1, params[i]);
-      }
-
       rs = ps.executeQuery();
       return getEntitiesFromResultSet(rs);
     } catch (SQLException e) {
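Review bot: Dropping the `params` argument and the binding loop from findMultiple removes the only path through which the tracing webapp could bind values to a PreparedStatement, so every caller is now forced to validate and then string-concatenate its inputs (as the TraceServlet hunks in this commit do). A safer shape keeps binding available while fixing the index bug the old loop had: `public List<Map<String, Object>> findMultiple(Object... params) throws SQLException {` with `for (int i = 0; i < params.length; ++i) { ps.setObject(i + 1, params[i]); }`, which stays source-compatible with the new no-argument call site and lets `LIMIT ?`, `parent_id=?` and `trace_id=?` be bound instead of concatenated. The body of findMultiple (the catch and cleanup) continues past the end of this hunk.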

http://git-wip-us.apache.org/repos/asf/phoenix/blob/9d64bc3e/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/TraceServlet.java
----------------------------------------------------------------------
diff --git a/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/TraceServlet.java
b/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/TraceServlet.java
index de047ba..c20b20d 100755
--- a/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/TraceServlet.java
+++ b/phoenix-tracing-webapp/src/main/java/org/apache/phoenix/tracingwebapp/http/TraceServlet.java
@@ -25,7 +25,7 @@ import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
 import org.codehaus.jackson.map.ObjectMapper;
-
+import org.apache.phoenix.metrics.MetricInfo;
 import java.sql.Connection;
 import java.sql.SQLException;
 import java.util.List;
@@ -82,6 +82,11 @@ public class TraceServlet extends HttpServlet {
     if(limit == null) {
       limit = DEFAULT_LIMIT;
     }
+    try{
+        Long.parseLong(limit);
+    } catch (NumberFormatException e) {
+    	throw new RuntimeException("The LIMIT passed to the query is not a number.", e);
+    }
     String sqlQuery = "SELECT * FROM " + TRACING_TABLE + " LIMIT "+limit;
     json = getResults(sqlQuery);
     return getJson(json);
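Review bot: The result of `Long.parseLong(limit)` is discarded and the original string is concatenated into the query on the `sqlQuery` line, so the value that was validated is not the value that is used; parseLong also accepts a leading sign, so a limit such as "-1" passes the check. Keep and use the parsed number instead: `long parsedLimit = Long.parseLong(limit);`, `if (parsedLimit < 0) { throw new IllegalArgumentException("LIMIT must be non-negative: " + parsedLimit); }` and `String sqlQuery = "SELECT * FROM " + TRACING_TABLE + " LIMIT " + parsedLimit;`. Style: `IllegalArgumentException` is the conventional type for a bad request parameter rather than bare `RuntimeException`, and the `throw` line here (and the two in the searchTrace hunk below) is indented with a tab while the surrounding file uses spaces. The enclosing method begins above this hunk, so where `limit` originates is not visible here.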
@@ -93,6 +98,8 @@ public class TraceServlet extends HttpServlet {
     if(countby == null) {
       countby = DEFAULT_COUNTBY;
     }
+    // Throws exception if the column not present in the trace table.
+    MetricInfo.getColumnName(countby.toLowerCase());
     String sqlQuery = "SELECT "+countby+", COUNT(*) AS count FROM " + TRACING_TABLE + " GROUP
BY "+countby+" HAVING COUNT(*) > 1 ";
     json = getResults(sqlQuery);
     return json;
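Review bot: `MetricInfo.getColumnName(countby.toLowerCase())` is called only for its exception and its return value is thrown away, while the query on the next line still concatenates the caller-supplied `countby` twice in its original case; if that method returns the resolved column name, as its name suggests (the class is not visible in this diff), the query should be built from the returned value rather than the raw parameter, e.g. `String column = MetricInfo.getColumnName(countby.toLowerCase(Locale.ROOT));` and then `"SELECT " + column + ", COUNT(*) AS count FROM " + TRACING_TABLE + " GROUP BY " + column + " HAVING COUNT(*) > 1 "`. `toLowerCase()` without a locale is also locale-dependent (the Turkish dotless-i case), so `Locale.ROOT` (needs `import java.util.Locale;`) keeps the lookup stable across JVM defaults. The enclosing method starts outside this hunk.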
@@ -102,6 +109,16 @@ public class TraceServlet extends HttpServlet {
   protected String searchTrace(String parentId, String traceId,String logic) {
     String json = null;
     String query = null;
+    // Check the parent Id, trace id type or long or not.
+    try {
+        Long.parseLong(parentId);
+        Long.parseLong(traceId);
+    } catch (NumberFormatException e) {
+    	throw new RuntimeException("The passed parentId/traceId is not a number.", e);
+    }
+    if(!logic.equals(LOGIC_AND) || !logic.equals(LOGIC_OR)) {
+    	throw new RuntimeException("Wrong logical operator passed to the query. Only "+ LOGIC_AND+","+LOGIC_OR+"
are allowed.") ;
+    }
     if(parentId != null && traceId != null) {
       query = "SELECT * FROM " + TRACING_TABLE + " WHERE parent_id="+parentId+" "+logic+"
trace_id="+traceId;
     }else if (parentId != null && traceId == null) {
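Review bot: The operator check `if(!logic.equals(LOGIC_AND) || !logic.equals(LOGIC_OR))` is true for every input, because a string cannot equal both constants, so searchTrace now rejects all requests including valid ones; the condition must use `&&`. The new `Long.parseLong(parentId); Long.parseLong(traceId);` calls also throw NumberFormatException when either id is null, yet the `if(parentId != null && traceId != null)` / `else if (parentId != null && traceId == null)` branches that follow exist precisely to handle those null cases, so the validation should be conditional: `if (parentId != null) { Long.parseLong(parentId); }`, `if (traceId != null) { Long.parseLong(traceId); }` and `if (logic == null || (!logic.equals(LOGIC_AND) && !logic.equals(LOGIC_OR))) {`. Whether `logic` can arrive null depends on the caller, which is outside this hunk, so the null guard is a precaution; the rest of searchTrace's branch chain continues below the hunk.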
@@ -132,7 +149,7 @@ public class TraceServlet extends HttpServlet {
       con = ConnectionFactory.getConnection();
       EntityFactory nutrientEntityFactory = new EntityFactory(con,sqlQuery);
       List<Map<String, Object>> nutrients = nutrientEntityFactory
-          .findMultiple(new Object[] {});
+          .findMultiple();
       ObjectMapper mapper = new ObjectMapper();
       json = mapper.writeValueAsString(nutrients);
     } catch (Exception e) {

