
Manually concatenated SQL parameters pose a SQL injection risk #3382

Closed
ztycool opened this issue Jul 19, 2020 · 3 comments · Fixed by #3393
Labels: contribution welcome, kind/enhancement (Category issues or prs related to enhancement.)

Comments


ztycool commented Jul 19, 2020

Version 1.3.1
Methods:

  1. com.alibaba.nacos.config.server.service.repository.embedded.EmbeddedStoragePersistServiceImpl#configInfoCount(java.lang.String)
  2. com.alibaba.nacos.config.server.service.repository.extrnal.ExternalStoragePersistServiceImpl#configInfoCount(java.lang.String)
@KomachiSion (Collaborator) commented:

Yes, it is. But I think we have a pre-check for the tenant and namespaceId; it can't include special characters except - and _.

@chuntaojun (Collaborator) commented:

> Yes, it is. But I think we have a pre-check for the tenant and namespaceId; it can't include special characters except - and _.

and using PreparedStatement is better


ztycool commented Jul 20, 2020

@KomachiSion
API endpoint: com.alibaba.nacos.console.controller.NamespaceController#getNamespace
This endpoint accepts arbitrary parameters, so the risk of malicious injection still exists.
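To make the two positions in this thread concrete, here is an added example (not Nacos code; Python's sqlite3 stands in for the project's Java JDBC layer, and the `config_info`/`tenant_id` schema is an assumption). It shows a count query with the tenant spliced into the SQL text, the same query with the tenant bound as a parameter as chuntaojun suggests, and the character pre-check KomachiSion describes as an extra, boundary-level guard:

```python
import re
import sqlite3

# Constructed sample rows; the table shape is an assumption, not Nacos's real schema.
SAMPLE_ROWS = [
    ("app.properties", "DEFAULT_GROUP", "tenant-a"),
    ("db.yaml", "DEFAULT_GROUP", "tenant-a"),
    ("cache.yaml", "DEFAULT_GROUP", "tenant_b"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE config_info (data_id TEXT, group_id TEXT, tenant_id TEXT)")
    conn.executemany("INSERT INTO config_info VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def config_info_count_concat(conn, tenant):
    """Vulnerable form: the tenant becomes part of the SQL text and can alter the query."""
    sql = "SELECT count(*) FROM config_info WHERE tenant_id = '" + tenant + "'"
    return conn.execute(sql).fetchone()[0]


def config_info_count_prepared(conn, tenant):
    """Hardened form: the tenant is bound as a parameter and is always a literal value."""
    sql = "SELECT count(*) FROM config_info WHERE tenant_id = ?"
    return conn.execute(sql, (tenant,)).fetchone()[0]


# Boundary pre-check: letters, digits, '-' and '_' only (the rule the maintainers describe).
# Defence in depth for the API layer; it does not replace parameter binding.
_TENANT_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def is_valid_tenant(tenant):
    return bool(_TENANT_RE.match(tenant))


def run_demo():
    """Returns (concat count for a real tenant, concat count for a crafted tenant,
    prepared count for the crafted tenant, pre-check result for the crafted tenant)."""
    conn = make_db()
    crafted = "tenant-a' OR '1'='1"  # tautology that widens the WHERE clause when spliced in
    return (
        config_info_count_concat(conn, "tenant-a"),
        config_info_count_concat(conn, crafted),
        config_info_count_prepared(conn, crafted),
        is_valid_tenant(crafted),
    )


if __name__ == "__main__":
    print(run_demo())  # (2, 3, 0, False)
```

The concatenated query counts every row for the crafted tenant, the bound query counts none because no tenant has that literal id, and the pre-check rejects the value before it reaches either query.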

@KomachiSion KomachiSion added kind/enhancement Category issues or prs related to enhancement. and removed kind/research labels Jul 21, 2020
@KomachiSion KomachiSion mentioned this issue Aug 4, 2020