
[Improvement] Possible SQL injection in MysqlDatabaseOperations.java and JdbcDatabaseOperations.java #3026

Open
justinmclean opened this issue Apr 19, 2024 · 6 comments
Labels
good first issue Good for newcomers improvement Improvements on everything

Comments

@justinmclean
Member

What would you like to be improved?

The database name should be validated before being used to construct the SQL that shows tables. (Search for "SHOW TABLES IN".) Note that the SQL strings are also built in different ways in each file and probably should be built the same way.

How should we improve?

Validate the name or use query parameters.
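The "validate the name" option from the issue body, as an added example that is not Gravitino's code. JDBC bind parameters can only stand in for values, not for identifiers such as a database name, so for `SHOW TABLES IN <db>` the applicable fix is an allowlist check plus identifier quoting, built in one shared helper so both operations classes produce the statement the same way. The class and method names (`SafeShowTables`, `validateDatabaseName`, `quoteIdentifier`, `showTablesSql`, `listTables`) are hypothetical, and backtick quoting assumes MySQL-style identifiers.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Hypothetical helper (not Gravitino code) illustrating the validation suggested in this issue. */
public final class SafeShowTables {

  // Conservative allowlist: MySQL unquoted-identifier characters, length 1..64.
  private static final Pattern SAFE_IDENTIFIER = Pattern.compile("^[A-Za-z0-9_$]{1,64}$");

  private SafeShowTables() {}

  /** Rejects any database name that is not a plain identifier; returns it unchanged otherwise. */
  public static String validateDatabaseName(String databaseName) {
    if (databaseName == null || !SAFE_IDENTIFIER.matcher(databaseName).matches()) {
      throw new IllegalArgumentException("Invalid database name: " + databaseName);
    }
    return databaseName;
  }

  /** Quotes an identifier with backticks, doubling any embedded backtick (defense in depth). */
  public static String quoteIdentifier(String identifier) {
    return "`" + identifier.replace("`", "``") + "`";
  }

  /** Single code path for building the statement, so every caller constructs it identically. */
  public static String showTablesSql(String databaseName) {
    return "SHOW TABLES IN " + quoteIdentifier(validateDatabaseName(databaseName));
  }

  /** Runs the statement; the identifier is validated and quoted because it cannot be bound. */
  public static List<String> listTables(Connection connection, String databaseName)
      throws SQLException {
    List<String> tables = new ArrayList<>();
    try (PreparedStatement ps = connection.prepareStatement(showTablesSql(databaseName));
        ResultSet rs = ps.executeQuery()) {
      while (rs.next()) {
        tables.add(rs.getString(1));
      }
    }
    return tables;
  }

  public static void main(String[] args) {
    // Constructed inputs: one plain identifier, one containing characters outside the allowlist.
    System.out.println(showTablesSql("inventory"));
    try {
      showTablesSql("inventory;x");
    } catch (IllegalArgumentException e) {
      System.out.println("Rejected: " + e.getMessage());
    }
  }
}
```

The allowlist is deliberately stricter than what MySQL accepts for quoted identifiers; widening it (for example to allow hyphens) is a product decision, but the quoting step should stay so that the statement remains well-formed for anything the validator lets through.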

@justinmclean justinmclean added good first issue Good for newcomers improvement Improvements on everything labels Apr 19, 2024
@lw-yang
Contributor

lw-yang commented Apr 19, 2024

I will fix it, could you assign it to me?

@shaofengshi
Contributor

Pls go ahead, lw-yang!

@jerryshao jerryshao added this to the Gravitino June Release milestone Apr 24, 2024
@justinmclean
Member Author

@lw-yang do you still want to work on this?

@lw-yang
Contributor

lw-yang commented Jul 29, 2024

Yes, I will complete it this week.

@lw-yang
Contributor

lw-yang commented Aug 5, 2024

@justinmclean It has been validated by

return applyCapabilities(schemaIdent, Capability.Scope.SCHEMA, capabilities);

@YuanG0319tt

Was this ticket still open?
