[apache#4211] improvement(catalog-jdbc-mysql): Validated databaseName…

… preventing possible SQL injection in MysqlDatabaseOperations.java
ria28 · Jul 20, 2024 · b4e937b · b4e937b
1 parent ba75c86
commit b4e937b
Showing 1 changed file with 9 additions and 6 deletions.
diff --git a/...l/src/main/java/org/apache/gravitino/catalog/mysql/operation/MysqlDatabaseOperations.java b/...l/src/main/java/org/apache/gravitino/catalog/mysql/operation/MysqlDatabaseOperations.java
@@ -23,12 +23,8 @@
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Locale;
-import java.util.Map;
-import java.util.Set;
+import java.util.*;
+
 import org.apache.commons.collections4.MapUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.gravitino.StringIdentifier;
@@ -75,6 +71,7 @@ public String generateCreateDatabaseSql(
 
   @Override
   public String generateDropDatabaseSql(String databaseName, boolean cascade) {
+    validateDatabaseName(databaseName);
     final String dropDatabaseSql = "DROP DATABASE `" + databaseName + "`";
     if (cascade) {
       return dropDatabaseSql;
@@ -120,4 +117,10 @@ public JdbcSchema load(String databaseName) throws NoSuchSchemaException {
   protected boolean isSystemDatabase(String dbName) {
     return SYS_MYSQL_DATABASE_NAMES.contains(dbName.toLowerCase(Locale.ROOT));
   }
+
+  public void validateDatabaseName(String databaseName){
+    if(Objects.isNull(databaseName) || databaseName.trim().isEmpty()){
+      throw new IllegalArgumentException("Database name cannot be null or empty.");
+    }
+  }
 }