
Commit 24f23b4

committed
fix: Fix possible SQL injection vulnerabilities
1 parent 3ecf2a0 commit 24f23b4


2 files changed

+60
-60
lines changed


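--- a/backend/apps/db/db.py
+++ b/backend/apps/db/db.py
@@ -264,34 +264,34 @@ def get_schema(ds: CoreDatasource):
 def get_tables(ds: CoreDatasource):
 conf = DatasourceConf(**json.loads(aes_decrypt(ds.configuration))) if ds.type != "excel" else get_engine_config()
 db = DB.get_db(ds.type)
-sql = get_table_sql(ds, conf, get_version(ds))
+sql, sql_param = get_table_sql(ds, conf, get_version(ds))
 if db.connect_type == ConnectType.sqlalchemy:
 with get_session(ds) as session:
-with session.execute(text(sql)) as result:
+with session.execute(text(sql), {"param": sql_param}) as result:
 res = result.fetchall()
 res_list = [TableSchema(*item) for item in res]
 return res_list
 else:
 if ds.type == 'dm':
 with dmPython.connect(user=conf.username, password=conf.password, server=conf.host,
 port=conf.port) as conn, conn.cursor() as cursor:
-cursor.execute(sql, timeout=conf.timeout)
+cursor.execute(sql, {"param": sql_param}, timeout=conf.timeout)
 res = cursor.fetchall()
 res_list = [TableSchema(*item) for item in res]
 return res_list
 elif ds.type == 'doris':
 with pymysql.connect(user=conf.username, passwd=conf.password, host=conf.host,
 port=conf.port, db=conf.database, connect_timeout=conf.timeout,
 read_timeout=conf.timeout) as conn, conn.cursor() as cursor:
-cursor.execute(sql)
+cursor.execute(sql, {"param": sql_param})
 res = cursor.fetchall()
 res_list = [TableSchema(*item) for item in res]
 return res_list
 elif ds.type == 'redshift':
 with redshift_connector.connect(host=conf.host, port=conf.port, database=conf.database, user=conf.username,
 password=conf.password,
 timeout=conf.timeout) as conn, conn.cursor() as cursor:
-cursor.execute(sql)
+cursor.execute(sql, {"param": sql_param})
 res = cursor.fetchall()
 res_list = [TableSchema(*item) for item in res]
 return res_list
@@ -304,34 +304,34 @@ def get_tables(ds: CoreDatasource):
 def get_fields(ds: CoreDatasource, table_name: str = None):
 conf = DatasourceConf(**json.loads(aes_decrypt(ds.configuration))) if ds.type != "excel" else get_engine_config()
 db = DB.get_db(ds.type)
-sql = get_field_sql(ds, conf, table_name)
+sql, p1, p2 = get_field_sql(ds, conf, table_name)
 if db.connect_type == ConnectType.sqlalchemy:
 with get_session(ds) as session:
-with session.execute(text(sql)) as result:
+with session.execute(text(sql), {"param1": p1, "param2": p2}) as result:
 res = result.fetchall()
 res_list = [ColumnSchema(*item) for item in res]
 return res_list
 else:
 if ds.type == 'dm':
 with dmPython.connect(user=conf.username, password=conf.password, server=conf.host,
 port=conf.port) as conn, conn.cursor() as cursor:
-cursor.execute(sql, timeout=conf.timeout)
+cursor.execute(sql, {"param1": p1, "param2": p2}, timeout=conf.timeout)
 res = cursor.fetchall()
 res_list = [ColumnSchema(*item) for item in res]
 return res_list
 elif ds.type == 'doris':
 with pymysql.connect(user=conf.username, passwd=conf.password, host=conf.host,
 port=conf.port, db=conf.database, connect_timeout=conf.timeout,
 read_timeout=conf.timeout) as conn, conn.cursor() as cursor:
-cursor.execute(sql)
+cursor.execute(sql, {"param1": p1, "param2": p2})
 res = cursor.fetchall()
 res_list = [ColumnSchema(*item) for item in res]
 return res_list
 elif ds.type == 'redshift':
 with redshift_connector.connect(host=conf.host, port=conf.port, database=conf.database, user=conf.username,
 password=conf.password,
 timeout=conf.timeout) as conn, conn.cursor() as cursor:
-cursor.execute(sql)
+cursor.execute(sql, {"param1": p1, "param2": p2})
 res = cursor.fetchall()
 res_list = [ColumnSchema(*item) for item in res]
 return res_list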
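Review bot: The `:param` placeholder the new statements carry is the SQLAlchemy `text()` named style, but the doris and redshift branches hand the same string to the raw driver (lines 286 and 294 in get_tables, 326 and 334 in get_fields): pymysql's paramstyle is pyformat (`%(param)s`), so `cursor.execute(sql, {"param": sql_param})` performs no substitution and the literal `:param` token reaches the server, and redshift_connector defaults to the `format` style unless `redshift_connector.paramstyle` is set to `'named'`; dmPython's accepted placeholder syntax should be checked the same way for the dm branches. Either render the placeholder in each driver's style for these branches, or route them through the SQLAlchemy session so a single statement form is executed everywhere. A smaller point in get_fields: `{"param1": p1, "param2": p2}` is bound even when get_field_sql appended no `:param2` clause, which some drivers reject as an unreferenced bind name, so the key should be dropped when `p2` is empty. Both hunks end on a `return res_list`; whether the functions continue past them is not visible.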

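--- a/backend/apps/db/db_sql.py
+++ b/backend/apps/db/db_sql.py
@@ -34,17 +34,17 @@ def get_version_sql(ds: CoreDatasource, conf: DatasourceConf):
 
 def get_table_sql(ds: CoreDatasource, conf: DatasourceConf, db_version: str = ''):
 if ds.type == "mysql" or ds.type == "doris":
-return f"""
+return """
 SELECT
 TABLE_NAME,
 TABLE_COMMENT
 FROM
 information_schema.TABLES
 WHERE
-TABLE_SCHEMA = '{conf.database}'
-"""
+TABLE_SCHEMA = :param
+""", conf.database
 elif ds.type == "sqlServer":
-return f"""
+return """
 SELECT
 TABLE_NAME AS [TABLE_NAME],
 ISNULL(ep.value, '') AS [TABLE_COMMENT]
@@ -57,97 +57,97 @@ def get_table_sql(ds: CoreDatasource, conf: DatasourceConf, db_version: str = ''
 AND ep.name = 'MS_Description'
 WHERE
 t.TABLE_TYPE IN ('BASE TABLE', 'VIEW')
-AND t.TABLE_SCHEMA = '{conf.dbSchema}'
-"""
+AND t.TABLE_SCHEMA = :param
+""", conf.dbSchema
 elif ds.type == "pg" or ds.type == "excel":
-return f"""
+return """
 SELECT c.relname AS TABLE_NAME,
 COALESCE(d.description, obj_description(c.oid)) AS TABLE_COMMENT
 FROM pg_class c
 LEFT JOIN
 pg_namespace n ON n.oid = c.relnamespace
 LEFT JOIN
 pg_description d ON d.objoid = c.oid AND d.objsubid = 0
-WHERE n.nspname = '{conf.dbSchema}'
+WHERE n.nspname = :param
 AND c.relkind IN ('r', 'v', 'p', 'm')
 AND c.relname NOT LIKE 'pg_%'
 AND c.relname NOT LIKE 'sql_%'
 ORDER BY c.relname \
-"""
+""", conf.dbSchema
 elif ds.type == "oracle":
-return f"""
+return """
 SELECT
 t.TABLE_NAME AS "TABLE_NAME",
 NVL(c.COMMENTS, '') AS "TABLE_COMMENT"
 FROM (
 SELECT TABLE_NAME, 'TABLE' AS OBJECT_TYPE
 FROM DBA_TABLES
-WHERE OWNER = '{conf.dbSchema}'
+WHERE OWNER = :param
 UNION ALL
 SELECT VIEW_NAME AS TABLE_NAME, 'VIEW' AS OBJECT_TYPE
 FROM DBA_VIEWS
-WHERE OWNER = '{conf.dbSchema}'
+WHERE OWNER = :param
 ) t
 LEFT JOIN DBA_TAB_COMMENTS c
 ON t.TABLE_NAME = c.TABLE_NAME
 AND c.TABLE_TYPE = t.OBJECT_TYPE
-AND c.OWNER = '{conf.dbSchema}'
+AND c.OWNER = :param
 ORDER BY t.TABLE_NAME
-"""
+""", conf.dbSchema
 elif ds.type == "ck":
 version = int(db_version.split('.')[0])
 if version < 22:
-return f"""
+return """
 SELECT name, null as comment
 FROM system.tables
-WHERE database = '{conf.database}'
+WHERE database = :param
 AND engine NOT IN ('Dictionary')
 ORDER BY name
-"""
+""", conf.database
 else:
-return f"""
+return """
 SELECT name, comment
 FROM system.tables
-WHERE database = '{conf.database}'
+WHERE database = :param
 AND engine NOT IN ('Dictionary')
 ORDER BY name
-"""
+""", conf.database
 elif ds.type == 'dm':
-return f"""
+return """
 select table_name, comments
 from all_tab_comments
-where owner='{conf.dbSchema}'
+where owner=:param
 AND (table_type = 'TABLE' or table_type = 'VIEW')
-"""
+""", conf.dbSchema
 elif ds.type == 'redshift':
-return f"""
+return """
 SELECT
 relname AS TableName,
 obj_description(relfilenode::regclass, 'pg_class') AS TableDescription
 FROM
 pg_class
 WHERE
 relkind in ('r','p', 'f')
-AND relnamespace = (SELECT oid FROM pg_namespace WHERE nspname = '{conf.dbSchema}')
-"""
+AND relnamespace = (SELECT oid FROM pg_namespace WHERE nspname = :param)
+""", conf.dbSchema
 
 
 def get_field_sql(ds: CoreDatasource, conf: DatasourceConf, table_name: str = None):
 if ds.type == "mysql" or ds.type == "doris":
-sql1 = f"""
+sql1 = """
 SELECT
 COLUMN_NAME,
 DATA_TYPE,
 COLUMN_COMMENT
 FROM
 INFORMATION_SCHEMA.COLUMNS
 WHERE
-TABLE_SCHEMA = '{conf.database}'
+TABLE_SCHEMA = :param1
 """
-sql2 = f" AND TABLE_NAME = '{table_name}'" if table_name is not None and table_name != "" else ""
-return sql1 + sql2
+sql2 = " AND TABLE_NAME = :param2" if table_name is not None and table_name != "" else ""
+return sql1 + sql2, conf.database, table_name
 elif ds.type == "sqlServer":
-sql1 = f"""
+sql1 = """
 SELECT
 COLUMN_NAME AS [COLUMN_NAME],
 DATA_TYPE AS [DATA_TYPE],
@@ -160,12 +160,12 @@ def get_field_sql(ds: CoreDatasource, conf: DatasourceConf, table_name: str = No
 AND EP.minor_id = C.ORDINAL_POSITION
 AND EP.name = 'MS_Description'
 WHERE
-C.TABLE_SCHEMA = '{conf.dbSchema}'
+C.TABLE_SCHEMA = :param1
 """
-sql2 = f" AND C.TABLE_NAME = '{table_name}'" if table_name is not None and table_name != "" else ""
-return sql1 + sql2
+sql2 = " AND C.TABLE_NAME = :param2" if table_name is not None and table_name != "" else ""
+return sql1 + sql2, conf.dbSchema, table_name
 elif ds.type == "pg" or ds.type == "excel" or ds.type == "redshift":
-sql1 = f"""
+sql1 = """
 SELECT a.attname AS COLUMN_NAME,
 pg_catalog.format_type(a.atttypid, a.atttypmod) AS DATA_TYPE,
 col_description(c.oid, a.attnum) AS COLUMN_COMMENT
@@ -174,14 +174,14 @@ def get_field_sql(ds: CoreDatasource, conf: DatasourceConf, table_name: str = No
 pg_catalog.pg_class c ON a.attrelid = c.oid
 JOIN
 pg_catalog.pg_namespace n ON n.oid = c.relnamespace
-WHERE n.nspname = '{conf.dbSchema}'
+WHERE n.nspname = :param1
 AND a.attnum > 0
 AND NOT a.attisdropped \
 """
-sql2 = f" AND c.relname = '{table_name}'" if table_name is not None and table_name != "" else ""
-return sql1 + sql2
+sql2 = " AND c.relname = :param2" if table_name is not None and table_name != "" else ""
+return sql1 + sql2, conf.dbSchema, table_name
 elif ds.type == "oracle":
-sql1 = f"""
+sql1 = """
 SELECT
 col.COLUMN_NAME AS "COLUMN_NAME",
 (CASE
@@ -201,23 +201,23 @@ def get_field_sql(ds: CoreDatasource, conf: DatasourceConf, table_name: str = No
 AND col.TABLE_NAME = com.TABLE_NAME
 AND col.COLUMN_NAME = com.COLUMN_NAME
 WHERE
-col.OWNER = '{conf.dbSchema}'
+col.OWNER = :param1
 """
-sql2 = f" AND col.TABLE_NAME = '{table_name}'" if table_name is not None and table_name != "" else ""
-return sql1 + sql2
+sql2 = " AND col.TABLE_NAME = :param2" if table_name is not None and table_name != "" else ""
+return sql1 + sql2, conf.dbSchema, table_name
 elif ds.type == "ck":
-sql1 = f"""
+sql1 = """
 SELECT
 name AS COLUMN_NAME,
 type AS DATA_TYPE,
 comment AS COLUMN_COMMENT
 FROM system.columns
-WHERE database = '{conf.database}'
+WHERE database = :param1
 """
-sql2 = f" AND table = '{table_name}'" if table_name is not None and table_name != "" else ""
-return sql1 + sql2
+sql2 = " AND table = :param2" if table_name is not None and table_name != "" else ""
+return sql1 + sql2, conf.database, table_name
 elif ds.type == 'dm':
-sql1 = f"""
+sql1 = """
 SELECT
 c.COLUMN_NAME AS "COLUMN_NAME",
 c.DATA_TYPE AS "DATA_TYPE",
@@ -230,7 +230,7 @@ def get_field_sql(ds: CoreDatasource, conf: DatasourceConf, table_name: str = No
 AND c.TABLE_NAME = com.TABLE_NAME
 AND c.COLUMN_NAME = com.COLUMN_NAME
 WHERE
-c.OWNER = '{conf.dbSchema}'
+c.OWNER = :param1
 """
-sql2 = f" AND c.TABLE_NAME = '{table_name}'" if table_name is not None and table_name != "" else ""
-return sql1 + sql2
+sql2 = " AND c.TABLE_NAME = :param2" if table_name is not None and table_name != "" else ""
+return sql1 + sql2, conf.dbSchema, table_name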
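Review bot: The new tuple return contracts of get_table_sql and get_field_sql are undocumented, and get_field_sql returns `table_name` as its third element in every branch (e.g. line 148) even when it appended no `:param2` clause, so the caller ends up binding a name the statement never references. A docstring such as `"""Return (sql, schema): sql carries a :param named placeholder that must be bound to schema."""` on get_table_sql, and `"""Return (sql, schema, table): sql uses :param1 for schema and, only when table is non-empty, :param2 for table."""` on get_field_sql, would make the placeholder style and the optional second bind explicit to the executor in db.py. Note also that get_table_sql still has no final `else` after the redshift branch (line 132), so an unrecognised `ds.type` returns `None` and the caller's `sql, sql_param = get_table_sql(...)` now fails with a TypeError on unpacking rather than at execute time; an explicit `raise ValueError(f"unsupported datasource type: {ds.type}")` there would make that failure readable. get_field_sql's last hunk ends at line 236; whether the function continues past it is not visible.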
