fix: Fix possible SQL injection vulnerabilities

Author: XiaJunjie2020

backend/apps/db/db.py

@@ -283,15 +283,15 @@ def get_tables(ds: CoreDatasource):
             with pymysql.connect(user=conf.username, passwd=conf.password, host=conf.host,
                                  port=conf.port, db=conf.database, connect_timeout=conf.timeout,
                                  read_timeout=conf.timeout) as conn, conn.cursor() as cursor:
-                cursor.execute(sql, {"param": sql_param})
+                cursor.execute(sql, (sql_param,))
                 res = cursor.fetchall()
                 res_list = [TableSchema(*item) for item in res]
                 return res_list
         elif ds.type == 'redshift':
             with redshift_connector.connect(host=conf.host, port=conf.port, database=conf.database, user=conf.username,
                                             password=conf.password,
                                             timeout=conf.timeout) as conn, conn.cursor() as cursor:
-                cursor.execute(sql, {"param": sql_param})
+                cursor.execute(sql, (sql_param,))
                 res = cursor.fetchall()
                 res_list = [TableSchema(*item) for item in res]
                 return res_list
@@ -323,15 +323,15 @@ def get_fields(ds: CoreDatasource, table_name: str = None):
             with pymysql.connect(user=conf.username, passwd=conf.password, host=conf.host,
                                  port=conf.port, db=conf.database, connect_timeout=conf.timeout,
                                  read_timeout=conf.timeout) as conn, conn.cursor() as cursor:
-                cursor.execute(sql, {"param1": p1, "param2": p2})
+                cursor.execute(sql, (p1, p2))
                 res = cursor.fetchall()
                 res_list = [ColumnSchema(*item) for item in res]
                 return res_list
         elif ds.type == 'redshift':
             with redshift_connector.connect(host=conf.host, port=conf.port, database=conf.database, user=conf.username,
                                             password=conf.password,
                                             timeout=conf.timeout) as conn, conn.cursor() as cursor:
-                cursor.execute(sql, {"param1": p1, "param2": p2})
+                cursor.execute(sql, (p1, p2))
                 res = cursor.fetchall()
                 res_list = [ColumnSchema(*item) for item in res]
                 return res_list

backend/apps/db/db_sql.py

@@ -33,7 +33,7 @@ def get_version_sql(ds: CoreDatasource, conf: DatasourceConf):
 
 
 def get_table_sql(ds: CoreDatasource, conf: DatasourceConf, db_version: str = ''):
-    if ds.type == "mysql" or ds.type == "doris":
+    if ds.type == "mysql":
         return """
                 SELECT 
                     TABLE_NAME, 
@@ -128,8 +128,18 @@ def get_table_sql(ds: CoreDatasource, conf: DatasourceConf, db_version: str = ''
                   pg_class 
                 WHERE 
                   relkind in  ('r','p', 'f') 
-                  AND relnamespace = (SELECT oid FROM pg_namespace WHERE nspname = :param)
+                  AND relnamespace = (SELECT oid FROM pg_namespace WHERE nspname = %s)
                 """, conf.dbSchema
+    elif ds.type == "doris":
+        return """
+                SELECT 
+                    TABLE_NAME, 
+                    TABLE_COMMENT
+                FROM 
+                    information_schema.TABLES
+                WHERE 
+                    TABLE_SCHEMA = %s
+                """, conf.database
 
 
 def get_field_sql(ds: CoreDatasource, conf: DatasourceConf, table_name: str = None):
@@ -164,7 +174,7 @@ def get_field_sql(ds: CoreDatasource, conf: DatasourceConf, table_name: str = No
                 """
         sql2 = " AND C.TABLE_NAME = :param2" if table_name is not None and table_name != "" else ""
         return sql1 + sql2, conf.dbSchema, table_name
-    elif ds.type == "pg" or ds.type == "excel" or ds.type == "redshift":
+    elif ds.type == "pg" or ds.type == "excel":
         sql1 = """
                SELECT a.attname                                       AS COLUMN_NAME,
                       pg_catalog.format_type(a.atttypid, a.atttypmod) AS DATA_TYPE,
@@ -180,6 +190,22 @@ def get_field_sql(ds: CoreDatasource, conf: DatasourceConf, table_name: str = No
                """
         sql2 = " AND c.relname = :param2" if table_name is not None and table_name != "" else ""
         return sql1 + sql2, conf.dbSchema, table_name
+    elif ds.type == "redshift":
+        sql1 = """
+               SELECT a.attname                                       AS COLUMN_NAME,
+                      pg_catalog.format_type(a.atttypid, a.atttypmod) AS DATA_TYPE,
+                      col_description(c.oid, a.attnum)                AS COLUMN_COMMENT
+               FROM pg_catalog.pg_attribute a
+                        JOIN
+                    pg_catalog.pg_class c ON a.attrelid = c.oid
+                        JOIN
+                    pg_catalog.pg_namespace n ON n.oid = c.relnamespace
+               WHERE n.nspname = %s
+                 AND a.attnum > 0
+                 AND NOT a.attisdropped \
+               """
+        sql2 = " AND c.relname = %s" if table_name is not None and table_name != "" else ""
+        return sql1 + sql2, conf.dbSchema, table_name
     elif ds.type == "oracle":
         sql1 = """
                 SELECT 
@@ -234,3 +260,16 @@ def get_field_sql(ds: CoreDatasource, conf: DatasourceConf, table_name: str = No
                 """
         sql2 = " AND c.TABLE_NAME = :param2" if table_name is not None and table_name != "" else ""
         return sql1 + sql2, conf.dbSchema, table_name
+    elif ds.type == "doris":
+        sql1 = """
+                SELECT 
+                    COLUMN_NAME,
+                    DATA_TYPE,
+                    COLUMN_COMMENT
+                FROM 
+                    INFORMATION_SCHEMA.COLUMNS
+                WHERE 
+                    TABLE_SCHEMA = %s
+                """
+        sql2 = " AND TABLE_NAME = %s" if table_name is not None and table_name != "" else ""
+        return sql1 + sql2, conf.database, table_name