手动拼接sql参数存在SQL注入风险 #3382

ztycool · 2020-07-19T16:15:14Z

版本1.3.1
方法：

com.alibaba.nacos.config.server.service.repository.embedded.EmbeddedStoragePersistServiceImpl#configInfoCount(java.lang.String)
com.alibaba.nacos.config.server.service.repository.extrnal.ExternalStoragePersistServiceImpl#configInfoCount(java.lang.String)

KomachiSion · 2020-07-20T01:28:24Z

Yes, it is. But I think we have pre-check for the tenant and namesapceId, it can't include special characters except -,_.

chuntaojun · 2020-07-20T02:08:27Z

Yes, it is. But I think we have pre-check for the tenant and namesapceId, it can't include special characters except -,_.

and use PrepareStatement is better

ztycool · 2020-07-20T03:21:52Z

@KomachiSion
api接口：com.alibaba.nacos.console.controller.NamespaceController#getNamespace
在这个接口上可以接收任意参数，恶意注入风险还是存在的

KomachiSion added the kind/research label Jul 20, 2020

chuntaojun added the contribution welcome label Jul 20, 2020

J-Cod3r mentioned this issue Jul 20, 2020

[ISSUE #3382] Use PreparedStatement to replace string concatenation #3393

Merged

5 tasks

KomachiSion closed this as completed in #3393 Jul 21, 2020

KomachiSion added kind/enhancement Category issues or prs related to enhancement. and removed kind/research labels Jul 21, 2020

KomachiSion mentioned this issue Aug 4, 2020

Upgrade to 1.3.2 #3519

Merged

5 tasks

Provide feedback