[Bug][dao] potential horizontal unauthorized access #3573

Closed
vanilla111 opened this issue Aug 22, 2020 · 1 comment
vanilla111 (Contributor) wrote:

Description

In the file dolphinscheduler-dao/src/main/resources/org/apache/dolphinscheduler/dao/mapper/ProcessInstanceMapper.xml there is a method called queryLastRunningProcess; the SQL statement in it on line 12 may cause horizontal unauthorized access.

If the caller does not notice this problem and provides a startTime or endTime that is null, then it is possible for them to query other users' process instances.

```xml
1. <select id="queryLastRunningProcess" resultType="org.apache.dolphinscheduler.dao.entity.ProcessInstance">
2.     select *
3.     from t_ds_process_instance
4.     where 1=1
5.     <if test="states !=null and states.length != 0">
6.         and state in
7.         <foreach collection="states" item="i" index="index" open="(" separator="," close=")">
8.             #{i}
9.         </foreach>
10.    </if>
11.    <if test="startTime!=null and endTime != null ">
12.        and process_definition_id=#{processDefinitionId}
13.        and (schedule_time <![CDATA[ >= ]]> #{startTime} and schedule_time <![CDATA[ <= ]]> #{endTime}
14.              or start_time <![CDATA[ >= ]]> #{startTime} and start_time <![CDATA[ <= ]]> #{endTime})
15.    </if>
16.    order by start_time desc limit 1
17.</select>
```
@vanilla111 vanilla111 added the bug Something isn't working label Aug 22, 2020
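To make the scoping problem concrete, here is an added example (my own, not DolphinScheduler code) that rebuilds the mapper's dynamic SQL in Python and runs it against an in-memory SQLite table with two constructed rows. The `fixed` switch is an assumption for the demo: `False` reproduces the XML as posted, where the `process_definition_id` filter lives inside the time `<if>`; `True` applies that filter unconditionally.

```python
import sqlite3

# Constructed sample rows: (id, process_definition_id, state, schedule_time, start_time).
# Row 2 belongs to a different process definition than the one the caller asks for.
ROWS = [
    (1, 100, 1, "2020-08-01 10:00:00", "2020-08-01 10:00:05"),
    (2, 200, 1, "2020-08-20 10:00:00", "2020-08-20 10:00:05"),
]


def build_query(process_definition_id, states, start_time, end_time, fixed):
    """Mimic the MyBatis dynamic SQL of queryLastRunningProcess.

    fixed=False: process_definition_id is only added when both times are set (the bug).
    fixed=True:  process_definition_id is always part of the WHERE clause.
    """
    sql = "select * from t_ds_process_instance where 1=1"
    params = []
    if fixed:
        sql += " and process_definition_id=?"
        params.append(process_definition_id)
    if states:  # mirrors: states != null and states.length != 0
        sql += " and state in (" + ",".join("?" * len(states)) + ")"
        params.extend(states)
    if start_time is not None and end_time is not None:
        if not fixed:
            sql += " and process_definition_id=?"
            params.append(process_definition_id)
        sql += (" and (schedule_time >= ? and schedule_time <= ?"
                " or start_time >= ? and start_time <= ?)")
        params.extend([start_time, end_time, start_time, end_time])
    sql += " order by start_time desc limit 1"
    return sql, params


def query_last_running_process(process_definition_id, states, start_time, end_time, fixed):
    """Run the generated query over the constructed table; returns the selected row or None."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table t_ds_process_instance (id integer, process_definition_id integer,"
                 " state integer, schedule_time text, start_time text)")
    conn.executemany("insert into t_ds_process_instance values (?,?,?,?,?)", ROWS)
    sql, params = build_query(process_definition_id, states, start_time, end_time, fixed)
    row = conn.execute(sql, params).fetchone()
    conn.close()
    return row
```

With a null time window the unfixed query hands back the newest instance of any definition (row 2, definition 200) even though definition 100 was requested; the hoisted filter returns only definition 100's row.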
xingchun-chen (Contributor) wrote:

@lenboo move out "and process_definition_id=#{processDefinitionId}"

@xingchun-chen xingchun-chen added this to the 1.3.3-release milestone Sep 3, 2020
lenboo pushed a commit to lenboo/dolphinscheduler that referenced this issue Oct 10, 2020
lgcareer pushed a commit that referenced this issue Oct 12, 2020
* fix bug[#3573] potential horizontal unauthorized access

* fix bug[#3573] potential horizontal unauthorized access

Co-authored-by: baoliang <baoliang@analysys.com.cn>
@lenboo lenboo closed this as completed Oct 13, 2020