SUBMARINE-1361. Fix Submarine SQL injection vulnerability

### What is this PR for? Currently a SQL injection vulnerability has been checked in submarine and the relevant part of the `like` statement in mybatis needs to be fixed. ### What type of PR is it? Bug Fix ### Todos * [x] - replace `like` statement to `concat('%', #{param}, '%')` ### What is the Jira issue? https://issues.apache.org/jira/browse/SUBMARINE-1361 ### How should this be tested? Added a test case verification code in `submarine-server/server-database/src/test/java/org/apache/submarine/server/database/workbench/database/service/SysUserServiceTest.java` ### Screenshots (if appropriate) NA ### Questions: * Do the license files need updating? No * Are there breaking changes for older versions? No * Does this need new documentation? No Author: cdmikechen <cdmikechen@apache.org> Signed-off-by: cdmikechen <cdmikechen@apache.org> Closes #1037 from cdmikechen/SUBMARINE-1361 and squashes the following commits: 34fb34b [cdmikechen] Avoid sql injection
apache · Jan 16, 2023 · 4cd2af1 · 4cd2af1
1 parent 58cf1d5
commit 4cd2af1
Show file tree

Hide file tree

Showing 5 changed files with 21 additions and 8 deletions.
diff --git a/...erver-database/src/main/resources/org/apache/submarine/database/mappers/SysDeptMapper.xml b/...erver-database/src/main/resources/org/apache/submarine/database/mappers/SysDeptMapper.xml
@@ -42,8 +42,8 @@
     SELECT a.*, b.dept_name AS parent_name
     FROM sys_department a LEFT JOIN sys_department b ON a.parent_code=b.dept_code
     WHERE 1=1
-    <if test="deptCode!=null and deptCode!=''"> AND a.`dept_code` like '%${deptCode}%' </if>
-    <if test="deptName!=null and deptName!=''"> AND a.`dept_name` like '%${deptName}%' </if>
+    <if test="deptCode!=null and deptCode!=''"> AND a.`dept_code` like concat('%', #{deptCode}, '%')</if>
+    <if test="deptName!=null and deptName!=''"> AND a.`dept_name` like concat('%', #{deptName}, '%')</if>
     ORDER BY a.sort_order
   </select>
 

diff --git a/...r-database/src/main/resources/org/apache/submarine/database/mappers/SysDictItemMapper.xml b/...r-database/src/main/resources/org/apache/submarine/database/mappers/SysDictItemMapper.xml
@@ -31,8 +31,8 @@
   <select id="selectAll" resultMap="resultMap">
     SELECT * FROM sys_dict_item WHERE 1 = 1
     <if test="dictCode!=null and dictCode!=''"> AND `dict_code` = #{dictCode}</if>
-    <if test="itemCode!=null and itemCode!=''"> AND `item_code` like '%${itemCode}%'</if>
-    <if test="itemName!=null and itemName!=''"> AND `item_name` like '%${itemName}%'</if>
+    <if test="itemCode!=null and itemCode!=''"> AND `item_code` like concat('%', #{itemCode}, '%')</if>
+    <if test="itemName!=null and itemName!=''"> AND `item_name` like concat('%', #{itemName}, '%')</if>
     ORDER BY sort_order
   </select>
   <resultMap id="resultMap" type="org.apache.submarine.server.database.workbench.entity.SysDictItemEntity" extends="BaseEntityResultMap">

diff --git a/...erver-database/src/main/resources/org/apache/submarine/database/mappers/SysDictMapper.xml b/...erver-database/src/main/resources/org/apache/submarine/database/mappers/SysDictMapper.xml
@@ -31,8 +31,8 @@
   <select id="selectAll" parameterType="java.util.Map" resultMap="resultMap">
     SELECT * FROM sys_dict
     WHERE 1=1
-    <if test="dictCode!=null and dictCode!=''">AND `dict_code` like '%${dictCode}%'</if>
-    <if test="dictName!=null and dictName!=''">AND `dict_name` like '%${dictName}%'</if>
+    <if test="dictCode!=null and dictCode!=''">AND `dict_code` like concat('%', #{dictCode}, '%')</if>
+    <if test="dictName!=null and dictName!=''">AND `dict_name` like concat('%', #{dictName}, '%')</if>
     ORDER BY id
   </select>
   <resultMap id="resultMap" type="org.apache.submarine.server.database.workbench.entity.SysDictEntity" extends="BaseEntityResultMap">

diff --git a/...erver-database/src/main/resources/org/apache/submarine/database/mappers/SysUserMapper.xml b/...erver-database/src/main/resources/org/apache/submarine/database/mappers/SysUserMapper.xml
@@ -39,8 +39,8 @@
     SELECT a.*, b.dept_name FROM sys_user a LEFT JOIN sys_department b ON a.dept_code = b.dept_code
     WHERE 1 = 1
     <if test="deptCode!=null and deptCode!=''"> AND a.`dept_code` = #{deptCode}</if>
-    <if test="userName!=null and userName!=''"> AND a.`user_name` like '%${userName}%'</if>
-    <if test="email!=null and email!=''"> AND a.`email` like '%${email}%'</if>
+    <if test="userName!=null and userName!=''"> AND a.`user_name` like concat('%', #{userName}, '%')</if>
+    <if test="email!=null and email!=''"> AND a.`email` like concat('%', #{email}, '%')</if>
     ORDER BY a.create_time
   </select>
 

diff --git a/...a/org/apache/submarine/server/database/workbench/database/service/SysUserServiceTest.java b/...a/org/apache/submarine/server/database/workbench/database/service/SysUserServiceTest.java
@@ -78,6 +78,19 @@ public void addUserTest() throws Exception {
             10);
     LOG.debug("userList.size():{}", userList.size());
     assertEquals(userList.size(), 1);
+
+    // Avoid sql injection.
+    // Issue: https://issues.apache.org/jira/browse/SUBMARINE-1361
+    List<SysUserEntity> sqlInjectTestList = userService.queryPageList(
+            String.format("%s' or 1=1 or 1='", sysUser.getUserName()),
+            null,
+            null,
+            null,
+            null,
+            0,
+            10);
+    assertEquals("SQL Injection Vulnerability Detected!", sqlInjectTestList.size(), 0);
+
     SysUserEntity user = userList.get(0);
 
     assertEquals(sysUser.getEmail(), user.getEmail());