SUBMARINE-1361. Fix Submarine SQL injection vulnerability

submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysDeptMapper.xml

@@ -42,8 +42,8 @@
     SELECT a.*, b.dept_name AS parent_name
     FROM sys_department a LEFT JOIN sys_department b ON a.parent_code=b.dept_code
     WHERE 1=1
-    <if test="deptCode!=null and deptCode!=''"> AND a.`dept_code` like '%${deptCode}%' </if>
-    <if test="deptName!=null and deptName!=''"> AND a.`dept_name` like '%${deptName}%' </if>
+    <if test="deptCode!=null and deptCode!=''"> AND a.`dept_code` like concat('%', #{deptCode}, '%')</if>
+    <if test="deptName!=null and deptName!=''"> AND a.`dept_name` like concat('%', #{deptName}, '%')</if>
     ORDER BY a.sort_order
   </select>
 

submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysDictItemMapper.xml

@@ -31,8 +31,8 @@
   <select id="selectAll" resultMap="resultMap">
     SELECT * FROM sys_dict_item WHERE 1 = 1
     <if test="dictCode!=null and dictCode!=''"> AND `dict_code` = #{dictCode}</if>
-    <if test="itemCode!=null and itemCode!=''"> AND `item_code` like '%${itemCode}%'</if>
-    <if test="itemName!=null and itemName!=''"> AND `item_name` like '%${itemName}%'</if>
+    <if test="itemCode!=null and itemCode!=''"> AND `item_code` like concat('%', #{itemCode}, '%')</if>
+    <if test="itemName!=null and itemName!=''"> AND `item_name` like concat('%', #{itemName}, '%')</if>
     ORDER BY sort_order
   </select>
   <resultMap id="resultMap" type="org.apache.submarine.server.database.workbench.entity.SysDictItemEntity" extends="BaseEntityResultMap">

submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysDictMapper.xml

@@ -31,8 +31,8 @@
   <select id="selectAll" parameterType="java.util.Map" resultMap="resultMap">
     SELECT * FROM sys_dict
     WHERE 1=1
-    <if test="dictCode!=null and dictCode!=''">AND `dict_code` like '%${dictCode}%'</if>
-    <if test="dictName!=null and dictName!=''">AND `dict_name` like '%${dictName}%'</if>
+    <if test="dictCode!=null and dictCode!=''">AND `dict_code` like concat('%', #{dictCode}, '%')</if>
+    <if test="dictName!=null and dictName!=''">AND `dict_name` like concat('%', #{dictName}, '%')</if>
     ORDER BY id
   </select>
   <resultMap id="resultMap" type="org.apache.submarine.server.database.workbench.entity.SysDictEntity" extends="BaseEntityResultMap">

submarine-server/server-database/src/main/resources/org/apache/submarine/database/mappers/SysUserMapper.xml

@@ -39,8 +39,8 @@
     SELECT a.*, b.dept_name FROM sys_user a LEFT JOIN sys_department b ON a.dept_code = b.dept_code
     WHERE 1 = 1
     <if test="deptCode!=null and deptCode!=''"> AND a.`dept_code` = #{deptCode}</if>
-    <if test="userName!=null and userName!=''"> AND a.`user_name` like '%${userName}%'</if>
-    <if test="email!=null and email!=''"> AND a.`email` like '%${email}%'</if>
+    <if test="userName!=null and userName!=''"> AND a.`user_name` like concat('%', #{userName}, '%')</if>
+    <if test="email!=null and email!=''"> AND a.`email` like concat('%', #{email}, '%')</if>
     ORDER BY a.create_time
   </select>
 

submarine-server/server-database/src/test/java/org/apache/submarine/server/database/workbench/database/service/SysUserServiceTest.java

@@ -78,6 +78,19 @@ public void addUserTest() throws Exception {
             10);
     LOG.debug("userList.size():{}", userList.size());
     assertEquals(userList.size(), 1);
+
+    // Avoid sql injection.
+    // Issue: https://issues.apache.org/jira/browse/SUBMARINE-1361
+    List<SysUserEntity> sqlInjectTestList = userService.queryPageList(
+            String.format("%s' or 1=1 or 1='", sysUser.getUserName()),
+            null,
+            null,
+            null,
+            null,
+            0,
+            10);
+    assertEquals("SQL Injection Vulnerability Detected!", sqlInjectTestList.size(), 0);
+
     SysUserEntity user = userList.get(0);
 
     assertEquals(sysUser.getEmail(), user.getEmail());