This is an automated email from the ASF dual-hosted git repository. pdallig pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/zeppelin.git
The following commit(s) were added to refs/heads/master by this push: new 579074ea25 [ZEPPELIN-3725] Fix SQL injection (#4676) 579074ea25 is described below commit 579074ea25b045fa913c946e4a6c102bd9875b75 Author: Khanh Vu <vtkh...@users.noreply.github.com> AuthorDate: Wed Nov 1 15:22:42 2023 +0000 [ZEPPELIN-3725] Fix SQL injection (#4676) Co-authored-by: Khanh <v...@amazon.com>
--- .../java/org/apache/zeppelin/service/ShiroAuthenticationService.java | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/service/ShiroAuthenticationService.java b/zeppelin-server/src/main/java/org/apache/zeppelin/service/ShiroAuthenticationService.java
index 0ef95c0031..ff79dc1ed6 100644
--- a/zeppelin-server/src/main/java/org/apache/zeppelin/service/ShiroAuthenticationService.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/service/ShiroAuthenticationService.java
@@ -434,7 +434,7 @@ public class ShiroAuthenticationService implements AuthenticationService {
 return userlist;
 }
- userquery = String.format("SELECT %s FROM %s", username, tablename);
+ userquery = "SELECT ? FROM ?";
 } catch (IllegalAccessException e) {
 LOGGER.error("Error while accessing dataSource for JDBC Realm", e);
 return new ArrayList<>();
@@ -443,6 +443,8 @@ public class ShiroAuthenticationService implements AuthenticationService {
 try {
 con = dataSource.getConnection();
 ps = con.prepareStatement(userquery);
+ ps.setString(1, username);
+ ps.setString(2, tablename);
 rs = ps.executeQuery();
 while (rs.next()) {
 userlist.add(rs.getString(1).trim());
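Review bot: Binding `username` and `tablename` through `ps.setString` does not make this query safe, because JDBC placeholders can only carry values, never identifiers: `SELECT ? FROM ?` (first hunk, `userquery = "SELECT ? FROM ?";`) will be rejected at `prepareStatement` by most drivers, and a driver that accepts it would return the bound string literal rather than the named column, so the JDBC-realm user listing stops working; the same applies to the two `setString` calls in the second hunk. Both values appear to be read from the realm object itself (the surrounding `catch (IllegalAccessException e)` suggests reflective access to JdbcRealm fields), so the practical mitigation is to keep building the SQL from identifiers but admit only strictly validated ones, or quote them with `DatabaseMetaData.getIdentifierQuoteString()` after escaping any embedded quote character. The enclosing method starts before the first hunk and ends after the second.
```java
// class-level constant: the only identifier shape accepted in the generated query
private static final Pattern SQL_IDENTIFIER = Pattern.compile("[A-Za-z_][A-Za-z0-9_]*");

// … unchanged: reflective lookup of username / tablename / dataSource …
if (!SQL_IDENTIFIER.matcher(username).matches()
    || !SQL_IDENTIFIER.matcher(tablename).matches()) {
  LOGGER.error("Refusing JDBC Realm user query: column or table name is not a plain SQL identifier");
  return userlist;
}
userquery = String.format("SELECT %s FROM %s", username, tablename);
// … unchanged: catch (IllegalAccessException e) block …
ps = con.prepareStatement(userquery);
// the two setString calls are dropped: the query carries no bind parameters
rs = ps.executeQuery();
```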