This repository has been archived by the owner on Aug 2, 2022. It is now read-only.

Log of new engine SQL rest action has broken format and exposes raw query #817

Closed
chloe-zh opened this issue Nov 11, 2020 · 1 comment
Labels
security Issues for security concern SQL


@chloe-zh
Member

Issues:

  1. Log format has invalid new lines ("\n"), see the following example
  2. Raw SQL queries are exposed in the log

Example:
SQL query:

POST _opendistro/_sql
{
  "query" : """
        SELECT a.f, a.l, a.a
        FROM (
          SELECT firstname AS f, lastname AS l, age AS a
          FROM bank
          WHERE age > 30
        ) AS a
        """
}

log:

[2020-11-11T13:06:30,530][INFO ][c.a.o.s.l.p.RestSqlAction] [a483e711985a.ant.amazon.com] [20a5b64a-bce9-4d4c-a661-9be055eb3fdc] Request SQLQueryRequest(jsonContent={"query":"\n        SELECT a.f, a.l, a.a\n        FROM (\n          SELECT firstname AS f, lastname AS l, age AS a\n          FROM bank\n          WHERE age > 30\n        ) AS a\n        "}, query=
        SELECT a.f, a.l, a.a
        FROM (
          SELECT firstname AS f, lastname AS l, age AS a
          FROM bank
          WHERE age > 30
        ) AS a
        , path=/_opendistro/_sql, format=jdbc) is handled by new SQL query engine
@chloe-zh chloe-zh added security Issues for security concern SQL labels Nov 11, 2020
@dai-chen dai-chen self-assigned this Nov 13, 2020
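
One way to keep a request object's log representation on a single line and free of literal values, as an added example (not code from the plugin or from this issue). The class name and the `redact` and `fingerprint` helpers are hypothetical, and it assumes the literal values are the sensitive part of the query.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical stand-in for the request object seen in the log line; not the plugin's class.
public class SafeSqlRequestLog {
    private final String query, path, format;

    SafeSqlRequestLog(String query, String path, String format) {
        this.query = query; this.path = path; this.format = format;
    }

    // Mask quoted strings and numeric literals, then collapse every whitespace run
    // (including \r and \n) so the value cannot span or forge log lines.
    // Field and index names are left in place (assumption: only literals are sensitive).
    static String redact(String sql) {
        return sql.replaceAll("'[^']*'|\"[^\"]*\"", "'?'")
                  .replaceAll("\\b\\d+(?:\\.\\d+)?\\b", "?")
                  .replaceAll("\\s+", " ")
                  .trim();
    }

    // Short SHA-256 prefix: lets operators correlate identical queries without storing them.
    static String fingerprint(String sql) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(sql.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (int i = 0; i < 6; i++) sb.append(String.format("%02x", d[i]));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // The raw JSON body is left out entirely: it only duplicates the query text.
    @Override
    public String toString() {
        return "SQLQueryRequest(query=" + redact(query) + ", queryId=" + fingerprint(query)
                + ", path=" + path + ", format=" + format + ")";
    }

    public static void main(String[] args) {
        // Constructed sample modeled on the multi-line query in the issue.
        String q = "\n  SELECT a.f, a.l, a.a\n  FROM (\n    SELECT firstname AS f\n"
                 + "    FROM bank\n    WHERE age > 30\n  ) AS a\n  ";
        System.out.println(new SafeSqlRequestLog(q, "/_opendistro/_sql", "jdbc"));
    }
}
```

Under a stricter policy, drop `redact(query)` from `toString()` and log only the fingerprint.
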
@dai-chen
Member

Will fix this. Thanks!
