Simplify how SQL injection is detected when using query.comment-format#19413
Conversation
dominikzalewski
changed the title
dominikzalewski
force-pushed
the
format_based_remote_query_modifier_whitespace
branch
5 times, most recently
from
8f0f063 to
94c7967
Compare
dominikzalewski
changed the title
dominikzalewski
force-pushed
the
format_based_remote_query_modifier_whitespace
branch
from
94c7967 to
2691b47
Compare
There was a problem hiding this comment.
This is copied and modified SessionInterpolatedValues since the original object is also used in BigQuery
There was a problem hiding this comment.
it's ok to limit the scope by not fixing for BigQuery but same problem still exists in connectors who use SessionInterpolatedValues.
There was a problem hiding this comment.
Will create a follow-up ticket then and put it in the backlog
There was a problem hiding this comment.
I think you can simply remove io.trino.plugin.base.logging.SessionInterpolatedValues.SanitizedValuesProvider from SessionInterpolatedValues. I think the case in BigQuery is safe to be changed. There is no way to inject SQL as it is used only to set the label.
hashhar
left a comment
hashhar
left a comment
There was a problem hiding this comment.
LGTM.
Note that non-JDBC connectors will still fail though.
...ino-base-jdbc/src/main/java/io/trino/plugin/jdbc/logging/FormatBasedRemoteQueryModifier.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
it's ok to limit the scope by not fixing for BigQuery but same problem still exists in connectors who use SessionInterpolatedValues.
dominikzalewski
force-pushed
the
format_based_remote_query_modifier_whitespace
branch
2 times, most recently
from
fc143ed to
3a49a2e
Compare
IIRC the case of BigQuery is way different. It does not use comment, but there is a dedicated field where put audit information. In such case there is no way for SQL Injection |
|
Then instead of calling this new class Thanks for checking @kokosing , yes it uses a dedicated |
dominikzalewski
force-pushed
the
format_based_remote_query_modifier_whitespace
branch
from
3a49a2e to
37aee7d
Compare
Instead of failing the query in case a character NOT in the allowlist is detected, now we search for occurence of the closing comment '*/' and only then fail the query.
dominikzalewski
force-pushed
the
format_based_remote_query_modifier_whitespace
branch
from
37aee7d to
dc52ca6
Compare
dominikzalewski
deleted the
format_based_remote_query_modifier_whitespace
branch
3 participants
Description
Instead of failing the query in case a character NOT in the allowlist is detected, now we search for occurence of the closing comment '*/' and only then fail the query.
Release notes
(X) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required. Please propose a release note for me.
( ) Release notes are required, with the following suggested text: