fix: db/logger security bugs (#558)

This commit is contained in:
Vishal Sharma 2021-12-24 11:40:39 +05:30 committed by GitHub
parent 6f8b78bd97
commit 55feec34ea
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 19 additions and 6 deletions


@ -1545,9 +1545,9 @@ func (r *ClickHouseReader) GetTags(ctx context.Context, serviceName string) (*[]
tagItems := []model.TagItem{}
query := fmt.Sprintf(`SELECT DISTINCT arrayJoin(tagsKeys) as tagKeys FROM %s WHERE serviceName='%s' AND toDate(timestamp) > now() - INTERVAL 1 DAY`, r.indexTable, serviceName)
query := fmt.Sprintf(`SELECT DISTINCT arrayJoin(tagsKeys) as tagKeys FROM %s WHERE serviceName=? AND toDate(timestamp) > now() - INTERVAL 1 DAY`, r.indexTable)
err := r.db.Select(&tagItems, query)
err := r.db.Select(&tagItems, query, serviceName)
zap.S().Info(query)
@ -1563,9 +1563,9 @@ func (r *ClickHouseReader) GetOperations(ctx context.Context, serviceName string
operations := []string{}
query := fmt.Sprintf(`SELECT DISTINCT(name) FROM %s WHERE serviceName='%s' AND toDate(timestamp) > now() - INTERVAL 1 DAY`, r.indexTable, serviceName)
query := fmt.Sprintf(`SELECT DISTINCT(name) FROM %s WHERE serviceName=? AND toDate(timestamp) > now() - INTERVAL 1 DAY`, r.indexTable)
err := r.db.Select(&operations, query)
err := r.db.Select(&operations, query, serviceName)
zap.S().Info(query)
@ -1580,9 +1580,9 @@ func (r *ClickHouseReader) SearchTraces(ctx context.Context, traceId string) (*[
var searchScanReponses []model.SearchSpanReponseItem
query := fmt.Sprintf("SELECT timestamp, spanID, traceID, serviceName, name, kind, durationNano, tagsKeys, tagsValues, references FROM %s WHERE traceID='%s'", r.indexTable, traceId)
query := fmt.Sprintf("SELECT timestamp, spanID, traceID, serviceName, name, kind, durationNano, tagsKeys, tagsValues, references FROM %s WHERE traceID=?", r.indexTable)
err := r.db.Select(&searchScanReponses, query)
err := r.db.Select(&searchScanReponses, query, traceId)
zap.S().Info(query)
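Review bot: The rewritten Select calls in GetTags, GetOperations and SearchTraces still discard the ctx parameter each function receives, so a cancelled or timed-out request keeps its ClickHouse query running to completion; if r.db is an sqlx handle, `err := r.db.Select(&tagItems, query, serviceName)` can become `err := r.db.SelectContext(ctx, &tagItems, query, serviceName)`, and likewise in the other two hunks. The `%s` that remains in each query is the interpolation of r.indexTable, which is a different case from the one this commit fixes only because the table name does not come from the request; a comment such as `// indexTable is configuration, not request input; serviceName is bound as a query parameter` on each query line would keep the next reader from flagging it again. The bodies of all three functions continue outside the hunks, so the error handling after Select is not visible here.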


@ -7,6 +7,7 @@ import (
"math"
"net/http"
"strconv"
"strings"
"time"
promModel "github.com/prometheus/common/model"
@ -359,12 +360,18 @@ func parseSearchSpanAggregatesRequest(r *http.Request) (*model.SpanSearchAggrega
operationName := r.URL.Query().Get("operation")
if len(operationName) != 0 {
params.OperationName = operationName
// Escaping new line chars to avoid CWE-117
operationName = strings.Replace(operationName, "\n", "", -1)
operationName = strings.Replace(operationName, "\r", "", -1)
zap.S().Debug("Operation Name: ", operationName)
}
kind := r.URL.Query().Get("kind")
if len(kind) != 0 {
params.Kind = kind
// Escaping new line chars to avoid CWE-117
kind = strings.Replace(kind, "\n", "", -1)
kind = strings.Replace(kind, "\r", "", -1)
zap.S().Debug("Kind: ", kind)
}
@ -418,12 +425,18 @@ func parseSpanSearchRequest(r *http.Request) (*model.SpanSearchParams, error) {
operationName := r.URL.Query().Get("operation")
if len(operationName) != 0 {
params.OperationName = operationName
// Escaping new line chars to avoid CWE-117
operationName = strings.Replace(operationName, "\n", "", -1)
operationName = strings.Replace(operationName, "\r", "", -1)
zap.S().Debug("Operation Name: ", operationName)
}
kind := r.URL.Query().Get("kind")
if len(kind) != 0 {
params.Kind = kind
// Escaping new line chars to avoid CWE-117
kind = strings.Replace(kind, "\n", "", -1)
kind = strings.Replace(kind, "\r", "", -1)
zap.S().Debug("Kind: ", kind)
}
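Review bot: The CR/LF stripping added before each Debug call is the same three lines repeated four times across parseSearchSpanAggregatesRequest and parseSpanSearchRequest, and the comment calls it "escaping" while the code deletes the characters; a single package-level helper keeps the four sites identical and documents the intent once. `strings.Replace(s, old, new, -1)` is also spelled `strings.ReplaceAll` since Go 1.12, or one `strings.NewReplacer` handles both characters in a single pass. Only \n and \r are removed, so other control characters in the query string still reach the log line unchanged; whether that matters depends on which zap encoder is configured, which is outside the hunk. Both enclosing functions start and continue outside their hunks.
```go
// newlineStripper removes CR and LF so a request-controlled value cannot forge extra log lines (CWE-117).
var newlineStripper = strings.NewReplacer("\n", "", "\r", "")

// sanitizeForLog returns s with CR and LF removed; apply it to any request value before logging it.
func sanitizeForLog(s string) string {
	return newlineStripper.Replace(s)
}

// … unchanged: parseSearchSpanAggregatesRequest up to the operation parameter …
	if len(operationName) != 0 {
		params.OperationName = operationName
		zap.S().Debug("Operation Name: ", sanitizeForLog(operationName))
	}
	// … same replacement for the kind block here and for both blocks in parseSpanSearchRequest …
```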