fix: db/logger security bugs (#558)

2025-08-15 00:16:07 +08:00 · 2021-12-24 11:40:39 +05:30 · 2021-12-24 11:40:39 +05:30 · 55feec34ea
commit 55feec34ea
parent 6f8b78bd97
2 changed files with 19 additions and 6 deletions
--- a/pkg/query-service/app/clickhouseReader/reader.go
+++ b/pkg/query-service/app/clickhouseReader/reader.go
@ -1545,9 +1545,9 @@ func (r *ClickHouseReader) GetTags(ctx context.Context, serviceName string) (*[]
 	tagItems := []model.TagItem{}
-	query := fmt.Sprintf(`SELECT DISTINCT arrayJoin(tagsKeys) as tagKeys FROM %s WHERE serviceName='%s'  AND toDate(timestamp) > now() - INTERVAL 1 DAY`, r.indexTable, serviceName)
+	query := fmt.Sprintf(`SELECT DISTINCT arrayJoin(tagsKeys) as tagKeys FROM %s WHERE serviceName=?  AND toDate(timestamp) > now() - INTERVAL 1 DAY`, r.indexTable)
-	err := r.db.Select(&tagItems, query)
+	err := r.db.Select(&tagItems, query, serviceName)
 	zap.S().Info(query)
@ -1563,9 +1563,9 @@ func (r *ClickHouseReader) GetOperations(ctx context.Context, serviceName string
 	operations := []string{}
-	query := fmt.Sprintf(`SELECT DISTINCT(name) FROM %s WHERE serviceName='%s'  AND toDate(timestamp) > now() - INTERVAL 1 DAY`, r.indexTable, serviceName)
+	query := fmt.Sprintf(`SELECT DISTINCT(name) FROM %s WHERE serviceName=?  AND toDate(timestamp) > now() - INTERVAL 1 DAY`, r.indexTable)
-	err := r.db.Select(&operations, query)
+	err := r.db.Select(&operations, query, serviceName)
 	zap.S().Info(query)
@ -1580,9 +1580,9 @@ func (r *ClickHouseReader) SearchTraces(ctx context.Context, traceId string) (*[
 	var searchScanReponses []model.SearchSpanReponseItem
-	query := fmt.Sprintf("SELECT timestamp, spanID, traceID, serviceName, name, kind, durationNano, tagsKeys, tagsValues, references FROM %s WHERE traceID='%s'", r.indexTable, traceId)
+	query := fmt.Sprintf("SELECT timestamp, spanID, traceID, serviceName, name, kind, durationNano, tagsKeys, tagsValues, references FROM %s WHERE traceID=?", r.indexTable)
-	err := r.db.Select(&searchScanReponses, query)
+	err := r.db.Select(&searchScanReponses, query, traceId)
 	zap.S().Info(query)
--- a/pkg/query-service/app/parser.go
+++ b/pkg/query-service/app/parser.go
@ -7,6 +7,7 @@ import (
 	"math"
 	"net/http"
 	"strconv"
 	"strings"
 	"time"
 	promModel "github.com/prometheus/common/model"
@ -359,12 +360,18 @@ func parseSearchSpanAggregatesRequest(r *http.Request) (*model.SpanSearchAggrega
 	operationName := r.URL.Query().Get("operation")
 	if len(operationName) != 0 {
 		params.OperationName = operationName
 		// Escaping new line chars to avoid CWE-117
 		operationName = strings.Replace(operationName, "\n", "", -1)
 		operationName = strings.Replace(operationName, "\r", "", -1)
 		zap.S().Debug("Operation Name: ", operationName)
 	}
 	kind := r.URL.Query().Get("kind")
 	if len(kind) != 0 {
 		params.Kind = kind
 		// Escaping new line chars to avoid CWE-117
 		kind = strings.Replace(kind, "\n", "", -1)
 		kind = strings.Replace(kind, "\r", "", -1)
 		zap.S().Debug("Kind: ", kind)
 	}
@ -418,12 +425,18 @@ func parseSpanSearchRequest(r *http.Request) (*model.SpanSearchParams, error) {
 	operationName := r.URL.Query().Get("operation")
 	if len(operationName) != 0 {
 		params.OperationName = operationName
 		// Escaping new line chars to avoid CWE-117
 		operationName = strings.Replace(operationName, "\n", "", -1)
 		operationName = strings.Replace(operationName, "\r", "", -1)
 		zap.S().Debug("Operation Name: ", operationName)
 	}
 	kind := r.URL.Query().Get("kind")
 	if len(kind) != 0 {
 		params.Kind = kind
 		// Escaping new line chars to avoid CWE-117
 		kind = strings.Replace(kind, "\n", "", -1)
 		kind = strings.Replace(kind, "\r", "", -1)
 		zap.S().Debug("Kind: ", kind)
 	}