Fix sql injection vulnerability

Note that the dimension list cannot have any whitespace after the comma. Change-Id: I6b5d4d572630252c393ff92b2b3cac5a8c21b56b
2014-11-07 10:04:25 -07:00 · 2014-11-07 10:04:25 -07:00 · cbedd43002
commit cbedd43002
parent d9890aee46
3 changed files with 16 additions and 4 deletions
--- a/monasca/common/repositories/mysql/alarm_definitions_repository.py
+++ b/monasca/common/repositories/mysql/alarm_definitions_repository.py
@ -102,17 +102,20 @@ class AlarmDefinitionsRepository(
                            on sad.alarm_definition_id = ad.id """

                i = 0
+                inner_join_parms = []
                for n, v in dimensions.iteritems():
                    inner_join += """
                        inner join
                            (select distinct sub_alarm_definition_id
                             from sub_alarm_definition_dimension
-                              where dimension_name='{}' and value='{}') as sadd{}
+                              where dimension_name = ? and value = ?) as sadd{}
                        on sadd{}.sub_alarm_definition_id = sad.id
-                        """.format(n.encode('utf8'), v.encode('utf8'), i, i)
+                        """.format(i, i)
+                    inner_join_parms += [n.encode('utf8'), v.encode('utf8')]
                    i += 1

                select_clause += inner_join
+                parms = inner_join_parms + parms

            query = select_clause + where_clause
            cnxn, cursor = self._get_cnxn_cursor_tuple()
--- a/monasca/expression_parser/alarm_expr_parser.py
+++ b/monasca/expression_parser/alarm_expr_parser.py
@ -230,8 +230,10 @@ logical_op = (AND | OR)("logical_op")
 times = CaselessLiteral("times")

 dimension = Group(dimension_name + EQUAL + dimension_value)
+
+# Cannot have any whitespace after the comma delimiter.
 dimension_list = Group(Optional(
-    LBRACE + delimitedList(dimension, delim=",", combine=True)(
+    LBRACE + delimitedList(dimension, delim=',', combine=True)(
        "dimensions_list") + RBRACE))

 metric = metric_name + dimension_list("dimensions")
--- a/monasca/v2/reference/alarm_definitions.py
+++ b/monasca/v2/reference/alarm_definitions.py
@ -165,11 +165,18 @@ class AlarmDefinitions(AlarmDefinitionsV2API):

            result = []
            for alarm_definition_row in alarm_definition_rows:
+
+                # match_by can be null
+                if alarm_definition_row.match_by:
+                    match_by = alarm_definition_row.match_by.decode('utf8').split(',')
+                else:
+                    match_by = []
+
                ad = {u'id': alarm_definition_row.id.decode('utf8'),
                      u'name': alarm_definition_row.name.decode("utf8"),
                      u'description': alarm_definition_row.description.decode('utf8'),
                      u'expression': alarm_definition_row.expression.decode('utf8'),
-                      u'match_by': alarm_definition_row.match_by.decode('utf8').split(','),
+                      u'match_by': match_by,
                      u'severity': alarm_definition_row.severity.decode('utf8'),
                      u'actions_enabled': alarm_definition_row.actions_enabled == 1,
                      u'alarm_actions': alarm_definition_row.alarm_actions.decode('utf8').split(','),