Fix for ClickHouse sql injection by removing ability to have expression in table options #16261
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ebyhr
reviewed
Feb 24, 2023
plugin/trino-clickhouse/src/main/java/io/trino/plugin/clickhouse/ClickHouseClient.java
Outdated
Show resolved
Hide resolved
plugin/trino-clickhouse/src/main/java/io/trino/plugin/clickhouse/ClickHouseClient.java
Outdated
Show resolved
Hide resolved
| @@ -363,7 +369,7 @@ public void setTableProperties(ConnectorSession session, JdbcTableHandle handle, | |||
| .collect(toImmutableMap(Entry::getKey, entry -> entry.getValue().orElseThrow())); | |||
|
|
|||
| ImmutableList.Builder<String> tableOptions = ImmutableList.builder(); | |||
| ClickHouseTableProperties.getSampleBy(properties).ifPresent(value -> tableOptions.add("SAMPLE BY " + value)); | |||
| ClickHouseTableProperties.getSampleBy(properties).ifPresent(value -> tableOptions.add("SAMPLE BY " + doubleQuote(value))); | |||
There was a problem hiding this comment.
Is quoting only SAMPLE BY property sufficient? What about other properties?
There was a problem hiding this comment.
The same for all others.
vlad-lyutenko
force-pushed
the
vlad-lyutenko/clickhouse-sample-by-fix
branch
2 times, most recently
from
2adb465 to
8d1092f
Compare
ebyhr
reviewed
Feb 28, 2023
| @@ -28,7 +28,7 @@ | |||
| implements SessionPropertiesProvider | |||
| { | |||
| public static final String MAP_STRING_AS_VARCHAR = "map_string_as_varchar"; | |||
|
|
|||
| public static final String ALLOWED_EXPRESSION_IN_TABLE_OPTIONS = "allowed_expression_in_table_options"; | |||
There was a problem hiding this comment.
I don't think we want to allow end-users to enable this session property. Otherwise, even if the cluster administrator disabled this flag in the config property, users can enable it and cause SQL injection.
I lean toward removing support for expressions though it might be a regression for some users. I roughly guess there're less users who specify the expression in the SAMPLE BY in the connector. Also, security should win in this case. What do you think about it?
in table options like SAMPLE BY e.t.c
vlad-lyutenko
force-pushed
the
vlad-lyutenko/clickhouse-sample-by-fix
branch
from
8d1092f to
d20aeff
Compare
vlad-lyutenko
changed the title
ebyhr
reviewed
Feb 28, 2023
plugin/trino-clickhouse/src/main/java/io/trino/plugin/clickhouse/ClickHouseClient.java
Show resolved
Hide resolved
ebyhr
reviewed
Feb 28, 2023
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Fix for ClickHouse sql injection
by removing ability to have expression in table options
Additional context and related issues
Release notes
(x) Release notes are required, with the following suggested text: