[ZEPPELIN-3725] Fix SQL injection

apache · Oct 15, 2023 · 2a908bd · 2a908bd
1 parent b9cb004
commit 2a908bd
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/service/ShiroAuthenticationService.java b/zeppelin-server/src/main/java/org/apache/zeppelin/service/ShiroAuthenticationService.java
@@ -434,7 +434,7 @@ private List<String> getUserList(JdbcRealm obj) {
         return userlist;
       }
 
-      userquery = String.format("SELECT %s FROM %s", username, tablename);
+      userquery = String.format("SELECT ? FROM ?", username, tablename);
     } catch (IllegalAccessException e) {
       LOGGER.error("Error while accessing dataSource for JDBC Realm", e);
       return new ArrayList<>();
@@ -443,6 +443,8 @@ private List<String> getUserList(JdbcRealm obj) {
     try {
       con = dataSource.getConnection();
       ps = con.prepareStatement(userquery);
+      ps.setString(1, username);
+      ps.setString(2, tablename);
       rs = ps.executeQuery();
       while (rs.next()) {
         userlist.add(rs.getString(1).trim());