
fix(security): prevent SQL injection in chart data query (CVE-2024-10901) #2269

Merged


haawha
Contributor

@haawha haawha commented Jan 2, 2025

Description

This PR fixes a SQL injection vulnerability in the chart data query API that could allow attackers to perform arbitrary file operations through DuckDB SQL queries. This is related to CVE-2024-10835 and implements similar protections in the chart functionality.

Key changes:

  • Added SQL validation for chart queries
  • Implemented dangerous operation filtering
  • Added timeout protection
  • Enhanced input validation
  • Improved type safety in data processing

How Has This Been Tested?

  1. Functional Testing:
  • All supported chart types
  • Various data types and volumes
  • Complex SQL queries
  • Timeout scenarios
  2. Security Testing:
  • SQL injection attempts
  • File operation attempts
  • System command execution attempts
  • Various bypass attempts

Snapshots:

Include snapshots for easier review.

Checklist:

  • Code follows project style guidelines
  • Commits are properly formatted
  • Self-review completed
  • Security review completed
  • Tests added and passing
  • Documentation updated

…901)

- Add SQL validation for chart queries
- Block dangerous DuckDB operations
- Implement timeout protection
- Enhance input validation and type safety
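As an added illustration (not code from this PR or from the DB-GPT project), the block below shows the kind of read-only SQL gate and time-budgeted execution that the "Key changes" list describes: reject anything that is not a single SELECT/WITH statement, strip comments and string literals before keyword checks so that legitimate values cannot cause false positives and comments cannot hide tokens, deny DuckDB statements and file-reading functions a chart never needs, refuse a bare string literal in FROM/JOIN position (DuckDB treats that as a file to read), and run the query under a time budget. The deny-lists, the `execute` callback, `simulated_slow_execute` and the thresholds are assumptions made for this example; the project's own validator may differ.

```python
import re
import time
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as FutureTimeout

# Constructed deny-lists for this example. A read-only chart query never needs
# DDL/DML, extension loading, configuration changes or file access.
BLOCKED_KEYWORDS = {
    "copy", "export", "import", "install", "load", "attach", "detach",
    "pragma", "create", "drop", "alter", "insert", "update", "delete",
    "call", "set", "reset", "force",
}
BLOCKED_FUNCTIONS = {
    "read_csv", "read_csv_auto", "read_parquet", "read_json", "read_json_auto",
    "read_text", "read_blob", "glob", "parquet_scan", "sniff_csv",
}

# One alternation so a quote inside a comment or a "--" inside a string is
# handled in the right order (leftmost match wins). Unterminated strings or
# comments are left in place, so their contents are still checked (conservative).
_SKIP_RE = re.compile(r"'(?:[^']|'')*'|--[^\n]*|/\*.*?\*/", re.S)
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
_FROM_LITERAL_RE = re.compile(r"\b(from|join)\s*''", re.I)


def _strip_literals(sql):
    """Replace string literals with '' and comments with a space."""
    return _SKIP_RE.sub(lambda m: "''" if m.group(0).startswith("'") else " ", sql)


def validate_chart_sql(sql, max_length=4000):
    """Return (ok, reason). Accepts exactly one read-only SELECT/WITH statement."""
    if not isinstance(sql, str):
        return False, "query must be a string"
    if not sql.strip():
        return False, "empty query"
    if len(sql) > max_length:
        return False, "query too long"
    body = _strip_literals(sql).strip()
    if body.endswith(";"):          # one trailing semicolon is tolerated
        body = body[:-1]
    if ";" in body:                 # any other semicolon means a second statement
        return False, "multiple statements are not allowed"
    if _FROM_LITERAL_RE.search(body):
        return False, "string literal in FROM/JOIN position is not allowed"
    words = [w.lower() for w in _IDENT_RE.findall(body)]
    if not words or words[0] not in ("select", "with"):
        return False, "only SELECT queries are allowed"
    for w in words:
        if w in BLOCKED_KEYWORDS:   # also rejects a column literally named e.g. "load"
            return False, f"blocked keyword: {w.upper()}"
        if w in BLOCKED_FUNCTIONS:
            return False, f"blocked function: {w}()"
    return True, "ok"


def run_with_timeout(execute, sql, seconds=5.0, on_timeout=None):
    """Run execute(sql) in a worker thread and raise TimeoutError past the budget.

    A Python thread cannot be killed, so on_timeout is the hook where a real
    caller would cancel the engine-side work (for DuckDB, connection.interrupt()).
    """
    pool = ThreadPoolExecutor(max_workers=1)
    future = pool.submit(execute, sql)
    try:
        return future.result(timeout=seconds)
    except FutureTimeout:
        if on_timeout is not None:
            on_timeout()
        raise TimeoutError(f"query exceeded {seconds}s")
    finally:
        pool.shutdown(wait=False)   # wait=True here would defeat the timeout


def execute_chart_query(execute, sql, seconds=5.0, on_timeout=None):
    """Validate first, then run with a time budget. Returns (rows, error)."""
    ok, reason = validate_chart_sql(sql)
    if not ok:
        return None, reason
    try:
        return run_with_timeout(execute, sql, seconds, on_timeout), None
    except TimeoutError as exc:
        return None, str(exc)


def simulated_slow_execute(sql, delay=0.3):
    """Stand-in for an engine call that takes too long (constructed for the demo)."""
    time.sleep(delay)
    return [("done",)]


if __name__ == "__main__":
    fake_engine = lambda s: [("north", 10), ("south", 7)]   # constructed result set
    print(execute_chart_query(fake_engine, "SELECT region, SUM(sales) FROM orders GROUP BY region"))
    print(execute_chart_query(fake_engine, "SELECT * FROM read_csv('/tmp/anything.csv')"))
    print(execute_chart_query(simulated_slow_execute, "SELECT 1", seconds=0.05))
```

A deny-list like this is a stopgap rather than a boundary: pair it with a DuckDB connection opened read-only and with external access disabled (`enable_external_access`), so that a token the list misses still cannot reach the filesystem.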
@Aries-ckt
Collaborator

Thanks for your contribution.

Aries-ckt
Aries-ckt previously approved these changes Jan 6, 2025
Collaborator

@Aries-ckt Aries-ckt left a comment


LGTM

@fangyinc
Collaborator

fangyinc commented Jan 6, 2025

Hi @haawha , please format codes by make fmt

@haawha
Contributor Author

haawha commented Jan 6, 2025

Hi @haawha , please format codes by make fmt

Thx! It's done!

Collaborator

@Aries-ckt Aries-ckt left a comment


LGTM

Collaborator

@fangyinc fangyinc left a comment


LGTM~

@fangyinc fangyinc merged commit 295cdb8 into eosphoros-ai:main Jan 6, 2025
6 checks passed
Labels
fix Bug fixes