apache / submarine

Submarine is Cloud Native Machine Learning Platform.
https://submarine.apache.org/
Apache License 2.0
691 stars 254 forks

SUBMARINE-1361. Fix Submarine SQL injection vulnerability #1037

Closed cdmikechen closed 1 year ago

cdmikechen commented 1 year ago

What is this PR for?

Currently a SQL injection vulnerability has been checked in Submarine, and the relevant part of the LIKE statement in MyBatis needs to be fixed.

What type of PR is it?

Bug Fix

Todos

What is the Jira issue?

https://issues.apache.org/jira/browse/SUBMARINE-1361

How should this be tested?

Added test case verification code in submarine-server/server-database/src/test/java/org/apache/submarine/server/database/workbench/database/service/SysUserServiceTest.java

Screenshots (if appropriate)

NA

Questions:
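
The class of bug named in the description above, SQL injection through a LIKE clause in a MyBatis mapper, shown as an added example that is not code from this PR or from Submarine. The mapper namespace, statement ids, table and column names are hypothetical; the example puts `${}` text substitution beside two bound forms.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mapper PUBLIC "-//mybatis.org//DTD Mapper 3.0//EN"
    "http://mybatis.org/dtd/mybatis-3-mapper.dtd">
<!-- Hypothetical mapper for illustration; names are not Submarine's. -->
<mapper namespace="example.UserSearchMapper">

  <!-- Weak: ${name} is pasted into the SQL text before the statement is
       prepared, so the caller's input is parsed as SQL. -->
  <select id="searchUnsafe" resultType="map">
    SELECT id, user_name
    FROM example_user
    WHERE user_name LIKE '%${name}%'
  </select>

  <!-- Corrected, portable form: build the pattern with bind, then pass it
       as a prepared-statement parameter with #{}. The input only ever
       reaches the database as a bound value. -->
  <select id="searchBound" resultType="map">
    <bind name="pattern" value="'%' + name + '%'" />
    SELECT id, user_name
    FROM example_user
    WHERE user_name LIKE #{pattern}
  </select>

  <!-- Corrected, database-side form (CONCAT as in MySQL): the wildcards
       are SQL literals and only #{name} is bound. -->
  <select id="searchConcat" resultType="map">
    SELECT id, user_name
    FROM example_user
    WHERE user_name LIKE CONCAT('%', #{name}, '%')
  </select>

  <!-- Binding stops injection but % and _ inside the input still act as
       LIKE wildcards. If a literal match is required, escape them in the
       caller and declare the escape character with an ESCAPE clause. -->
</mapper>
```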

codecov[bot] commented 1 year ago

Codecov Report

Merging #1037 (34fb34b) into master (6d18d55) will not change coverage. The diff coverage is n/a.

@@           Coverage Diff           @@
##           master    #1037   +/-   ##
=======================================
  Coverage   75.98%   75.98%           
=======================================
  Files         119      119           
  Lines        5000     5000           
=======================================
  Hits         3799     3799           
  Misses       1201     1201           
Flag Coverage Δ
python-integration 59.72% <ø> (ø)
python-unit 52.48% <ø> (ø)

Flags with carried forward coverage won't be shown.