sql advisor sql 注入修复 (#2229)

* 1. bump version 1.10.0
2. 登录页面调整, oidc 和钉钉登录靠前
3. sql注入修复, sql advisor 部分.

* black

* fix test

* dbname is optional

* more tests

* black

archery/__init__.py

@@ -1,2 +1,2 @@
-version = (1, 9, 1)
+version = (1, 10, 0)
 display_version = ".".join(str(i) for i in version)

common/templates/login.html

@@ -18,8 +18,20 @@
 <body style="background-color:#edeff1;">
 <div class="row lsb-login">
     <div class="col-sm-4 mypanalbox">
+        <h3 class="text-center">用户登录
+        </h3>
         <form class="login-form fade-in-effect" id="login" method="post" role="form">
             {% csrf_token %}
+            {% if dingding_enabled %}
+                <div class="form-group">
+                    <a class="btn btn-primary btn-block" role="button" href="/dingding/authenticate/">以钉钉登录</a>
+                </div>
+            {% elif oidc_enabled %}
+                <div class="form-group">
+                    <a class="btn btn-primary btn-block" role="button" href="/oidc/authenticate/">以OIDC登录</a>
+                </div>
+            {% endif %}
+            <h4 class="text-center">传统登录</h4>
             <div class="form-group is-focused">
                 <label class="control-label" for="inputUsername">Username</label>
                 <input class="form-control ng-valid ng-dirty ng-touched" id="inputUsername" name="username" type="text"
@@ -38,15 +50,6 @@
                     <a href="#" data-toggle="modal" data-target="#sign-up">注册用户</a>
                 </div>
             {% endif %}
-            {% if dingding_enabled %}
-                <div class="form-group">
-                    <a href="/dingding/authenticate/">以钉钉登录</a>
-                </div>
-            {% elif oidc_enabled %}
-                <div class="form-group">
-                    <a href="/oidc/authenticate/">以OIDC登录</a>
-                </div>
-            {% endif %}
         </form>
     </div>
 </div>

requirements.txt

@@ -1,18 +1,18 @@
 Django==4.1.9
-mysqlclient==2.0.3
+mysqlclient==2.*
 requests==2.31.0
 simplejson==3.17.2
 mybatis_mapper2sql==0.1.9
 django-auth-ldap==4.1.0
 python-dateutil==2.8.1
 pymongo==3.11.0
-psycopg2-binary==2.8.6
+psycopg2-binary==2.*
 pymysql==0.9.3
 mysql-replication==0.22
 django-q==1.3.9
 django-redis==5.2.0
 redis==3.5.3
-pyodbc==4.0.30
+pyodbc==4.*
 gunicorn==20.0.4
 pyecharts==1.9.1
 aliyun-python-sdk-rds==2.1.1
@@ -26,7 +26,7 @@ sshtunnel==0.1.5
 pycryptodome==3.10.1
 pyodps==0.*
 pandas==1.5.*
-clickhouse-driver==0.2.3
+clickhouse-driver==0.*
 djangorestframework==3.13.1
 djangorestframework-simplejwt==5.2.0
 django-filter==21.1

sql/engines/goinception.py

@@ -3,6 +3,7 @@
 import re
 import traceback
 import MySQLdb
+import pymysql
 import simplejson as json
 
 from common.config import SysConfig
@@ -65,7 +66,7 @@ def get_backup_connection():
 
     def escape_string(self, value: str) -> str:
         """字符串参数转义"""
-        return MySQLdb.escape_string(value).decode("utf-8")
+        return pymysql.escape_string(value)
 
     def execute_check(self, instance=None, db_name=None, sql=""):
         """inception check"""

sql/engines/mysql.py

@@ -2,6 +2,7 @@
 import logging
 import traceback
 import MySQLdb
+import pymysql
 import re
 
 import schemaobject
@@ -100,7 +101,7 @@ def info(self):
 
     def escape_string(self, value: str) -> str:
         """字符串参数转义"""
-        return MySQLdb.escape_string(value).decode("utf-8")
+        return pymysql.escape_string(value)
 
     @property
     def auto_backup(self):

sql/plugins/sqladvisor.py

@@ -7,6 +7,8 @@
 """
 __author__ = "hhyo"
 
+import re
+
 from common.config import SysConfig
 from sql.plugins.plugin import Plugin
 
@@ -17,3 +19,26 @@ def __init__(self):
         self.required_args = ["q"]
         self.disable_args = []
         super(Plugin, self).__init__()
+
+    def check_args(self, args):
+        result = super().check_args(args)
+        if result["status"] != 0:
+            return result
+        db_name = args.get("d")
+        if not db_name:
+            return result
+        # 防止 db_name 注入
+        db_pattern = r"[a-zA-Z0-9-_]+"
+        if not re.match(db_pattern, db_name):
+            return {
+                "status": 1,
+                "msg": f"illegal db_name, only {db_pattern} is allowed",
+                "data": {},
+            }
+        if db_name.startswith("-"):
+            return {
+                "status": 1,
+                "msg": f"illegal db_name, leading character - is not allowed",
+                "data": {},
+            }
+        return result

sql/tests.py

@@ -1733,6 +1733,26 @@ def test_sqladvisor(self, _subprocess):
         )
         self.assertEqual(json.loads(r.content)["status"], 0)
 
+        # test db_name
+        r = self.client.post(
+            path="/slowquery/optimize_sqladvisor/",
+            data={
+                "sql_content": "select 1;",
+                "instance_name": "test_instance",
+                "db_name": "--help",
+            },
+        )
+        self.assertEqual(json.loads(r.content)["status"], 1)
+        r = self.client.post(
+            path="/slowquery/optimize_sqladvisor/",
+            data={
+                "sql_content": "select 1;",
+                "instance_name": "test_instance",
+                "db_name": ";drop table",
+            },
+        )
+        self.assertEqual(json.loads(r.content)["status"], 1)
+
     @patch("sql.plugins.plugin.subprocess")
     def test_soar(self, _subprocess):
         """

src/init_sql/v1.9.2.sql → src/init_sql/v1.10.0.sql

@@ -8,3 +8,5 @@ prepare stmt from @drop_sql;
 execute stmt;
 drop prepare stmt;
 alter table instance_account add unique index uidx_instanceid_user_host_dbname(`instance_id`, `user`, `host`, `db_name`);
+--- 增加 ssl 支持
+ALTER TABLE sql_instance ADD is_ssl tinyint(1) DEFAULT 0  COMMENT '是否启用SSL';