bugfix: fix SQL injection in plugin status search (fixed #1556)
ZhuoZhuoCrayon authored and CohleRustW committed Jun 21, 2023
1 parent 50d3377 commit ae5d71e
Showing 9 changed files with 50 additions and 40 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/codecov.yml
@@ -2,9 +2,9 @@ name: CodeCov
on: [push, pull_request]
jobs:
run:
runs-on: ubuntu-latest
runs-on: ubuntu-20.04
env:
OS: ubuntu-latest
OS: ubuntu-20.04
PYTHON: "3.6"
DJANGO_SETTINGS_MODULE: "settings"
DEBUG: true
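Review bot: pinning `runs-on` and the `OS` env to `ubuntu-20.04` removes the drift that `ubuntu-latest` introduces, but the same literal is now duplicated on two lines of this hunk; consider driving `runs-on` from the `OS` env (or a matrix entry) so a future bump touches one place. GitHub-hosted images have a finite support window, so the pin needs an owner to revisit it before the runner label is retired.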
2 changes: 1 addition & 1 deletion .github/workflows/python-app.yml
@@ -8,7 +8,7 @@ on: [push, pull_request]
jobs:
build:

runs-on: ubuntu-latest
runs-on: ubuntu-20.04

steps:
- uses: actions/checkout@v2
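Review bot: while this workflow is being touched, `actions/checkout@v2` on the last context line is pinned only to a mutable major tag; for a job that runs on every `push` and `pull_request`, pinning the action to a full commit SHA (with the tag recorded in a comment) is the stronger supply-chain posture, and `@v2` has been superseded by newer majors of the action.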
2 changes: 1 addition & 1 deletion app.yml
@@ -8,7 +8,7 @@ introduction: 通过节点管理,可以对蓝鲸体系中的gse agent进行管
introduction_en: NodeMan can be used to manage the gse agent in the BlueKing system.
Its functions include agent installation, status query, version update, plugin management,
health check, process control, and so on.
version: 2.2.28
version: 2.2.32
category: 运维工具
language_support: 英语,中文
desktop:
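Review bot: the app version jumps from 2.2.28 to 2.2.32 in one commit, while the release notes added to docs/release.md in this same commit describe only 2.2.32 directly after 2.2.27; confirm the intervening versions are documented elsewhere, or fold their changes into the 2.2.32 entry so the version bump and the changelog agree.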
46 changes: 22 additions & 24 deletions apps/node_man/handlers/host.py
@@ -100,46 +100,44 @@ def _handle_plugin_conditions(params, plugin_names, select):
f"{ProcessStatus._meta.db_table}.is_latest=true",
]
wheres = []
# 使用参数化 SQL 语句,强制区分数据和命令,避免产生 SQL 注入漏洞
sql_params: List[str] = []
for condition in params["conditions"]:

if condition["key"] == "source_id":
placeholder = []
for cond in condition["value"]:
placeholder.append('"{}"'.format(cond))
wheres.append(f'{ProcessStatus._meta.db_table}.source_id in ({",".join(placeholder)})')
# 筛选值为空时,填充一定不存在的值,避免空列表生成的 in 语句不合法
values: List[str, int] = condition.get("value") or ["-1"]

if condition["key"] == "plugin_name":
placeholder = []
for cond in condition["value"]:
placeholder.append('"{}"'.format(cond))
wheres.append(f'{ProcessStatus._meta.db_table}.name in ({",".join(placeholder)})')
if condition["key"] in ["source_id", "plugin_name"]:
key: str = {"source_id": "source_id", "plugin_name": "name"}[condition["key"]]
sql_params.extend(values)
wheres.append(f'{ProcessStatus._meta.db_table}.{key} in ({",".join(["%s"] * len(values))})')

if condition["key"] in plugin_names:
# 插件版本的精确搜索
placeholder = []
for cond in condition["value"]:
if cond == -1:
for cond_val in values:
if cond_val == -1:
# 无版本插件筛选
placeholder.append('""')
sql_params.append("")
else:
placeholder.append('"{}"'.format(cond))
wheres.append(f'{ProcessStatus._meta.db_table}.version in ({",".join(placeholder)})')
sql_params.append(cond_val)
wheres.append(f'{ProcessStatus._meta.db_table}.version in ({",".join(["%s"] * len(values))})')
# condition["key"] 已做范围限制,是安全的
wheres.append(f'{ProcessStatus._meta.db_table}.name="{condition["key"]}"')

elif condition["key"] in [f"{plugin}_status" for plugin in plugin_names]:
# 插件状态的精确搜索
placeholder = []
for cond in condition["value"]:
placeholder.append('"{}"'.format(cond))
wheres.append(f'{ProcessStatus._meta.db_table}.status in ({",".join(placeholder)})')
wheres.append(f'{ProcessStatus._meta.db_table}.name="{"_".join(condition["key"].split("_")[:-1])}"')
sql_params.extend(values)
wheres.append(f'{ProcessStatus._meta.db_table}.status in ({",".join(["%s"] * len(values))})')
# plugin_name 已做范围限制,是安全的
plugin_name: str = "_".join(condition["key"].split("_")[:-1])
wheres.append(f'{ProcessStatus._meta.db_table}.name="{plugin_name}"')

if wheres:
wheres = init_wheres + wheres
bk_host_id_list = set(
Host.objects.extra(select=select, tables=[ProcessStatus._meta.db_table], where=wheres).values_list(
"bk_host_id", flat=True
)
Host.objects.extra(
select=select, tables=[ProcessStatus._meta.db_table], where=wheres, params=sql_params
).values_list("bk_host_id", flat=True)
)
# 对于有搜索条件但搜索结果为空的情况,填充一个无效的主机ID(-1),用于兼容multiple_cond_sql将空列表当成全选的逻辑
return bk_host_id_list or [-1]
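Review bot: `values: List[str, int]` on the line after the empty-list comment is not a valid `typing` form (`List` takes a single parameter); it should read `List[Union[str, int]]` or `List[Any]`. Local-variable annotations are not evaluated at run time, so this does not break the build, but a type checker will reject it. The substance of the change is sound: every user-controlled value now travels through `sql_params` and a matching `%s` placeholder, placeholders and params are appended in the same loop iteration so their order stays aligned, and the two remaining f-string interpolations into the `name=` clauses use `condition["key"]` only after it has been checked against `plugin_names` (or derived from a key in the `_status` list), which the inline comments correctly call out. Two follow-ups worth a second commit: (1) `values` is taken from `condition.get("value")` without checking that it is a list, so a scalar string would be iterated character by character and `len(values)` would no longer match the caller's intent; validate the type before building the `in (...)` clause. (2) Now that `params=sql_params` is passed to `Host.objects.extra`, any literal `%` in `init_wheres` or in `select` must be escaped as `%%`, because the whole `where` string is handed to the DB cursor together with the parameters. Minor: the empty-list default is the string `"-1"` while the version branch tests `cond_val == -1` as an int, so the default falls into the `else` branch and is compared against `version` as a string, which is harmless but inconsistent.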
6 changes: 6 additions & 0 deletions docs/release.md
@@ -1,5 +1,11 @@
# Release

## 2.2.32 - 2023-06-13


### optimization:
* 修复插件状态搜索存在 SQL 注入问题 (fixed #1556)

## 2.2.27 - 2022-09-27


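Review bot: a SQL injection fix is filed under `### optimization:`; a security-relevant change belongs under a bugfix or security heading so operators scanning release notes can find it, and the entry would be more useful if it named the affected search (host search by plugin status) alongside the issue reference. The same text is added in release/V2.2.32_20230613.md, so keep the two in sync.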
2 changes: 1 addition & 1 deletion release/V2.2.27_20220927.md
@@ -3,4 +3,4 @@


### optimization:
* 国际化处理 (closed #1146)
* 国际化处理 (closed #1146)
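Review bot: the removed and added lines in this hunk are textually identical, so the change is whitespace or line-ending only and unrelated to the SQL injection fix; either drop it from this commit or state the intent (for example normalising trailing whitespace) in the commit message so the diff is not mistaken for a content change.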
6 changes: 6 additions & 0 deletions release/V2.2.32_20230613.md
@@ -0,0 +1,6 @@

## 2.2.32 - 2023-06-13


### optimization:
* 修复插件状态搜索存在 SQL 注入问题 (fixed #1556)
14 changes: 7 additions & 7 deletions support-files/kubernetes/helm/bk-nodeman/Chart.lock
@@ -1,18 +1,18 @@
dependencies:
- name: common
repository: https://charts.bitnami.com/bitnami
version: 1.16.0
version: 1.17.1
- name: mysql
repository: https://charts.bitnami.com/bitnami
version: 8.8.27
version: 9.10.1
- name: redis
repository: https://charts.bitnami.com/bitnami
version: 16.5.4
version: 16.13.2
- name: rabbitmq
repository: https://charts.bitnami.com/bitnami
version: 8.30.1
version: 11.15.3
- name: nginx-ingress-controller
repository: https://charts.bitnami.com/bitnami
version: 9.1.12
digest: sha256:ed5d1bccd3c41a765697a425d281ee585080aa9cfdbe17e6e531281903d27365
generated: "2022-06-09T16:02:09.176183862+08:00"
version: 9.7.1
digest: sha256:d632ee95472efbf577b062477b4775c7b5f6a0cc8c2e4a3dc98ad39afd5f6221
generated: "2023-05-29T17:41:09.775909+08:00"
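Review bot: mysql (8.8.27 to 9.10.1) and rabbitmq (8.30.1 to 11.15.3) are major-version bumps of the Bitnami subcharts inside a commit described as a SQL injection bugfix; major bumps of these charts can change default values, image versions and persistence behaviour, so the upgrade path for existing deployments (and any values overrides that still reference the old chart keys) should be verified and called out in the release notes rather than shipped silently. The refreshed `digest` and `generated` lines show the lock was regenerated rather than hand-edited, which is the right way to update it.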
8 changes: 4 additions & 4 deletions support-files/kubernetes/helm/bk-nodeman/Chart.yaml
@@ -29,18 +29,18 @@ dependencies:
version: 1.x.x
repository: https://charts.bitnami.com/bitnami
- name: mysql
version: 8.8.27
version: 9.x.x
repository: https://charts.bitnami.com/bitnami
condition: mysql.enabled
- name: redis
version: 16.5.4
version: 16.x.x
repository: https://charts.bitnami.com/bitnami
condition: redis.enabled
- name: rabbitmq
version: 8.30.1
version: 11.x.x
repository: https://charts.bitnami.com/bitnami
condition: rabbitmq.enabled
- name: nginx-ingress-controller
version: 9.1.12
version: 9.x.x
repository: https://charts.bitnami.com/bitnami
condition: nginx-ingress-controller.enabled
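Review bot: the dependency constraints move from exact versions (for example `8.8.27`) to floating ranges (`9.x.x`, `16.x.x`, `11.x.x`), so `helm dependency update` will resolve to whichever newest minor or patch Bitnami publishes at that moment; the accompanying Chart.lock pins the resolved versions, which keeps builds reproducible only as long as the lock file is honoured. If floating ranges are intended, document that the lock file is authoritative, or narrow the ranges to a specific minor to limit drift.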
