Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: implement whitelist #119

Merged
merged 1 commit into from
Oct 30, 2024
Merged

feat: implement whitelist #119

merged 1 commit into from
Oct 30, 2024

Conversation

catalyst17
Copy link
Contributor

@catalyst17 catalyst17 commented Oct 29, 2024
edited
Loading

TL;DR

Implemented query validation to enhance security and prevent potential SQL injection attacks.

What changed?

  • Added a ValidateQuery function in utils.go to check for disallowed patterns and ensure only allowed functions are used in queries.
  • Integrated query validation in the ClickHouseConnector methods for executing queries.
  • Updated error handling in logs_handlers.go and transactions_handlers.go to potentially use BadRequestError for disallowed functions.

How to test?

  1. Try running queries with allowed functions (e.g., sum, count, reinterpretAsUInt256) and ensure they work as expected.
  2. Attempt to use disallowed patterns or functions in queries and verify that they are rejected with appropriate error messages.
  3. Test different types of queries (SELECT, INSERT, UPDATE, etc.) to confirm that only SELECT queries are allowed.

Why make this change?

This change enhances the security of the application by preventing potential SQL injection attacks and restricting the use of potentially harmful functions or query patterns. It ensures that only safe, pre-approved functions can be used in queries, reducing the risk of unauthorized data access or manipulation.

@linear Linear
Copy link

linear bot commented Oct 29, 2024

BLOCK-302 Allowed CH functions to be whitelisted to avoid SQL injection

@catalyst17 Graphite App
Copy link
Contributor Author

This stack of pull requests is managed by Graphite. Learn more about stacking.

Join @catalyst17 and the rest of your teammates on Graphite Graphite

@catalyst17 catalyst17 requested a review from iuwqyir October 29, 2024 19:12
@catalyst17 catalyst17 marked this pull request as ready for review October 29, 2024 19:13
@catalyst17 catalyst17 force-pushed the arsenii/block-302/allow-specific-functions-only branch from bbd940f to 9cb0aac Compare October 29, 2024 19:13
iuwqyir
iuwqyir reviewed Oct 29, 2024
View reviewed changes
Copy link
Collaborator

@iuwqyir iuwqyir left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there any performance impact on this? Can we instead use permissioned db users?

@catalyst17 catalyst17 merged commit 32f151a into main Oct 30, 2024
5 checks passed
@catalyst17 catalyst17 deleted the arsenii/block-302/allow-specific-functions-only branch October 30, 2024 13:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@iuwqyir iuwqyir iuwqyir approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@catalyst17 @iuwqyir