Skip to content

[#4211] fix(catalog-jdbc): Harden database SQL generation against injection#11780

Draft
JandyTenedora wants to merge 3 commits into
apache:mainfrom
JandyTenedora:jandyt/fix-sql-injection-drop-database-validation
Draft

[#4211] fix(catalog-jdbc): Harden database SQL generation against injection#11780
JandyTenedora wants to merge 3 commits into
apache:mainfrom
JandyTenedora:jandyt/fix-sql-injection-drop-database-validation

Conversation

@JandyTenedora

@JandyTenedora JandyTenedora commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

What changes were proposed in this pull request?

Add validateBacktickQuotedIdentifier() in JdbcDatabaseOperations to reject database names containing SQL metacharacters before they are embedded in backtick-quoted DROP DATABASE statements. Applied to all JDBC catalog overrides that use backtick quoting (MySQL, OceanBase via parent, Doris, StarRocks, ClickHouse).

Why are the changes needed?

generateDropDatabaseSql builds SQL via string formatting with backtick quoting. A name containing backticks can break out of the identifier and inject arbitrary SQL. The upstream SchemaNormalizeDispatcher validates names today, but calling JdbcDatabaseOperations.delete() directly bypasses that validation.

Fix: #4211

Does this PR introduce any user-facing change?

No.

How was this patch tested?

Added unit tests for drop-path validation in TestJdbcDatabaseOperations, TestClickHouseDatabaseOperations, TestDorisDatabaseOperationsSqlGeneration, and TestStarRocksDatabaseOperationsSqlGeneration — covering valid names, null, empty, SQL injection strings, spaces, and overlength names.

./gradlew :catalogs:catalog-jdbc-common:test
./gradlew :catalogs:catalog-jdbc-doris:test
./gradlew :catalogs:catalog-jdbc-starrocks:test
./gradlew :catalogs-contrib:catalog-jdbc-clickhouse:test

@JandyTenedora JandyTenedora force-pushed the jandyt/fix-sql-injection-drop-database-validation branch 2 times, most recently from 00fb195 to 7f4edee Compare June 25, 2026 13:59
@JandyTenedora JandyTenedora changed the title Jandyt/fix sql injection drop database validation [#4211] fix(catalog-jdbc): Harden database SQL generation against injection Jun 25, 2026
@JandyTenedora JandyTenedora force-pushed the jandyt/fix-sql-injection-drop-database-validation branch 2 times, most recently from 2e05a2e to 1a47603 Compare June 25, 2026 17:34
@JandyTenedora

Copy link
Copy Markdown
Contributor Author
image image

Reran

  ./gradlew spotlessApply
  ./gradlew spotlessCheck

…ck-quoted drop SQL

Add validateBacktickQuotedIdentifier() in JdbcDatabaseOperations to reject
database names containing SQL metacharacters before they are embedded in
backtick-quoted DROP DATABASE statements. Applied to all JDBC catalog
overrides that use backtick quoting (MySQL, OceanBase, Doris, StarRocks,
ClickHouse).
@JandyTenedora JandyTenedora force-pushed the jandyt/fix-sql-injection-drop-database-validation branch from 07b4fba to e4daa5d Compare June 29, 2026 11:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Improvement] Possible SQL injection in MysqlDatabaseOperations.java

1 participant