Fix SQL injection vulnerability in cluster_name_override parameter #7830
Open
fix-it-felix-sentry[bot] wants to merge 1 commit into master from
Validates cluster_name_override to only allow alphanumeric characters,
underscores, and hyphens, preventing SQL injection attacks through
malicious cluster names.
The cluster_name_override parameter is passed directly from user input
via the Flask API endpoint /run_copy_table_query and was previously used
without validation in SQL queries, creating a critical SQL injection
vulnerability at:
- Line 62: f"{db_table} ON CLUSTER '{cluster_name}'"
- Line 91: f"FROM clusterAllReplicas('{cluster_name}', system.tables)"
This fix adds strict input validation using a regex pattern to reject
any cluster names containing special characters that could be used for
SQL injection attacks.
Also added comprehensive test coverage to verify that malicious input
is properly rejected.
Fixes: https://linear.app/getsentry/issue/VULN-1340
Fixes: https://linear.app/getsentry/issue/PF-75
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| if not re.match(r"^[a-zA-Z0-9_-]+$", cluster_name_override): | ||
| raise ValueError( | ||
| "Invalid cluster name: only alphanumeric characters, underscores, and hyphens are allowed" | ||
| ) |
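Review bot: In the `re.match(r"^[a-zA-Z0-9_-]+$", cluster_name_override)` check, `$` also matches just before a trailing newline, so an otherwise valid name that ends in "\n" passes validation even though the error message says only alphanumerics, underscores and hyphens are allowed. Use `re.fullmatch(r"[a-zA-Z0-9_-]+", cluster_name_override)`, or end the pattern with `\Z`, so the whole string has to match the allow-list. The check also assumes `cluster_name_override` is a string; a non-string value would raise TypeError from `re.match` rather than the intended ValueError.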
ValueError caught with misleading "Target host is invalid" message
Medium Severity
The new ValueError raised for invalid cluster names gets caught by the existing except ValueError handler in views.py line 489, which formats the response as "Target host is invalid: {err.args[0]}". Users attempting an invalid cluster name will see the confusing message "Target host is invalid: Invalid cluster name: only alphanumeric characters…" — misattributing the error to the target host instead of the cluster name.


Summary
This PR fixes a critical SQL injection vulnerability in the cluster_name_override parameter used by the /run_copy_table_query endpoint.
Issue
The cluster_name_override parameter was being passed directly from user input without validation and used in SQL queries, creating a SQL injection vulnerability at:
- copy_tables.py: f"{db_table} ON CLUSTER '{cluster_name}'"
- copy_tables.py: f"FROM clusterAllReplicas('{cluster_name}', system.tables)"
Solution
Added strict input validation to only allow alphanumeric characters, underscores, and hyphens in cluster names. This prevents SQL injection attacks while still allowing legitimate cluster naming conventions.
Changes
- cluster_name_override parameter
- ValueError if invalid characters are detected
Testing
- test_copy_tables_cluster_name_override_sql_injection_prevention()
References
Co-Authored-By: Claude Sonnet 4.5 noreply@anthropic.com
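
An added example, not code from this PR or the project, of the allow-list check described above applied to the two f-string shapes the description names. `validate_cluster_name`, `InvalidClusterName`, the two builder functions and the sample inputs are hypothetical; the sketch uses `re.fullmatch` rather than the PR's `^...$` pattern so that a name with a trailing newline is rejected as well.

```python
import re

# Allow-list from the PR description: alphanumerics, underscores, hyphens.
_CLUSTER_NAME_RE = re.compile(r"[a-zA-Z0-9_-]+")


class InvalidClusterName(ValueError):
    """Hypothetical dedicated error, so a handler can name the right field."""


def validate_cluster_name(name):
    # fullmatch anchors both ends. re.match with "^...$" would still accept
    # "name\n", because "$" also matches just before a final newline.
    if not isinstance(name, str) or not _CLUSTER_NAME_RE.fullmatch(name):
        raise InvalidClusterName(
            "Invalid cluster name: only alphanumeric characters, "
            "underscores, and hyphens are allowed"
        )
    return name


def on_cluster_clause(db_table, cluster_name):
    # Same f-string shape as the first location named on the page.
    return f"{db_table} ON CLUSTER '{validate_cluster_name(cluster_name)}'"


def replicas_source(cluster_name):
    # Same f-string shape as the second location named on the page.
    name = validate_cluster_name(cluster_name)
    return f"FROM clusterAllReplicas('{name}', system.tables)"


def check(names):
    """Map each candidate name to True (accepted) or False (rejected)."""
    results = {}
    for candidate in names:
        try:
            validate_cluster_name(candidate)
            results[candidate] = True
        except InvalidClusterName:
            results[candidate] = False
    return results


# Constructed sample inputs, not taken from the project's tests.
SAMPLES = ["cluster-a_01", "c' OR '1'='1", "cluster-a\n", "", "a b"]
if __name__ == "__main__":
    for name, ok in check(SAMPLES).items():
        print(repr(name), "accepted" if ok else "rejected")
```

Because `InvalidClusterName` subclasses `ValueError`, a caller that wants a field-specific message has to catch it before any broader `except ValueError` clause.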