
Commit c687c25

[release-23.0] Potential fix for code scanning alert no. 3944: Database query built … (#18963)
Signed-off-by: Tim Vaillancourt <[email protected]>
1 parent a2a182f commit c687c25


1 file changed

+5
-2
lines changed


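--- a/go/vt/vtadmin/api.go
+++ b/go/vt/vtadmin/api.go
@@ -2657,11 +2657,14 @@ func (api *API) VExplain(ctx context.Context, req *vtadminpb.VExplainRequest) (*
 		return nil, err
 	}
 
-	if _, ok := stmt.(*sqlparser.VExplainStmt); !ok {
+	vexplainStmt, ok := stmt.(*sqlparser.VExplainStmt)
+	if !ok {
 		return nil, vterrors.VT09017("Invalid VExplain statement")
 	}
 
-	response, err := c.DB.VExplain(ctx, req.GetSql(), stmt.(*sqlparser.VExplainStmt))
+	// Canonicalize the SQL using the AST, to prevent use of raw user input.
+	canonicalQuery := sqlparser.String(vexplainStmt)
+	response, err := c.DB.VExplain(ctx, canonicalQuery, vexplainStmt)
 
 	if err != nil {
 		return nil, err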
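Review bot: Re-serializing the AST with `sqlparser.String(vexplainStmt)` breaks the taint path the scanner flagged, but the resulting string is still entirely derived from the request, so the comment on new line 2665 overstates what this buys: it normalizes the text, it does not authorize or restrict what the VEXPLAIN wraps. Whether arbitrary inner statements are acceptable here depends on what `c.DB.VExplain` does with them, which is outside the hunk; if this endpoint is meant to be read-only, the type assertion is the natural place to also reject wrapped statements that are not SELECT-like (the VExplainStmt's inner statement field is not visible here, so confirm its name before adding that check). I would reword the comment to `// Re-serialize the parsed AST rather than forwarding req.GetSql(); this normalizes the text but does not restrict what the VEXPLAIN wraps.` It is also worth confirming that the round trip through sqlparser.String preserves any comment directives the original text carried, since the string and the AST are passed separately downstream. The enclosing VExplain method starts before and ends after this hunk.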
