clickhouse escape strings

Author: lomik

find/handler.go

@@ -3,7 +3,6 @@ package find
 import (
 	"fmt"
 	"net/http"
-	"strings"
 
 	"github.com/lomik/graphite-clickhouse/config"
 	"github.com/lomik/graphite-clickhouse/helper/clickhouse"
@@ -22,11 +21,6 @@ func NewHandler(config *config.Config) *Handler {
 func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	query := r.URL.Query().Get("query")
 
-	if strings.IndexByte(query, '\'') > -1 { // sql injection dumb fix
-		http.Error(w, "Bad request", http.StatusBadRequest)
-		return
-	}
-
 	var prefix string
 	var err error
 

find/where.go

@@ -4,6 +4,8 @@ import (
 	"fmt"
 	"regexp"
 	"strings"
+
+	"github.com/lomik/graphite-clickhouse/helper/clickhouse"
 )
 
 func HasWildcard(target string) bool {
@@ -31,15 +33,15 @@ func MakeWhere(target string, withLevel bool) (where string) {
 
 	// simple metric
 	if !HasWildcard(target) {
-		AND(fmt.Sprintf("Path = '%s'", target))
+		AND(fmt.Sprintf("Path = '%s'", clickhouse.Escape(target)))
 		return
 	}
 
 	// before any wildcard symbol
 	simplePrefix := target[:strings.IndexAny(target, "[]{}*")]
 
 	if len(simplePrefix) > 0 {
-		AND(fmt.Sprintf("Path LIKE '%s%%'", simplePrefix))
+		AND(fmt.Sprintf("Path LIKE '%s%%'", clickhouse.Escape(simplePrefix)))
 	}
 
 	// prefix search like "metric.name.xx*"
@@ -48,7 +50,7 @@ func MakeWhere(target string, withLevel bool) (where string) {
 	}
 
 	pattern := GlobToRegexp(target)
-	AND(fmt.Sprintf("match(Path, '%s')", pattern))
+	AND(fmt.Sprintf("match(Path, '%s')", clickhouse.Escape(pattern)))
 
 	return
 }

helper/clickhouse/clickhouse.go

@@ -23,6 +23,12 @@ func formatSQL(q string) string {
 	return strings.Join(s, " ")
 }
 
+func Escape(s string) string {
+	s = strings.Replace(s, `\`, `\\`, -1)
+	s = strings.Replace(s, `'`, `\'`, -1)
+	return s
+}
+
 func Query(ctx context.Context, dsn string, query string, timeout time.Duration) (body []byte, err error) {
 	start := time.Now()
 

render/handler.go

@@ -7,7 +7,6 @@ import (
 	"net/http"
 	"sort"
 	"strconv"
-	"strings"
 	"time"
 
 	"github.com/gogo/protobuf/proto"
@@ -36,11 +35,6 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	logger := log.FromContext(r.Context())
 	target := r.URL.Query().Get("target")
 
-	if strings.IndexByte(target, '\'') > -1 { // sql injection dumb fix
-		http.Error(w, "Bad request", http.StatusBadRequest)
-		return
-	}
-
 	var prefix string
 	var err error
 
@@ -94,11 +88,11 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 		listBuf := bytes.NewBuffer(nil)
 		first := true
-		for _, p := range strings.Split(string(treeData), "\n") {
-			if p == "" {
+		for _, p := range bytes.Split(treeData, []byte{'\n'}) {
+			if len(p) == 0 {
 				continue
 			}
-			step := h.config.Rollup.Step(p, int32(fromTimestamp))
+			step := h.config.Rollup.Step(unsafeString(p), int32(fromTimestamp))
 			if step > maxStep {
 				maxStep = step
 			}
@@ -108,7 +102,7 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 			}
 			first = false
 
-			listBuf.WriteString("'" + p + "'") // SQL-Injection
+			listBuf.WriteString("'" + clickhouse.Escape(unsafeString(p)) + "'")
 		}
 
 		if listBuf.Len() == 0 {
@@ -127,11 +121,11 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		// )
 		// pathWhere = makeWhere(target, false)
 	} else {
-		pathWhere = fmt.Sprintf("Path = '%s'", target)
+		pathWhere = fmt.Sprintf("Path = '%s'", clickhouse.Escape(target))
 		maxStep = h.config.Rollup.Step(target, int32(fromTimestamp))
 	}
 
-	until := untilTimestamp - untilTimestamp % int64(maxStep) + int64(maxStep) - 1
+	until := untilTimestamp - untilTimestamp%int64(maxStep) + int64(maxStep) - 1
 	dateWhere := fmt.Sprintf(
 		"(Date >='%s' AND Date <= '%s' AND Time >= %d AND Time <= %d)",
 		time.Unix(fromTimestamp, 0).Format("2006-01-02"),