fix: database query built from user-controlled sources

[odaysec]

/kind bug
/kind feature

The safest approach is to only allow table names that match a trusted, known set of pod names, or at minimum validate that the input conforms precisely to the naming rules of expected tables (e.g., by a regular expression matching only valid table names consisting of alphanumeric characters and underscores, starting with a letter, and of reasonable length). This should be done before inserting the value as an identifier into the SQL string.

To implement this in the current file (cmd/metrics-scraper/app/routes/metrics/handlerqueries.go), we need to:

• Add a validation function (e.g., isValidTableName) to check that sanitizedPodName matches a safe pattern (like ^[a-zA-Z_][a-zA-Z0-9_]{0,63}$).
• Refuse to run the query and return an error to the client if the table name fails validation.
• Import the regexp package for pattern matching.
• Apply this validation in queryMetricNames before using the table name.

[gemini-code-assist]

Summary of Changes

Hello @odaysec, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical security vulnerability by implementing stringent input validation for database table names that are constructed from user-controlled input. By introducing a regular expression-based validation function, the changes ensure that only safely formatted table names are used in SQL queries, thereby preventing SQL injection attacks and significantly enhancing the application's security posture.

Highlights

• Security Fix: Implemented input validation for database table names to prevent potential SQL injection vulnerabilities arising from user-controlled sources.
• New Validation Function: Introduced a new isValidTableName function that uses a regular expression to ensure table names conform to a safe and expected identifier pattern.
• Robust Error Handling: Added error handling within queryMetricNames to return a 400 Bad Request response if an invalid table name is detected during validation.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[karmada-bot]

Welcome @odaysec! It looks like this is your first PR to karmada-io/dashboard 🎉

[gemini-code-assist]

Code Review

This pull request aims to fix a SQL injection vulnerability by validating user-provided table names. The introduction of isValidTableName and its use in queryMetricNames is a good step in the right direction. However, the implementation has a couple of issues that need addressing.

First, the regular expression in isValidTableName is compiled on every function call, which is inefficient. I've left a specific comment with a suggestion to compile it once at the package level for better performance.

More critically, the fix is incomplete. The function queryMetricDetailsByName in the same file also constructs SQL queries from the user-provided sanitizedPodName but does not use the new validation function. This leaves a significant SQL injection vulnerability open. Furthermore, the use of ? as placeholders for table names in queryMetricDetailsByName is incorrect and will likely cause runtime errors. Table names cannot be parameterized this way and must be safely interpolated into the query string after thorough validation.

To fully address the vulnerability, it is crucial to apply isValidTableName validation within queryMetricDetailsByName and correct the SQL query construction there.

[gemini-code-assist]

regexp.MustCompile is a relatively expensive operation. Compiling the regular expression on every call to isValidTableName is inefficient. It's a best practice in Go to compile regular expressions once at the package level (e.g., in a var block at the top of the file) and reuse the compiled object. This will improve performance significantly if the function is called frequently.

For example:

var (
	validTableName = regexp.MustCompile(`^[a-zA-Z_][a-zA-Z0-9_]{0,63}$`)
)

// ... in isValidTableName ...
return validTableName.MatchString(name)

[RainbowMango]

It makes sense. @odaysec what do you think?

[warjiang]

+1

[RainbowMango]

It makes sense. @odaysec what do you think?

[RainbowMango]

Right, this is a typical SQL injection issue, like an attacker could exploit this by providing a malicious table name (e.g., podName; DROP TABLE users; --), which could result in data deletion...

[RainbowMango]

@odaysec Thank you for doing this. Just out of curiosity, how do you find this? Are you evaluating the security of this project or something?

[RainbowMango]

cc @warjiang

[warjiang]

@odaysec thanks for your kindly remind for the potential security problems, the changes in the PR would make the metrics-scraper safer then before, but I think maybe we can migrate from raw sql query to orm framework like gorm、ent etc. any ideas?
Btw, there is no doubt that your contribution still make sense ~

[karmada-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: poratoes
Once this PR has been reviewed and has the lgtm label, please assign warjiang for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment