Merge pull request #5068 from influxdata/fixes/escape-meta-queries

Escape injected meta query values
influxdata · Feb 9, 2019 · 0913f97 · 0913f97
2 parents 17f5ec3 + b38c231
commit 0913f97
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,9 +1,13 @@
-## v1.7.7 [2018-01-16]
+## v1.7.8 [2019-02-08]
+### Bug Fixes
+1. [#5068](https://github.com/influxdata/chronograf/pull/5068): Escape injected meta query values
+
+## v1.7.7 [2019-01-16]
 
 ### Bug Fixes
 1. [#5045](https://github.com/influxdata/chronograf/pull/5045): Use JWT in enterprise for authentication in flux
 
-## v1.7.6 [2018-01-14]
+## v1.7.6 [2019-01-14]
 
 ### Bug Fixes
 1. [#4895](https://github.com/influxdata/chronograf/pull/4895): Properly set scroll to row for table graph

diff --git a/ui/src/shared/apis/metaQuery.js b/ui/src/shared/apis/metaQuery.js
@@ -10,9 +10,14 @@ export const showDatabases = async source => {
 export const showRetentionPolicies = async (source, databases) => {
   let query
   if (Array.isArray(databases)) {
-    query = databases.map(db => `SHOW RETENTION POLICIES ON "${db}"`).join(';')
+    query = databases
+      .map(db => `SHOW RETENTION POLICIES ON "${_.escape(db)}"`)
+      .join(';')
   } else {
-    query = `SHOW RETENTION POLICIES ON "${databases}"`
+    const dbs = _.split(databases, ',')
+      .map(d => `${_.escape(d)}`)
+      .join(',')
+    query = `SHOW RETENTION POLICIES ON "${dbs}"`
   }
 
   return await proxy({source, query})
@@ -49,7 +54,7 @@ export const showTagKeys = async ({
   measurement,
 }) => {
   const rp = _.toString(retentionPolicy)
-  const query = `SHOW TAG KEYS FROM "${rp}"."${measurement}"`
+  const query = `SHOW TAG KEYS FROM "${rp}"."${_.escape(measurement)}"`
   return await proxy({source, db: database, rp: retentionPolicy, query})
 }
 
@@ -62,10 +67,12 @@ export const showTagValues = async ({
 }) => {
   const keys = tagKeys
     .sort()
-    .map(k => `"${k}"`)
+    .map(k => `"${_.escape(k)}"`)
     .join(', ')
   const rp = _.toString(retentionPolicy)
-  const query = `SHOW TAG VALUES FROM "${rp}"."${measurement}" WITH KEY IN (${keys})`
+  const query = `SHOW TAG VALUES FROM "${rp}"."${_.escape(
+    measurement
+  )}" WITH KEY IN (${keys})`
 
   return await proxy({source, db: database, rp: retentionPolicy, query})
 }
@@ -84,7 +91,9 @@ export function createRetentionPolicy({
   replicationFactor,
   clusterID,
 }) {
-  const statement = `CREATE RETENTION POLICY "${rpName}" ON "${database}" DURATION ${duration} REPLICATION ${replicationFactor}`
+  const statement = `CREATE RETENTION POLICY "${rpName}" ON "${_.escape(
+    database
+  )}" DURATION ${duration} REPLICATION ${replicationFactor}`
   const url = buildInfluxUrl({host, statement})
 
   return proxy(url, clusterID)