
[Cherry-pick to branch-1.3] [#11839] fix(clickhouse): escape single quotes in database and table name SQL to prevent injection (#11840)#11895

Open
github-actions[bot] wants to merge 1 commit into
branch-1.3from
cherry-pick-c2fc58bf-to-branch-1.3

Conversation

@github-actions github-actions Bot commented Jul 3, 2026


Cherry-pick Information:

  • Original commit: c2fc58b
  • Target branch: branch-1.3
  • Status: ✅ Clean cherry-pick (no conflicts)

…name SQL to prevent injection (#11840)

### What changes were proposed in this pull request?

- Override `generateDatabaseExistSql` in `ClickHouseDatabaseOperations`
to query `system.databases` with proper single-quote escaping via
`escapeSingleQuotes`. The inherited default targets
`information_schema.SCHEMATA` which ClickHouse does not support.
- Escape `databaseName` and `tableName` in
`ClickHouseTableOperations.getIndexes()` before interpolating into
`QUERY_INDEXES_SQL`.
- Add unit tests for `generateDatabaseExistSql` covering normal names
and names containing single quotes.

### Why are the changes needed?

Both code paths interpolate user-provided names into SQL string literals
without escaping single quotes, creating SQL injection vulnerabilities.
ClickHouse's JDBC driver does not support `PreparedStatement`
parameterization for `system`-table queries, so string escaping
(single-quote doubling) is the correct and only viable mitigation. The
fix reuses the existing `ClickHouseClusterUtils.escapeSingleQuotes()`
utility already used by `generateCreateDatabaseSql`,
`generateAlterTableSql`, and other methods in the same module.

Fix: #11839

### Does this PR introduce _any_ user-facing change?

No.

### How was this patch tested?

- `./gradlew :catalogs-contrib:catalog-jdbc-clickhouse:spotlessApply` — passes
- `./gradlew :catalogs-contrib:catalog-jdbc-clickhouse:build` — passes
- `./gradlew :catalogs-contrib:catalog-jdbc-clickhouse:test` — all tests pass, including new tests:
  - `testGenerateDatabaseExistSqlNormalName` — verifies normal name produces correct SQL
  - `testGenerateDatabaseExistSqlSingleQuoteEscaped` — verifies `test'db` → `test''db`

@github-actions github-actions Bot requested a review from jerryshao July 3, 2026 13:04
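
The escaping pattern the PR describes, as an added Java example that is not Gravitino's own code: a stand-in `escapeSingleQuotes` that doubles quotes (the behaviour the description attributes to `ClickHouseClusterUtils.escapeSingleQuotes()`), the unsafe and the hardened shapes of a `generateDatabaseExistSql`-style query, and a small literal scanner showing that the PR's test case `test'db` stays inside its string literal only in the hardened form. The class name, method names and exact query text are assumptions.

```java
import java.util.ArrayList;
import java.util.List;

/** Hypothetical stand-in (not Gravitino's code) for the escaping pattern the PR applies. */
final class ClickHouseNameEscaping {
  /** Assumed behaviour of ClickHouseClusterUtils.escapeSingleQuotes(): double every quote. */
  static String escapeSingleQuotes(String value) {
    return value.replace("'", "''");
  }
  /** The shape the PR fixes: the raw name is interpolated straight into a string literal. */
  static String unsafeDatabaseExistSql(String databaseName) {
    return "SELECT name FROM system.databases WHERE name = '" + databaseName + "'";
  }
  /** The hardened shape: escape first, then interpolate (query text is assumed, not copied). */
  static String safeDatabaseExistSql(String databaseName) {
    return "SELECT name FROM system.databases WHERE name = '" + escapeSingleQuotes(databaseName) + "'";
  }
  /** Decodes every single-quoted literal in sql ('' is an escaped quote); throws if unbalanced. */
  static List<String> literals(String sql) {
    List<String> out = new ArrayList<>();
    StringBuilder cur = null; // non-null while inside a literal
    for (int i = 0; i < sql.length(); i++) {
      char c = sql.charAt(i);
      if (cur == null) {
        if (c == '\'') cur = new StringBuilder();
      } else if (c != '\'') {
        cur.append(c);
      } else if (i + 1 < sql.length() && sql.charAt(i + 1) == '\'') {
        cur.append('\''); // doubled quote is literal content; skip the second one
        i++;
      } else {
        out.add(cur.toString()); // closing quote
        cur = null;
      }
    }
    if (cur != null) throw new IllegalStateException("unterminated string literal: " + sql);
    return out;
  }
  public static void main(String[] args) {
    String name = "test'db"; // constructed sample, same case as the PR's unit test
    String safe = safeDatabaseExistSql(name);
    System.out.println(safe + " -> round-trips: " + literals(safe).get(0).equals(name));
    try {
      literals(unsafeDatabaseExistSql(name)); // the quote in the name ends the literal early
    } catch (IllegalStateException e) {
      System.out.println("unsafe SQL is malformed: " + e.getMessage());
    }
  }
}
```

The same `escapeSingleQuotes` call applied to both `databaseName` and `tableName` before formatting `QUERY_INDEXES_SQL` is the second half of the fix; the scanner is only a reviewer's aid for checking generated SQL, not something the driver provides.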
