thevar1able/ClickHouse
1
0
Fork 0
mirror of https://github.com/ClickHouse/ClickHouse.git synced 2024-11-20 06:32:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

Forbid paths in timezone names

Browse Source
This commit is contained in:
avogar 2022-12-14 13:42:10 +00:00
parent a4525bb98f
commit 5895fcc21d
3 changed files with 27 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
src/DataTypes/TimezoneMixin.h
View File

@ -2,6 +2,14 @@
#include <Core/Types.h>
#include <Common/DateLUT.h>
namespace DB
{
namespace ErrorCodes
{
extern const int BAD_ARGUMENTS;
}
}
class DateLUTImpl;
/** Mixin-class that manages timezone info for timezone-aware DateTime implementations
@ -15,7 +23,7 @@ public:
explicit TimezoneMixin(const String & time_zone_name = "")
: has_explicit_time_zone(!time_zone_name.empty())
, time_zone(DateLUT::instance(time_zone_name))
, time_zone(DateLUT::instance(checkTimezoneName(time_zone_name)))
, utc_time_zone(DateLUT::instance("UTC"))
{
}
@ -29,4 +37,17 @@ protected:
const DateLUTImpl & time_zone;
const DateLUTImpl & utc_time_zone;
private:
static const String & checkTimezoneName(const String & timezone_name)
{
const char * forbidden_patterns[] = {"/", "../", "./", "~/"};
for (const auto & pattern : forbidden_patterns)
{
if (timezone_name.starts_with(pattern))
throw DB::Exception(DB::ErrorCodes::BAD_ARGUMENTS, "Timezone name cannot start with '{}'", pattern);
}
return timezone_name;
}
};

0
tests/queries/0_stateless/02505_forbid_paths_in_datetime_timezone.reference Normal file
View File

5
tests/queries/0_stateless/02505_forbid_paths_in_datetime_timezone.sql Normal file
View File

@ -0,0 +1,5 @@
select toDateTime(0, '/abc'); -- { serverError BAD_ARGUMENTS }
select toDateTime(0, './abc'); -- { serverError BAD_ARGUMENTS }
select toDateTime(0, '../abc'); -- { serverError BAD_ARGUMENTS }
select toDateTime(0, '~/abc'); -- { serverError BAD_ARGUMENTS }