|
|
@ -543,14 +543,9 @@ func (s *Service) handleQuery(w http.ResponseWriter, r *http.Request) {
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// Validate queries, unless disabled.
|
|
|
|
// Validate queries, unless disabled.
|
|
|
|
if !s.NoVerifySelect {
|
|
|
|
if !s.NoVerifySelect && !queriesValid(queries) {
|
|
|
|
for _, q := range queries {
|
|
|
|
w.WriteHeader(http.StatusForbidden)
|
|
|
|
u := strings.ToUpper(strings.TrimSpace(q))
|
|
|
|
return
|
|
|
|
if !strings.HasPrefix(u, "SELECT ") {
|
|
|
|
|
|
|
|
w.WriteHeader(http.StatusForbidden)
|
|
|
|
|
|
|
|
return
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
results, err := s.store.Query(queries, timings, isTx, lvl)
|
|
|
|
results, err := s.store.Query(queries, timings, isTx, lvl)
|
|
|
@ -602,6 +597,17 @@ func (s *Service) CheckRequestPerm(r *http.Request, perm string) bool {
|
|
|
|
return s.credentialStore.HasPerm(username, PermAll) || s.credentialStore.HasPerm(username, perm)
|
|
|
|
return s.credentialStore.HasPerm(username, PermAll) || s.credentialStore.HasPerm(username, perm)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// queriesValid returns whether the slice of queries is valid.
|
|
|
|
|
|
|
|
func queriesValid(queries []string) bool {
|
|
|
|
|
|
|
|
for _, q := range queries {
|
|
|
|
|
|
|
|
u := strings.ToUpper(strings.TrimSpace(q))
|
|
|
|
|
|
|
|
if !strings.HasPrefix(u, "SELECT ") {
|
|
|
|
|
|
|
|
return false
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
return true
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// serveExpvar serves registered expvar information over HTTP.
|
|
|
|
// serveExpvar serves registered expvar information over HTTP.
|
|
|
|
func serveExpvar(w http.ResponseWriter, r *http.Request) {
|
|
|
|
func serveExpvar(w http.ResponseWriter, r *http.Request) {
|
|
|
|
w.Header().Set("Content-Type", "application/json; charset=utf-8")
|
|
|
|
w.Header().Set("Content-Type", "application/json; charset=utf-8")
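Review bot: queriesValid, added in this hunk, accepts a query only when its upper-cased, trimmed text starts with the literal `"SELECT "`, so a statement whose keyword is followed by a tab or newline (`SELECT\n1`) or that begins with a CTE (`WITH ... SELECT`) or `EXPLAIN` is rejected, while the check says nothing about what follows the keyword and so cannot by itself establish that the statement only reads. A keyword match such as `f := strings.Fields(u); if len(f) == 0 || f[0] != "SELECT" { return false }` would handle the whitespace variants, and the helper is best treated as a coarse pre-filter with the read-only guarantee enforced by the store. The doc comment should say what "valid" means, e.g. `// queriesValid reports whether every query, after trimming and upper-casing, begins with the SELECT keyword; it is a textual pre-filter and does not by itself enforce read-only execution.` Its caller in handleQuery (the first hunk) answers with a bare `w.WriteHeader(http.StatusForbidden)`, so the client gets no reason; `http.Error(w, "only SELECT queries are permitted", http.StatusForbidden)` would make the rejection self-explanatory.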
|
|
|
|