hhyo · hhyo · Jan 8, 2022 · Jan 5, 2022 · Jan 5, 2022 · Jan 6, 2022
diff --git a/sql/binlog.py b/sql/binlog.py
@@ -4,6 +4,7 @@
 import os
 import time
 import traceback
+import shlex
 
 import simplejson as json
 from django.conf import settings
@@ -112,7 +113,8 @@ def binlog2sql(request):
     # 提交给binlog2sql进行解析
     binlog2sql = Binlog2Sql()
     # 准备参数
-    args = {"conn_options": fr"-h{instance.host} -u{instance.user} -p'{instance.password}' -P{instance.port} ",
+    args = {"conn_options": fr"-h{shlex.quote(str(instance.host))} -u{shlex.quote(str(instance.user))} \
+                -p'{shlex.quote(str(instance.password))}' -P{shlex.quote(str(instance.port))} ",
             "stop_never": False,
             "no-primary-key": no_pk,
             "flashback": flashback,
@@ -190,7 +192,8 @@ def binlog2sql_file(args, user):
     """
     binlog2sql = Binlog2Sql()
     instance = args.get('instance')
-    conn_options = fr"-h{instance.host} -u{instance.user} -p'{instance.password}' -P{instance.port}"
+    conn_options = fr"-h{shlex.quote(str(instance.host))} -u{shlex.quote(str(instance.user))} \
+                -p'{shlex.quote(str(instance.password))}' -P{shlex.quote(str(instance.port))} ",
     args['conn_options'] = conn_options
     timestamp = int(time.time())
     path = os.path.join(settings.BASE_DIR, 'downloads/binlog2sql/')

diff --git a/sql/instance.py b/sql/instance.py
@@ -201,15 +201,15 @@ def schemasync(request):
         "sync-comments": sync_comments,
         "tag": tag,
         "output-directory": output_directory,
-        "source": r"mysql://{user}:'{pwd}'@{host}:{port}/{database}".format(user=instance_info.user,
-                                                                            pwd=instance_info.password,
-                                                                            host=instance_info.host,
-                                                                            port=instance_info.port,
+        "source": r"mysql://{user}:'{pwd}'@{host}:{port}/{database}".format(user=shlex.quote(str(instance_info.user)),
+                                                                            pwd=shlex.quote(str(instance_info.password)),
+                                                                            host=shlex.quote(str(instance_info.host)),
+                                                                            port=shlex.quote(str(instance_info.port)),
                                                                             database=db_name),
-        "target": r"mysql://{user}:'{pwd}'@{host}:{port}/{database}".format(user=target_instance_info.user,
-                                                                            pwd=target_instance_info.password,
-                                                                            host=target_instance_info.host,
-                                                                            port=target_instance_info.port,
+        "target": r"mysql://{user}:'{pwd}'@{host}:{port}/{database}".format(user=shlex.quote(str(target_instance_info.user)),
+                                                                            pwd=shlex.quote(str(target_instance_info.password)),
+                                                                            host=shlex.quote(str(target_instance_info.host)),
+                                                                            port=shlex.quote(str(target_instance_info.port)),
                                                                             database=target_db_name)
     }
     # 参数检查

diff --git a/sql/plugins/binglog2sql.py b/sql/plugins/binglog2sql.py
@@ -33,7 +33,7 @@ def generate_args2cmd(self, args, shell):
                          'start-datetime', 'stop-datetime']
         filter_options = ['databases', 'tables', 'only-dml', 'sql-type']
         if shell:
-            cmd_args = f'python {self.path}' if self.path else ''
+            cmd_args = f'python {shlex.quote(str(self.path))}' if self.path else ''
             for name, value in args.items():
                 if name in conn_options:
                     cmd_args += f' {value}'

diff --git a/sql/plugins/soar.py b/sql/plugins/soar.py
@@ -28,7 +28,7 @@ def generate_args2cmd(self, args, shell):
         :return:
         """
         if shell:
-            cmd_args = self.path if self.path else ''
+            cmd_args = shlex.quote(str(self.path)) if self.path else ''
             for name, value in args.items():
                 cmd_args += f" -{name}={shlex.quote(str(value))}"
         else:

diff --git a/sql/plugins/sqladvisor.py b/sql/plugins/sqladvisor.py
@@ -27,7 +27,7 @@ def generate_args2cmd(self, args, shell):
         :return:
         """
         if shell:
-            cmd_args = self.path if self.path else ''
+            cmd_args = shlex.quote(str(self.path)) if self.path else ''
             for name, value in args.items():
                 cmd_args += f" -{name} {shlex.quote(str(value))}"
         else: