From 227a0a4058cf707ee1497ea02f7bb306e37bf4cf Mon Sep 17 00:00:00 2001
From: peng2285
Date: Fri, 6 Jan 2023 15:25:09 +0800
Subject: [PATCH] fix CVE-2022-4860

---
 CVE-2022-4860.patch | 54 +++++++++++++++++++++++++++++++++++++++++++++
 metrics.spec | 7 +++++-
 2 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-4860.patch

diff --git a/CVE-2022-4860.patch b/CVE-2022-4860.patch
new file mode 100644
index 0000000..c15f676
--- /dev/null
+++ b/CVE-2022-4860.patch
@@ -0,0 +1,54 @@
+From 959dfb6b05991e30b0fa972a1ecdcaae8e1dae6d Mon Sep 17 00:00:00 2001
+From: Jason Baumohl
+Date: Wed, 25 May 2022 00:46:08 +0000
+Subject: [PATCH] fixed sql update to avoid sql injection
+
+---
+ .../methods_upload_user_stats.py | 30 +++++----------------
+ 1 file changed, 4 insertions(+), 26 deletions(-)
+
+diff --git a/source/daily_cron_jobs/methods_upload_user_stats.py b/source/daily_cron_jobs/methods_upload_user_stats.py
+index 0e15ee5..4abbeb9 100644
+--- a/source/daily_cron_jobs/methods_upload_user_stats.py
++++ b/source/daily_cron_jobs/methods_upload_user_stats.py
+@@ -610,36 +610,14 @@ def upload_user_data(user_stats_dict):
+ print("Number of users updated:" + str(users_info_updated_count))
+
+ dev_tokens_users = get_dev_token_users_from_mongo()
+- #print("dev_tokens_users: " + str(dev_tokens_users))
+-
+- ####################
+- # TRIED DO UPDATE WITH PASSED LIST NONE OF THIS WORKED
+- # HAD To build up the entire string
+- # update_new_dev_tokens_statement = (
+- # "update user_info set dev_token_first_seen = now() "
+- # "where dev_token_first_seen is null and "
+- # "username in (%s)"
+- # )
+- # sql_params = ",".join(dev_tokens_users)
+- # sql_params = (dev_tokens_users,)
+- # sql_params = ([str(dev_tokens_users)])
+- # cursor.execute(update_new_dev_tokens_statement, [sql_params])
+- # cursor.execute("update user_info set dev_token_first_seen = now() "
+- # "where dev_token_first_seen is null and "
+- # "username in (%s)" % ', '.join('?' * len(dev_tokens_users)), dev_tokens_users)
+- # update_new_dev_tokens_statement = (
+- # "update user_info set dev_token_first_seen = now() "
+- # "where dev_token_first_seen is null and "
+- # "username in (%s)" % ', '.join('?' * len(dev_tokens_users)), dev_tokens_users
+- # )
+- # cursor.execute("SELECT foo.y FROM foo WHERE foo.x in (%s)" % ', '.join('?' * len(s)), s)
+- dev_tokens_string = "', '".join(dev_tokens_users)
+ update_new_dev_tokens_statement = (
+ "update user_info set dev_token_first_seen = now() "
+ "where dev_token_first_seen is null and "
+- "username in ('" + dev_tokens_string + "')"
++ "username in (" + ("%s, " * (len(dev_tokens_users) - 1)) + "%s)"
+ )
+- cursor.execute(update_new_dev_tokens_statement)
++# print("update_new_dev_tokens_statement : " + update_new_dev_tokens_statement)
++ update_dev_tokens_prep_cursor = db_connection.cursor(prepared=True)
++ update_dev_tokens_prep_cursor.execute(update_new_dev_tokens_statement, dev_tokens_users)
+ db_connection.commit()
+
+ # NOW DO USER SUMMARY STATS
diff --git a/metrics.spec b/metrics.spec
index 5c48401..17a87ab 100644
--- a/metrics.spec
+++ b/metrics.spec
@@ -1,6 +1,6 @@
 Name: metrics
 Version: 3.1.2
-Release: 1
+Release: 2
 Summary: Java library which gives you what your code does in production
 License: ASL 2.0
 URL: http://metrics.dropwizard.io
@@ -8,6 +8,7 @@ Source0: https://github.com/dropwizard/metrics/archive/v%{version}.t
 Patch0: metrics-3.1.2-amqp-client35.patch
 Patch1: metrics-3.1.2-ehcache-core.patch
 Patch2: delete-jersey1-module.patch
+Patch3: CVE-2022-4860.patch
 BuildRequires: maven-local mvn(ch.qos.logback:logback-classic)
 BuildRequires: mvn(com.fasterxml.jackson.core:jackson-databind) mvn(com.google.guava:guava)
 BuildRequires: mvn(com.rabbitmq:amqp-client) jersey
@@ -182,6 +183,7 @@ find . -name "*.jar" -type f -delete
 %patch0 -p1
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 %pom_disable_module metrics-jetty8
 %pom_disable_module metrics-jetty9
 %pom_disable_module metrics-jetty9-legacy
@@ -295,5 +297,8 @@ rm -rf docs/target/singlehtml/.buildinfo
 %endif
 %changelog
+* Fri Jan 6 2023 jiangpeng - 3.1.2-2
+- Fix CVE-2022-4860
+
 * Sat Sep 19 2020 huanghaitao - 3.1.2-1
 - package init
-- Gitee
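Review bot: The placeholder expression on the new `"username in (" + ("%s, " * (len(dev_tokens_users) - 1)) + "%s)"` line breaks when `dev_tokens_users` is empty: `"%s, " * -1` is `""`, leaving one `%s` with zero parameters, so the prepared `execute` fails on a parameter-count mismatch where the old string-built query merely matched nothing, and the hunk adds no guard for that case. Building the placeholders with `", ".join(["%s"] * len(dev_tokens_users))` and skipping the statement when the list is empty avoids it, and the `prepared=True` cursor is never closed, so the execute/commit belongs in a `try`/`finally` that closes it. Switching to a parameterized statement is the right fix for the injection; whether `get_dev_token_users_from_mongo()` returns a list or tuple the driver accepts as a parameter sequence is not visible here, so that should be confirmed at the caller. The `# print(...)` debug line at column 0 would be better dropped than committed. `upload_user_data` begins and ends outside the hunk.

```python
dev_tokens_users = get_dev_token_users_from_mongo()
if dev_tokens_users:
    update_new_dev_tokens_statement = (
        "update user_info set dev_token_first_seen = now() "
        "where dev_token_first_seen is null and "
        "username in (" + ", ".join(["%s"] * len(dev_tokens_users)) + ")"
    )
    update_dev_tokens_prep_cursor = db_connection.cursor(prepared=True)
    try:
        update_dev_tokens_prep_cursor.execute(update_new_dev_tokens_statement, dev_tokens_users)
        db_connection.commit()
    finally:
        update_dev_tokens_prep_cursor.close()
# … unchanged: user summary stats …
```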
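Review bot: The `Patch3: CVE-2022-4860.patch` line registers a patch whose only target is `source/daily_cron_jobs/methods_upload_user_stats.py`, a Python cron-job module, while this spec builds the dropwizard Java library from `github.com/dropwizard/metrics/archive/v3.1.2`; the matching `%patch3 -p1` will abort the build unless that path exists in the tarball, which seems unlikely for a Java project. CVE-2022-4860 therefore appears to concern a different project that merely shares the name `metrics`, so confirm the advisory applies to this package before carrying the patch. If it does not, drop the `Patch3:` line, the `%patch3 -p1` line and the changelog entry rather than bumping the release for a fix that cannot apply.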