enhance row count retrieval: add AWS-specific estimation and fallback mechanism#1270
| private isAWSConnection(): boolean { | ||
| const { host } = this.connection; | ||
|
|
||
| if (host.includes('cassandra') && host.includes('amazonaws.com')) { |
Check failure
Code scanning / CodeQL
Incomplete URL substring sanitization High
Copilot Autofix
AI 11 months ago
To fix the issue, we need to parse the host value and validate it against a whitelist of allowed AWS domains or patterns. Instead of using host.includes('amazonaws.com'), we should use a stricter check that ensures the host ends with .amazonaws.com and does not contain any unexpected subdomains. This can be achieved using a combination of URL parsing and regular expressions.
The fix involves:
- Parsing the `host` value to ensure it is a valid domain.
- Checking that the host ends with `.amazonaws.com` and matches expected patterns (e.g., `*.amazonaws.com` or `ec2-*.compute.amazonaws.com`).
- Replacing the substring checks with these stricter validations.
| @@ -710,13 +710,9 @@ | ||
|
|
||
| if (host.includes('cassandra') && host.includes('amazonaws.com')) { | ||
| return true; | ||
| } | ||
|
|
||
| if (host.includes('amazonaws.com')) { | ||
| return true; | ||
| } | ||
|
|
||
| const awsHostRegex = /^([a-zA-Z0-9-]+\.)*amazonaws\.com$/i; | ||
| const ec2HostRegex = /^(ec2-).*([.]compute[.]amazonaws[.]com)$/i; | ||
| if (ec2HostRegex.test(host)) { | ||
| return true; | ||
|
|
||
| if (awsHostRegex.test(host)) { | ||
| if (host.includes('cassandra') || ec2HostRegex.test(host)) { | ||
| return true; | ||
| } | ||
| } |
| return true; | ||
| } | ||
|
|
||
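Review bot: as rendered, this hunk ends with a `return true;` that sits outside all three of the new conditionals (`ec2HostRegex`, `awsHostRegex`, and the inner `host.includes('cassandra') || ec2HostRegex.test(host)` test); if that is the method's final statement it is unconditional, every host is classified as AWS, and the regex checks above it are dead code. The method should fall through to `return false;`. Two smaller points on the same lines: the `ec2HostRegex.test(host)` inside the `awsHostRegex` branch is redundant because `if (ec2HostRegex.test(host)) { return true; }` already returned earlier, and `host.includes('cassandra')` is still a substring match (it accepts `mycassandra.` or `cassandra-like.` labels), now applied to a host whose suffix has been anchored. If the only purpose of `isAWSConnection()` is to select the AWS-specific estimation path this PR adds, a single anchored suffix test followed by an explicit `return false;` expresses that more plainly than two overlapping regexes.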
| if (host.includes('amazonaws.com')) { |
Check failure
Code scanning / CodeQL
Incomplete URL substring sanitization High
Copilot Autofix
AI 11 months ago
To fix the problem, we should parse the host string and check if it matches exactly amazonaws.com or is a subdomain of amazonaws.com (e.g., cassandra.amazonaws.com, ec2-xx-xx-xx-xx.compute.amazonaws.com). This can be done by splitting the host into its labels and checking if the last two labels are amazonaws.com, or by using a regular expression that matches only valid AWS hostnames. The fix should be applied in the isAWSConnection method, replacing the substring check with a more robust check. No new dependencies are required, as this can be done with standard string or regex operations.
| @@ -710,3 +710,7 @@ | ||
|
|
||
| if (host.includes('cassandra') && host.includes('amazonaws.com')) { | ||
| // Check for AWS Cassandra service host | ||
| if ( | ||
| host === 'cassandra.amazonaws.com' || | ||
| host.endsWith('.cassandra.amazonaws.com') | ||
| ) { | ||
| return true; | ||
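Review bot: `host === 'cassandra.amazonaws.com' || host.endsWith('.cassandra.amazonaws.com')` is narrower than the condition it replaces: it only accepts hosts where `cassandra` is the label immediately before `amazonaws.com`, whereas the old `includes('cassandra') && includes('amazonaws.com')` accepted `cassandra` anywhere in the name. Confirm this against the endpoint format the connection actually uses before merging; a host with additional labels between `cassandra` and `amazonaws.com` would no longer take this branch (it would still be accepted by the generic `.amazonaws.com` branch in the next hunk, so the outcome may be unchanged, but the comment `// Check for AWS Cassandra service host` would then be misleading). Both comparisons are also case-sensitive; hostnames are not, so lower-casing `host` (and stripping a trailing dot) before the comparison keeps the result independent of how the endpoint was typed into the connection settings.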
| @@ -714,3 +718,7 @@ | ||
|
|
||
| if (host.includes('amazonaws.com')) { | ||
| // Check for any subdomain of amazonaws.com (e.g., ec2-xx-xx-xx-xx.compute.amazonaws.com) | ||
| if ( | ||
| host === 'amazonaws.com' || | ||
| host.endsWith('.amazonaws.com') | ||
| ) { | ||
| return true; |
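Review bot: because this branch returns `true` for `host === 'amazonaws.com' || host.endsWith('.amazonaws.com')`, it already accepts every host the cassandra-specific branch above it accepts, so that earlier branch is now redundant unless it is meant to select a different code path than a plain `return true`; either drop it or have the two branches return different values. As in the previous hunk, `endsWith` is case-sensitive, so normalise `host` (lower-case, strip a trailing dot) once at the top of `isAWSConnection()` rather than relying on the stored value's spelling. The anchored suffix test itself is the right fix for the CodeQL finding: unlike `includes('amazonaws.com')` it rejects names such as `notamazonaws.com` or `amazonaws.com.example.test` that merely contain the suffix.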
No description provided.
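The two CodeQL alerts above flag `host.includes('amazonaws.com')` because a substring test accepts any name that merely contains the suffix somewhere in it. As an added example, not code from this PR or its project, here is a label-based check in TypeScript that anchors on the last two DNS labels, normalises case, port and trailing dot, and treats `cassandra` as a whole label rather than a substring. The function names (`normalizeHost`, `isAwsHost`, `isAwsCassandraHost`, `substringCheck`) and every host in `SAMPLE_HOSTS` are assumptions of this example, not identifiers from the repository.

```typescript
// Added example (not part of PR #1270): host checks anchored on DNS label
// structure instead of substrings, which is what CodeQL's
// "Incomplete URL substring sanitization" finding asks for.

const AWS_SUFFIX_LABELS: string[] = ["amazonaws", "com"]; // assumed suffix of interest

// Normalise a connection host the way a resolver would: lower-case, drop a
// trailing FQDN dot, drop an optional ":port". Anything that is not a plain
// hostname (scheme, path, userinfo, IPv6 literal) yields null.
export function normalizeHost(raw: string): string | null {
  let host = raw.trim().toLowerCase();
  if (host.endsWith(".")) host = host.slice(0, -1);
  const colon = host.indexOf(":");
  if (colon !== -1) {
    // only a numeric port may follow the first colon; "https://..." fails here
    if (!/^\d+$/.test(host.slice(colon + 1))) return null;
    host = host.slice(0, colon);
  }
  if (host.length === 0 || !/^[a-z0-9.-]+$/.test(host)) return null;
  const labels = host.split(".");
  const badLabel = labels.some(
    (l) => l.length === 0 || l.startsWith("-") || l.endsWith("-"),
  );
  return badLabel ? null : host;
}

// True only when the last two DNS labels are exactly "amazonaws" and "com".
// A substring check like host.includes("amazonaws.com") also accepts
// "amazonaws.com.example.test" or "notamazonaws.com"; this does not.
export function isAwsHost(raw: string): boolean {
  const host = normalizeHost(raw);
  if (host === null) return false;
  const labels = host.split(".");
  if (labels.length < 3) return false; // the bare apex is not a service endpoint
  return (
    labels[labels.length - 2] === AWS_SUFFIX_LABELS[0] &&
    labels[labels.length - 1] === AWS_SUFFIX_LABELS[1]
  );
}

// True when the host is an AWS host AND "cassandra" is a whole label before
// the suffix: "cassandra.us-east-1.amazonaws.com" qualifies,
// "mycassandra.amazonaws.com" and "cassandra.example.test" do not.
export function isAwsCassandraHost(raw: string): boolean {
  const host = normalizeHost(raw);
  if (host === null || !isAwsHost(host)) return false;
  const labels = host.split(".");
  return labels.slice(0, -2).indexOf("cassandra") !== -1;
}

// The substring check flagged in the PR, kept only to contrast the results.
export function substringCheck(host: string): boolean {
  return host.includes("amazonaws.com");
}

// Constructed sample hosts for the comparison (not taken from any deployment).
export const SAMPLE_HOSTS: string[] = [
  "cassandra.us-east-1.amazonaws.com",
  "CASSANDRA.EU-WEST-1.AMAZONAWS.COM:9142",
  "ec2-203-0-113-7.compute.amazonaws.com.",
  "mycassandra.amazonaws.com",
  "amazonaws.com",
  "notamazonaws.com",
  "amazonaws.com.example.test",
  "cassandra.example.test",
  "https://cassandra.us-east-1.amazonaws.com",
];

export interface HostVerdict {
  host: string;
  substring: boolean;
  anchored: boolean;
  cassandra: boolean;
}

// Run all three checks over the samples so the differences are visible side by side.
export function compare(hosts: string[] = SAMPLE_HOSTS): HostVerdict[] {
  return hosts.map((host) => ({
    host,
    substring: substringCheck(host),
    anchored: isAwsHost(host),
    cassandra: isAwsCassandraHost(host),
  }));
}

for (const row of compare()) {
  console.log(
    row.host + "  substring=" + row.substring +
      " anchored=" + row.anchored + " cassandra=" + row.cassandra,
  );
}
```

Running the file with `ts-node` or `tsx` prints one line per sample; the rows where `substring=true` but `anchored=false` (`notamazonaws.com`, `amazonaws.com.example.test`, the URL with a scheme) are exactly the inputs the CodeQL rule is about, while the upper-case host with a port and the FQDN with a trailing dot show why normalising before `endsWith`-style comparisons matters.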