feat: added new feature gate for parameterized queries

Signed-off-by: Neko Ayaka <[email protected]>

pkg/storage/internalstorage/features.go

@@ -12,6 +12,16 @@ const (
 	// owner: @cleverhu
 	// alpha: v0.3.0
 	AllowRawSQLQuery featuregate.Feature = "AllowRawSQLQuery"
+
+	// AllowParameterizedSQLQuery is a feature gate for the apiserver to allow querying by the parameterized SQL
+	// for better defense against SQL injection.
+	//
+	// Use either single whereSQLStatement field, a pair of whereSQLStatement with whereSQLParam, or
+	// whereSQLStatement with whereSQLJSONParams to pass the SQL it self and parameters.
+	//
+	// owner: @nekomeowww
+	// alpha: v0.8.0
+	AllowParameterizedSQLQuery featuregate.Feature = "AllowParameterizedSQLQuery"
 )
 
 func init() {
@@ -21,5 +31,6 @@ func init() {
 // defaultInternalStorageFeatureGates consists of all known custom internalstorage feature keys.
 // To add a new feature, define a key for it above and add it here.
 var defaultInternalStorageFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
-	AllowRawSQLQuery: {Default: false, PreRelease: featuregate.Alpha},
+	AllowRawSQLQuery:           {Default: false, PreRelease: featuregate.Alpha},
+	AllowParameterizedSQLQuery: {Default: false, PreRelease: featuregate.Alpha},
 }

pkg/storage/internalstorage/util.go

@@ -218,7 +218,7 @@ func applyListOptionsToQuery(query *gorm.DB, opts *internal.ListOptions, applyFn
 		query,
 		opts.URLQuery,
 		utilfeature.DefaultMutableFeatureGate.Enabled(AllowRawSQLQuery),
-		false,
+		utilfeature.DefaultMutableFeatureGate.Enabled((AllowParameterizedSQLQuery)),
 	)
 	if err != nil {
 		return 0, nil, nil, err