Kylin has some restful apis which will concatenate SQLs with the user input string, a user is likely to be able to run malicious database queries.
apache kylin
apache kylin 3.0.0