Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2021/03/29 22:45:49 UTC

[GitHub] [druid] jihoonson opened a new pull request #11047: Allow list for JDBC connection properties to address CVE-2021-26919

jihoonson opened a new pull request #11047:
URL: https://github.com/apache/druid/pull/11047


   ### Description
   
   This is a backport PR of https://github.com/apache/druid/commit/48953e3508967f5156c69676432b5d4dd25ea678. [CVE-2021-26919](https://lists.apache.org/thread.html/rd87451fce34df54796e66321c40d743a68fb4553d72e7f6f0bc62ebd%40%3Cdev.druid.apache.org%3E) is filed for the security vulnerability of remote code execution using vulnerable MySQL JDBC properties. This PR adds an allow list for JDBC connection properties that is enforced against every JDBC connection for ingestion and lookups, but not for metadata stores. The allow list is enforced for connections to PostgreSQL as well as MySQL. This is because, even though the known security vulnerability can be exploited only with MySQL, we want to be conservative and avoid the same issue with PostgreSQL, which could potentially be exploitable in the future. The JDBC connection will fail if it uses a property that is not in the allow list.
   
   Implementation-wise, this PR uses vendor-specific libraries to parse JDBC connection URLs because the JDBC URL format is diverse across different vendors. This introduces new compatibility issues.
   
   1) The JDBC driver version in the classpath at runtime should be compatible with the version that is used for URL parsing at compile time.
   2) Druid can enforce the allow list only for the JDBC connections that it knows how to parse. However, we should restrict allowed JDBC properties for other database systems to avoid similar issues that could potentially be found in the future.
   
   As a result, URL parsing should be a short-term workaround to mitigate this vulnerability. Longer term, we should rather disallow arbitrary URLs in JDBC connections and instead accept only individual connection properties, including host, port, and user name.
   
   <hr>
   
   ##### Key changed/added classes in this PR
    * `JdbcAccessSecurityConfig`
    * `JdbcExtractionNamespace`
    * `JdbcFetcher`
    * `MySQLFirehoseDatabaseConnector`
    * `PostgresqlFirehoseDatabaseConnector`
   
   <hr>
   
   This PR has:
   - [x] been self-reviewed.
      - [ ] using the [concurrency checklist](https://github.com/apache/druid/blob/master/dev/code-review/concurrency.md) (Remove this item if the PR doesn't have any relation to concurrency.)
   - [x] added documentation for new or modified features or behaviors.
   - [x] added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
   - [ ] added or updated version, license, or notice information in [licenses.yaml](https://github.com/apache/druid/blob/master/dev/license.md)
   - [ ] added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
   - [x] added unit tests or modified existing tests to cover new code paths, ensuring the threshold for [code coverage](https://github.com/apache/druid/blob/master/dev/code-review/code-coverage.md) is met.
   - [ ] added integration tests.
   - [x] been tested in a test Druid cluster.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
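The allow-list check the PR describes, as an added example that is not part of the PR or of Druid's code. It parses a deliberately simplified JDBC URL grammar (`jdbc:<vendor>://host[:port][/db][?key=value&...]`) with the Python standard library rather than the vendor drivers the PR uses, rejects every URL form it does not understand, and also sketches the longer-term option mentioned in the PR of accepting host, port and database individually and assembling the URL itself. The allow-list contents, the host names and every property name used below are illustrative choices made for this example, not the PR's list.

```python
"""Allow list for JDBC connection properties (constructed example, not Druid's code).

Simplified URL grammar handled here:
    jdbc:<vendor>://<host>[:<port>][/<database>][?<key>=<value>[&...]]
Any other form is rejected outright (fail closed).
"""
import re
from urllib.parse import parse_qsl, quote

# Illustrative allow lists (assumed for this example; the PR's real list is not reproduced).
DEFAULT_ALLOWED = {
    "mysql": frozenset({"usessl", "requiressl", "connecttimeout",
                        "sockettimeout", "characterencoding"}),
    "postgresql": frozenset({"ssl", "sslmode", "connecttimeout",
                             "sockettimeout", "applicationname"}),
}

_URL_RE = re.compile(
    r"^jdbc:(?P<vendor>mysql|postgresql)://"
    r"(?P<host>[A-Za-z0-9.\-]+)(?::(?P<port>\d{1,5}))?"
    r"(?:/(?P<database>[A-Za-z0-9_\-]*))?"
    r"(?:\?(?P<query>.*))?$"
)


class JdbcUrlRejected(ValueError):
    """Raised when a URL does not fit this grammar or uses a property outside the allow list."""


def parse_jdbc_url(url):
    """Return (vendor, host, port, database, props) or raise JdbcUrlRejected."""
    m = _URL_RE.match(url)
    if m is None:
        raise JdbcUrlRejected("unsupported JDBC URL form: %r" % url)
    props = {}
    # parse_qsl percent-decodes keys, so "%61utoDeserialize" is seen as
    # "autoDeserialize" instead of slipping past the list as an unknown key.
    # keep_blank_values keeps a bare "key" (no '=') as a property as well.
    for key, value in parse_qsl(m.group("query") or "", keep_blank_values=True):
        # Case-folding is the conservative choice: if a driver ignored case,
        # comparing verbatim would let mixed-case spellings bypass the list.
        props[key.lower()] = value
    return m.group("vendor"), m.group("host"), m.group("port"), m.group("database"), props


def check_jdbc_url(url, allowed=DEFAULT_ALLOWED):
    """Enforce the allow list; return the case-folded properties if every key passes."""
    vendor, _host, _port, _database, props = parse_jdbc_url(url)
    disallowed = sorted(set(props) - allowed[vendor])
    if disallowed:
        raise JdbcUrlRejected("properties not in the %s allow list: %s" % (vendor, disallowed))
    return props


def url_is_permitted(url, allowed=DEFAULT_ALLOWED):
    """Boolean wrapper around check_jdbc_url for callers that only need pass/fail."""
    try:
        check_jdbc_url(url, allowed)
        return True
    except JdbcUrlRejected:
        return False


def build_jdbc_url(vendor, host, port, database, props=None, allowed=DEFAULT_ALLOWED):
    """Longer-term shape sketched in the PR: take each field individually, validate
    it, and assemble the URL ourselves so no caller-supplied URL is ever parsed."""
    props = props or {}
    if vendor not in allowed:
        raise JdbcUrlRejected("unsupported vendor: %r" % vendor)
    if not re.fullmatch(r"[A-Za-z0-9.\-]+", host):
        raise JdbcUrlRejected("bad host: %r" % host)
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise JdbcUrlRejected("bad port: %r" % port)
    if not re.fullmatch(r"[A-Za-z0-9_\-]+", database):
        raise JdbcUrlRejected("bad database: %r" % database)
    items = []
    for key, value in props.items():
        if key.lower() not in allowed[vendor]:
            raise JdbcUrlRejected("property not in allow list: %r" % key)
        items.append("%s=%s" % (quote(key.lower(), safe=""), quote(str(value), safe="")))
    url = "jdbc:%s://%s:%d/%s" % (vendor, host, port, database)
    return url + ("?" + "&".join(items) if items else "")


if __name__ == "__main__":
    # Constructed sample URLs; the hosts do not exist.
    for sample in (
        "jdbc:mysql://db.example.internal:3306/druid?useSSL=true&connectTimeout=5000",
        "jdbc:mysql://db.example.internal:3306/druid?useSSL=true&autoDeserialize=true",
        "jdbc:mysql://db.example.internal:3306/druid?%61utoDeserialize=true",
        "jdbc:mysql:loadbalance://a.example.internal,b.example.internal/druid",
    ):
        print("%-5s %s" % ("ok" if url_is_permitted(sample) else "deny", sample))
    print(build_jdbc_url("postgresql", "pg.example.internal", 5432, "druid", {"sslmode": "require"}))
```

Two choices here are deliberately conservative: keys are percent-decoded and case-folded before comparison, so an encoded or mixed-case spelling cannot slip past the list, and URL shapes this grammar does not cover (user:password@host, multi-host or load-balancing forms, other vendors) are rejected rather than passed through. That is a fail-closed stance, not a claim that those forms are unsafe; it is exactly the compatibility gap the PR notes when it says the list can only be enforced on URLs the parser understands.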


[GitHub] [druid] jihoonson merged pull request #11047: Allow list for JDBC connection properties to address CVE-2021-26919

Posted by GitBox <gi...@apache.org>.
jihoonson merged pull request #11047:
URL: https://github.com/apache/druid/pull/11047


   

