You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@inlong.apache.org by GitBox <gi...@apache.org> on 2022/09/14 12:04:10 UTC

[GitHub] [inlong] EMsnap opened a new pull request, #5896: [INLONG-5889][Sort] Fix MySQL Node JDBC Url for RCE vulnerability

EMsnap opened a new pull request, #5896:
URL: https://github.com/apache/inlong/pull/5896

   - Fixes #5889 
   
   ### Motivation
   
   Fix MySQL Node JDBC Url for RCE vulnerability
   
   ### Modifications
   
   Fix MySQL Node JDBC Url for RCE vulnerability
   
   ### Verifying this change
   
   run ut 
   
   ### Documentation
   
     - Does this pull request introduce a new feature? (no)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@inlong.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [inlong] gong commented on a diff in pull request #5896: [INLONG-5889][Sort] Fix MySQL Node JDBC Url For RCE Vulnerability

Posted by GitBox <gi...@apache.org>.

gong commented on code in PR #5896:
URL: https://github.com/apache/inlong/pull/5896#discussion_r970767201


##########
inlong-sort/sort-connectors/jdbc/src/main/java/org/apache/inlong/sort/jdbc/table/JdbcDynamicTableFactory.java:
##########
@@ -219,6 +221,7 @@ public DynamicTableSource createDynamicTableSource(Context context) {
 
     private JdbcOptions getJdbcOptions(ReadableConfig readableConfig) {
         final String url = readableConfig.get(URL);
+        JdbcUrlUtils.replaceInvalidUrlProperty(url);

Review Comment:
   `JdbcUrlUtils.replaceInvalidUrlProperty(url);` return value should be used.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@inlong.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [inlong] dockerzhang merged pull request #5896: [INLONG-5889][Sort] Fix MySQL Node JDBC Url For RCE Vulnerability

Posted by GitBox <gi...@apache.org>.

dockerzhang merged PR #5896:
URL: https://github.com/apache/inlong/pull/5896


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@inlong.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [inlong] EMsnap commented on a diff in pull request #5896: [INLONG-5889][Sort] Fix MySQL Node JDBC Url For RCE Vulnerability

Posted by GitBox <gi...@apache.org>.

EMsnap commented on code in PR #5896:
URL: https://github.com/apache/inlong/pull/5896#discussion_r971450030


##########
inlong-sort/sort-connectors/base/src/main/java/org/apache/inlong/sort/base/util/JdbcUrlUtils.java:
##########
@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.inlong.sort.base.util;
+
+import static org.apache.inlong.sort.base.Constants.AUTO_DESERIALIZE_FALSE;
+import static org.apache.inlong.sort.base.Constants.AUTO_DESERIALIZE_TRUE;
+
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * utils for jdbc url
+ */
+public class JdbcUrlUtils {
+
+    private static final Logger LOG = LoggerFactory.getLogger(JdbcUrlUtils.class);
+
+    /**
+     * see https://su18.org/post/jdbc-connection-url-attack/
+     * @param url
+     * @return url after filtering out the invalid property
+     */
+    public static String replaceInvalidUrlProperty(String url) {
+        if (StringUtils.containsIgnoreCase(url, AUTO_DESERIALIZE_TRUE)) {
+            LOG.info("url {} contains invalid property {}, replace it to {}", url,

Review Comment:
   will do thx



##########
inlong-sort/sort-connectors/jdbc/src/main/java/org/apache/inlong/sort/jdbc/table/JdbcDynamicTableFactory.java:
##########
@@ -219,6 +221,7 @@ public DynamicTableSource createDynamicTableSource(Context context) {
 
     private JdbcOptions getJdbcOptions(ReadableConfig readableConfig) {
         final String url = readableConfig.get(URL);
+        JdbcUrlUtils.replaceInvalidUrlProperty(url);

Review Comment:
   noted thx



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@inlong.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [inlong] gong commented on a diff in pull request #5896: [INLONG-5889][Sort] Fix MySQL Node JDBC Url For RCE Vulnerability

Posted by GitBox <gi...@apache.org>.

gong commented on code in PR #5896:
URL: https://github.com/apache/inlong/pull/5896#discussion_r970766182


##########
inlong-sort/sort-connectors/base/src/main/java/org/apache/inlong/sort/base/util/JdbcUrlUtils.java:
##########
@@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.inlong.sort.base.util;
+
+import static org.apache.inlong.sort.base.Constants.AUTO_DESERIALIZE_FALSE;
+import static org.apache.inlong.sort.base.Constants.AUTO_DESERIALIZE_TRUE;
+
+import org.apache.commons.lang3.StringUtils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * utils for jdbc url
+ */
+public class JdbcUrlUtils {
+
+    private static final Logger LOG = LoggerFactory.getLogger(JdbcUrlUtils.class);
+
+    /**
+     * see https://su18.org/post/jdbc-connection-url-attack/
+     * @param url
+     * @return url after filtering out the invalid property
+     */
+    public static String replaceInvalidUrlProperty(String url) {
+        if (StringUtils.containsIgnoreCase(url, AUTO_DESERIALIZE_TRUE)) {
+            LOG.info("url {} contains invalid property {}, replace it to {}", url,

Review Comment:
   Maybe, LOG.warn



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@inlong.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org