Posted to commits@kylin.apache.org by ni...@apache.org on 2020/02/07 14:26:35 UTC
[kylin] 40/44: Prevent uncontrolled data used in path expression
This is an automated email from the ASF dual-hosted git repository.
nic pushed a commit to branch 3.0.x
in repository https://gitbox.apache.org/repos/asf/kylin.git
commit ec7558e87245bacbc09b8472c858c2a85d5ded41
Author: nichunen <ni...@apache.org>
AuthorDate: Mon Jan 20 17:38:39 2020 +0800
Prevent uncontrolled data used in path expression
---
.../main/java/org/apache/kylin/job/execution/ExecutableManager.java | 3 +++
.../org/apache/kylin/metadata/badquery/BadQueryHistoryManager.java | 3 ++-
2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/core-job/src/main/java/org/apache/kylin/job/execution/ExecutableManager.java b/core-job/src/main/java/org/apache/kylin/job/execution/ExecutableManager.java
index 6f8d789..3e116aa 100644
--- a/core-job/src/main/java/org/apache/kylin/job/execution/ExecutableManager.java
+++ b/core-job/src/main/java/org/apache/kylin/job/execution/ExecutableManager.java
@@ -122,6 +122,7 @@ public class ExecutableManager {
public void updateCheckpointJob(String jobId, List<AbstractExecutable> subTasksForCheck) {
try {
+ jobId = jobId.replaceAll("[./]", "");
final ExecutablePO job = executableDao.getJob(jobId);
Preconditions.checkArgument(job != null, "there is no related job for job id:" + jobId);
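Review bot: The added `jobId = jobId.replaceAll("[./]", "");` rewrites a malformed id into a different one instead of rejecting it, so an id such as `a.b` silently resolves to job `ab`. The same line appears in the `deleteJob` and `getOutput` hunks and in both `BadQueryHistoryManager` hunks; in `deleteJob` it means a different job than the one named can be deleted. Rejecting is safer for a value used as a path component, for example `Preconditions.checkArgument(jobId.indexOf('/') < 0 && jobId.indexOf('.') < 0, "illegal job id");` placed before the `try`. The filter also leaves `\` and control characters in place, and a null id now throws NullPointerException at the new line; whether the former matters depends on how `executableDao` builds its path, which is not visible here. The method bodies continue outside the hunks.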
@@ -140,6 +141,7 @@ public class ExecutableManager {
//for ut
public void deleteJob(String jobId) {
try {
+ jobId = jobId.replaceAll("[./]", "");
executableDao.deleteJob(jobId);
} catch (PersistentException e) {
logger.error("fail to delete job:" + jobId, e);
@@ -167,6 +169,7 @@ public class ExecutableManager {
public Output getOutput(String uuid) {
try {
+ uuid = uuid.replaceAll("[./]", "");
final ExecutableOutputPO jobOutput = executableDao.getJobOutput(uuid);
Preconditions.checkArgument(jobOutput != null, "there is no related output for job id:" + uuid);
return parseOutput(jobOutput);
diff --git a/core-metadata/src/main/java/org/apache/kylin/metadata/badquery/BadQueryHistoryManager.java b/core-metadata/src/main/java/org/apache/kylin/metadata/badquery/BadQueryHistoryManager.java
index 812d3c3..11c4d01 100644
--- a/core-metadata/src/main/java/org/apache/kylin/metadata/badquery/BadQueryHistoryManager.java
+++ b/core-metadata/src/main/java/org/apache/kylin/metadata/badquery/BadQueryHistoryManager.java
@@ -57,7 +57,6 @@ public class BadQueryHistoryManager {
}
public BadQueryHistory getBadQueriesForProject(String project) throws IOException {
- project = project.replaceAll("[./]", "");
BadQueryHistory badQueryHistory = getStore().getResource(getResourcePathForProject(project), BAD_QUERY_INSTANCE_SERIALIZER);
if (badQueryHistory == null) {
badQueryHistory = new BadQueryHistory(project);
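Review bot: With the filtering line removed from `getBadQueriesForProject`, `new BadQueryHistory(project)` now receives the raw, unfiltered name, while the lookup itself still goes through the filtered path built in `getResourcePathForProject`. The object returned for a missing resource therefore no longer carries the same name it was looked up under. If that name is later persisted or used to derive a path (not visible in this hunk), the unfiltered value is back in use. Keeping a single validated local, checked once at the top of the method, would keep the key and the object consistent. The method body continues past the hunk.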
@@ -88,10 +87,12 @@ public class BadQueryHistoryManager {
}
public void removeBadQueryHistory(String project) throws IOException {
+ project = project.replaceAll("[./]", "");
getStore().deleteResource(getResourcePathForProject(project));
}
public String getResourcePathForProject(String project) {
+ project = project.replaceAll("[./]", "");
return ResourceStore.BAD_QUERY_RESOURCE_ROOT + "/" + project + MetadataConstants.FILE_SURFIX;
}
}
\ No newline at end of file
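Review bot: The line added to `removeBadQueryHistory` is redundant, because the method passes `project` straight to `getResourcePathForProject`, which now applies the same `replaceAll("[./]", "")` itself. Dropping it leaves one place that owns the rule. Since `getResourcePathForProject` is public, its contract deserves a comment, such as `// project is used as a single path segment under BAD_QUERY_RESOURCE_ROOT; '.' and '/' are stripped before the path is built`. The pattern is also recompiled on every call; a `private static final Pattern` would avoid that if this path is hot.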