Posted to commits@dolphinscheduler.apache.org by ke...@apache.org on 2022/09/15 11:15:43 UTC
[dolphinscheduler] 01/01: Add validations of possible malicious keys
This is an automated email from the ASF dual-hosted git repository.
kezhenxu94 pushed a commit to branch mysql/cve
in repository https://gitbox.apache.org/repos/asf/dolphinscheduler.git
commit e5fe44f19e0072089664fb9b295a38a7414d7d1d
Author: kezhenxu94 <ke...@apache.org>
AuthorDate: Thu Sep 15 19:15:34 2022 +0800
Add validations of possible malicious keys
---
.../api/datasource/AbstractDataSourceProcessor.java | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/main/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessor.java b/dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/main/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessor.java
index 04c619d955..9837a0fe6e 100644
--- a/dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/main/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessor.java
+++ b/dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/main/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessor.java
@@ -26,8 +26,11 @@ import org.apache.commons.collections4.MapUtils;
import java.text.MessageFormat;
import java.util.Map;
+import java.util.Set;
import java.util.regex.Pattern;
+import com.google.common.collect.Sets;
+
public abstract class AbstractDataSourceProcessor implements DataSourceProcessor {
private static final Pattern IPV4_PATTERN = Pattern.compile("^[a-zA-Z0-9\\_\\-\\.\\,]+$");
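Review bot: The new `import com.google.common.collect.Sets;` is appended directly after the `java.util.regex.Pattern` line, whereas the file keeps its third-party imports (`org.apache.commons.collections4.MapUtils`) in a separate group above the `java.*` block; moving the Guava import next to `MapUtils` keeps the grouping consistent. Since the only uses added by this commit are a one-element set and an emptiness test on an intersection, the JDK alone would cover them (`Collections.singleton(...)` and `Collections.disjoint(a, b)`), which would avoid the new Guava import in this API module altogether; that is a preference, not a defect.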
@@ -38,6 +41,8 @@ public abstract class AbstractDataSourceProcessor implements DataSourceProcessor
private static final Pattern PARAMS_PATTER = Pattern.compile("^[a-zA-Z0-9\\-\\_\\/\\@\\.]+$");
+ private static final Set<String> POSSIBLE_MALICIOUS_KEYS = Sets.newHashSet("allowLoadLocalInfile");
+
@Override
public void checkDatasourceParam(BaseDataSourceParamDTO baseDataSourceParamDTO) {
checkHost(baseDataSourceParamDTO.getHost());
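Review bot: `POSSIBLE_MALICIOUS_KEYS` is built with `Sets.newHashSet`, so the class constant is a mutable `HashSet`; `Collections.singleton("allowLoadLocalInfile")` (or `ImmutableSet.of(...)`) would make the deny-list immutable and signal that it is a fixed, reviewed list. The constant also carries no explanation of why this particular driver option is rejected, which the next maintainer will need when deciding whether related Connector/J options that likewise change what the driver will load or deserialize on the client side (for example `autoDeserialize` and `allowUrlInLocalInfile`) belong here too; a comment such as `// JDBC driver options that must not be settable from a user-supplied datasource definition; rejected when "other" params are checked` would document the intent. The check that consumes this set is in the next hunk.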
@@ -76,6 +81,9 @@ public abstract class AbstractDataSourceProcessor implements DataSourceProcessor
if (MapUtils.isEmpty(other)) {
return;
}
+ if (!Sets.intersection(other.keySet(), POSSIBLE_MALICIOUS_KEYS).isEmpty()) {
+ throw new IllegalArgumentException("Other params include possible malicious keys.");
+ }
boolean paramsCheck = other.entrySet().stream().allMatch(p -> PARAMS_PATTER.matcher(p.getValue()).matches());
if (!paramsCheck) {
throw new IllegalArgumentException("datasource other params illegal");
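Review bot: The added guard rejects only an exact key match, while the keys of `other` are otherwise unvalidated: `PARAMS_PATTER` on the following line is applied to `p.getValue()` only, so a key may contain any character, including the separators used when this map is later rendered into a JDBC URL (that rendering is not visible in this hunk). If the driver resolves option names case-insensitively (Connector/J 8.x normalizes the case of known property keys, as far as I recall), case variants of a denied key would also pass this guard. Validating keys against an allow-list of known driver options would be the stronger fix; at minimum the existing pattern should cover keys as well, e.g. `boolean paramsCheck = other.entrySet().stream().allMatch(p -> PARAMS_PATTER.matcher(p.getKey()).matches() && PARAMS_PATTER.matcher(p.getValue()).matches());`. The enclosing method starts and ends outside the hunk.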
@@ -85,6 +93,7 @@ public abstract class AbstractDataSourceProcessor implements DataSourceProcessor
@Override
public String getDatasourceUniqueId(ConnectionParam connectionParam, DbType dbType) {
BaseConnectionParam baseConnectionParam = (BaseConnectionParam) connectionParam;
- return MessageFormat.format("{0}@{1}@{2}@{3}", dbType.getDescp(), baseConnectionParam.getUser(), PasswordUtils.encodePassword(baseConnectionParam.getPassword()), baseConnectionParam.getJdbcUrl());
+ return MessageFormat.format("{0}@{1}@{2}@{3}", dbType.getDescp(), baseConnectionParam.getUser(),
+ PasswordUtils.encodePassword(baseConnectionParam.getPassword()), baseConnectionParam.getJdbcUrl());
}
}