Posted to commits@inlong.apache.org by do...@apache.org on 2023/01/11 05:13:27 UTC
[inlong] branch master updated: [INLONG-7213][Manager] Add encoding check to the MySQL JDBC URL (#7214)
This is an automated email from the ASF dual-hosted git repository.
dockerzhang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/inlong.git
The following commit(s) were added to refs/heads/master by this push:
new 9008b6dcb [INLONG-7213][Manager] Add encoding check to the MySQL JDBC URL (#7214)
9008b6dcb is described below
commit 9008b6dcb8cc88bbcfed4872b2227abfa929982b
Author: fuweng11 <76...@users.noreply.github.com>
AuthorDate: Wed Jan 11 13:13:22 2023 +0800
[INLONG-7213][Manager] Add encoding check to the MySQL JDBC URL (#7214)
---
.../manager/pojo/sink/mysql/MySQLSinkDTO.java | 34 ++++++++++----
.../manager/pojo/sink/mysql/MySQLSinkDTOTest.java | 53 ++++++++++++++++++----
2 files changed, 68 insertions(+), 19 deletions(-)
diff --git a/inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java b/inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java
index 6363a8ec1..ca6752a6a 100644
--- a/inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java
+++ b/inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java
@@ -32,6 +32,8 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.validation.constraints.NotNull;
+import java.net.URLDecoder;
+import java.util.HashMap;
import java.util.List;
import java.util.Map;
@@ -47,8 +49,16 @@ public class MySQLSinkDTO {
/**
* The sensitive param may lead the attack.
*/
- private static final String SENSITIVE_PARAM_TRUE = "autoDeserialize=true";
- private static final String SENSITIVE_PARAM_FALSE = "autoDeserialize=false";
+ private static final Map<String, String> SENSITIVE_PARAM_MAP = new HashMap<String, String>() {
+
+ {
+ put("autoDeserialize=true", "autoDeserialize=false");
+ put("allowLoadLocalInfile=true", "allowLoadLocalInfile=false");
+ put("allowUrlInLocalInfile=true", "allowUrlInLocalInfile=false");
+ put("allowLoadLocalInfileInPath=/", "allowLoadLocalInfileInPath=");
+ }
+ };
+
private static final Logger LOGGER = LoggerFactory.getLogger(MySQLSinkDTO.class);
@ApiModelProperty("MySQL JDBC URL, such as jdbc:mysql://host:port/database")
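Review bot: The Javadoc kept on L30-32 ("The sensitive param may lead the attack.") does not say what these four keys do or that the loop that consumes this map matches the literal `key=value` text as a case-insensitive substring, which is what a maintainer needs to know before adding an entry such as a Windows path for `allowLoadLocalInfileInPath`; suggest `/** Connector/J options that let a malicious or compromised server read client files (LOAD DATA LOCAL INFILE) or deserialize Java objects (autoDeserialize). Key = the exact "name=value" text to look for, value = its safe replacement. */`. As a point of style, the double-brace initializer on L35-L43 creates an anonymous `HashMap` subclass and leaves a static, shared map mutable; a plain static initializer wrapped in `Collections.unmodifiableMap` (one extra `java.util.Collections` import) is the usual form and makes the intent of a fixed deny-list explicit.

```java
private static final Map<String, String> SENSITIVE_PARAM_MAP;

static {
    Map<String, String> params = new HashMap<>();
    params.put("autoDeserialize=true", "autoDeserialize=false");
    params.put("allowLoadLocalInfile=true", "allowLoadLocalInfile=false");
    params.put("allowUrlInLocalInfile=true", "allowUrlInLocalInfile=false");
    params.put("allowLoadLocalInfileInPath=/", "allowLoadLocalInfileInPath=");
    SENSITIVE_PARAM_MAP = Collections.unmodifiableMap(params);
}
```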
@@ -178,14 +188,20 @@ public class MySQLSinkDTO {
if (StringUtils.isBlank(url)) {
return url;
}
-
- String resultUrl = url;
- if (StringUtils.containsIgnoreCase(url, SENSITIVE_PARAM_TRUE)) {
- resultUrl = StringUtils.replaceIgnoreCase(url, SENSITIVE_PARAM_TRUE, SENSITIVE_PARAM_FALSE);
+ try {
+ String resultUrl = URLDecoder.decode(url, "UTF-8");
+ for (String sensitiveParam : SENSITIVE_PARAM_MAP.keySet()) {
+ if (StringUtils.containsIgnoreCase(resultUrl, sensitiveParam)) {
+ resultUrl = StringUtils.replaceIgnoreCase(resultUrl, sensitiveParam,
+ SENSITIVE_PARAM_MAP.get(sensitiveParam));
+ }
+ }
+ LOGGER.info("the origin url [{}] was replaced to: [{}]", url, resultUrl);
+ return resultUrl;
+ } catch (Exception e) {
+ throw new BusinessException(ErrorCodeEnum.SINK_INFO_INCORRECT,
+ ErrorCodeEnum.SINK_INFO_INCORRECT.getMessage() + ": " + e.getMessage());
}
-
- LOGGER.debug("the origin url [{}] was replaced to: [{}]", url, resultUrl);
- return resultUrl;
}
}
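Review bot: The replacement loop at L57-L62 only rewrites the exact text `allowLoadLocalInfileInPath=/`, so `allowLoadLocalInfileInPath=/tmp` comes back as `allowLoadLocalInfileInPath=tmp` (LOAD DATA LOCAL stays enabled for a relative path) and values such as `./` or `C:\` are not touched at all, and the same literal-substring approach leaves `autoDeserialize=1` or `=yes` alone if the driver accepts those spellings (to be confirmed against Connector/J); `filterSensitive` itself begins before this hunk. Matching on the key and discarding whatever value follows it closes that gap without changing the map (needs `java.util.regex.Pattern`/`Matcher`). The decoded string is also what is returned on L64, so a benign `password=a+b` is rewritten to `password=a b` and every percent-escape reaches the driver already decoded — decode only for the comparison, or return `url` untouched when nothing matched. Finally, L63 raises what was a debug line to `LOGGER.info` on the full URL, which can carry `user`/`password` query parameters; keep it at debug or log only the keys that were rewritten, and pass `e` as the cause rather than just `e.getMessage()` on L66-L67.

```java
String resultUrl = URLDecoder.decode(url, "UTF-8");
for (Map.Entry<String, String> entry : SENSITIVE_PARAM_MAP.entrySet()) {
    // match on the key only, so the value (/tmp, ./, 1, yes, ...) cannot dodge the filter
    String key = entry.getKey().substring(0, entry.getKey().indexOf('='));
    resultUrl = resultUrl.replaceAll("(?i)" + Pattern.quote(key) + "=[^&]*",
            Matcher.quoteReplacement(entry.getValue()));
}
// … unchanged: logging (consider debug level) and return …
```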
diff --git a/inlong-manager/manager-pojo/src/test/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTOTest.java b/inlong-manager/manager-pojo/src/test/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTOTest.java
index 82d6129b4..79f357daf 100644
--- a/inlong-manager/manager-pojo/src/test/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTOTest.java
+++ b/inlong-manager/manager-pojo/src/test/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTOTest.java
@@ -20,25 +20,58 @@ package org.apache.inlong.manager.pojo.sink.mysql;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
+import java.net.URLEncoder;
+
/**
* Test for {@link MySQLSinkDTO}
*/
public class MySQLSinkDTOTest {
@Test
- public void testFilterSensitive() {
- // the sensitive params at the first
- String originUrl = MySQLSinkDTO.filterSensitive("autoDeserialize=TRue&autoReconnect=true");
- Assertions.assertEquals("autoDeserialize=false&autoReconnect=true", originUrl);
+ public void testFilterSensitive() throws Exception {
+ // the sensitive params no use url code
+ String originUrl = MySQLSinkDTO.filterSensitive(
+ "autoDeserialize=TRue&allowLoadLocalInfile=TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/&autoReconnect=true");
+ Assertions.assertEquals(
+ "autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=&autoReconnect=true",
+ originUrl);
+
+ originUrl = MySQLSinkDTO.filterSensitive(
+ "autoReconnect=true&autoDeserialize=TRue&allowLoadLocalInfile=TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/");
+ Assertions.assertEquals(
+ "autoReconnect=true&autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=",
+ originUrl);
+
+ originUrl = MySQLSinkDTO.filterSensitive(
+ "autoDeserialize=TRue&allowLoadLocalInfile=TRue&autoReconnect=true&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/");
+ Assertions.assertEquals(
+ "autoDeserialize=false&allowLoadLocalInfile=false&autoReconnect=true&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=",
+ originUrl);
+
+ // the sensitive params use url code
+ originUrl = MySQLSinkDTO.filterSensitive(
+ URLEncoder.encode(
+ "autoDeserialize=TRue&allowLoadLocalInfile=TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/&autoReconnect=true",
+ "UTF-8"));
+ Assertions.assertEquals(
+ "autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=&autoReconnect=true",
+ originUrl);
- // the sensitive params at the end
- originUrl = MySQLSinkDTO.filterSensitive("autoReconnect=true&autoDeserialize=trUE");
- Assertions.assertEquals("autoReconnect=true&autoDeserialize=false", originUrl);
+ originUrl = MySQLSinkDTO.filterSensitive(
+ URLEncoder.encode(
+ "autoReconnect=true&autoDeserialize=TRue&allowLoadLocalInfile=TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/",
+ "UTF-8"));
+ Assertions.assertEquals(
+ "autoReconnect=true&autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=",
+ originUrl);
- // the sensitive params in the middle
originUrl = MySQLSinkDTO.filterSensitive(
- "useSSL=false&autoDeserialize=TRUE&autoReconnect=true");
- Assertions.assertEquals("useSSL=false&autoDeserialize=false&autoReconnect=true", originUrl);
+ URLEncoder.encode(
+ "autoDeserialize=TRue&allowLoadLocalInfile=TRue&autoReconnect=true&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/",
+ "UTF-8"));
+ Assertions.assertEquals(
+ "autoDeserialize=false&allowLoadLocalInfile=false&autoReconnect=true&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=",
+ originUrl);
}
}
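Review bot: All six cases feed a bare query string through `filterSensitive` and check only that the four sensitive keys were rewritten; nothing pins how a benign URL is treated, which is exactly where the new `URLDecoder.decode` changes the result. `Assertions.assertEquals("jdbc:mysql://h:3306/db?password=a%2Bb", MySQLSinkDTO.filterSensitive("jdbc:mysql://h:3306/db?password=a%2Bb"));` would fail against the current implementation because the decoded string is returned (`a+b`, and a literal `a+b` becomes `a b`), so adding it forces a decision on whether that is intended. A case for `allowLoadLocalInfileInPath=/tmp` is also missing — the current replacement turns it into `allowLoadLocalInfileInPath=tmp`, and an assertion expecting the key to be fully neutralised would expose that. The `URLEncoder.encode` cases encode the `=` and `&` separators as well, a shape a real JDBC URL is unlikely to take; encoding only the values (`%2F` for the path) would test the case the driver actually sees.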