Posted to commits@dolphinscheduler.apache.org by GitBox <gi...@apache.org> on 2022/04/28 08:35:50 UTC

[GitHub] [dolphinscheduler] Tianqi-Dotes opened a new pull request, #9834: [BUG][ALERT-SERVER]validate script before alert script

Tianqi-Dotes opened a new pull request, #9834:
URL: https://github.com/apache/dolphinscheduler/pull/9834

   <!--Thanks very much for contributing to Apache DolphinScheduler. Please review https://dolphinscheduler.apache.org/en-us/community/development/pull-request.html before opening a pull request.-->
   
   
   ## Purpose of the pull request
   
   validate script before alert script
   
   ## Brief change log
   
   validate script before alert script
   ## Verify this pull request
   
   have tested locally.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
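An added example, not DolphinScheduler code, of the stricter validation a reviewer would want before an operator-supplied script path is handed to a shell: canonicalise the path, confine it to an allowed base directory, and require a regular, executable, non-world-writable file. The class name, the base-directory parameter and the demo paths are assumptions for illustration; the checks use only java.nio.file APIs.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Set;

/**
 * Added example (not DolphinScheduler code): resolve an operator-supplied
 * alert-script path and refuse anything that is not a regular, executable
 * file inside an allowed base directory. The class name and the base
 * directory are assumptions for illustration.
 */
public final class AlertScriptPathValidator {

    private final Path allowedBase;

    public AlertScriptPathValidator(Path allowedBase) throws IOException {
        // Canonicalise the base once so a symlinked base does not defeat startsWith().
        this.allowedBase = allowedBase.toRealPath();
    }

    /** Returns the canonical path if every check passes, otherwise throws with the reason. */
    public Path validate(String scriptPath) throws IOException {
        if (scriptPath == null || scriptPath.trim().isEmpty()) {
            throw new IllegalArgumentException("script path is empty");
        }
        // The path is later given to a shell, so allow only a conservative character set
        // (no spaces, quotes, ';', '$', backticks or control characters).
        if (!scriptPath.matches("[A-Za-z0-9._/\\-]+")) {
            throw new IllegalArgumentException("script path contains disallowed characters: " + scriptPath);
        }
        Path candidate = Paths.get(scriptPath);
        if (!candidate.isAbsolute()) {
            throw new IllegalArgumentException("script path must be absolute: " + scriptPath);
        }
        // toRealPath() follows symlinks, collapses "../" and fails if the file does not
        // exist, so existence and canonical form are established in one step.
        Path real;
        try {
            real = candidate.toRealPath();
        } catch (IOException e) {
            throw new IOException("script does not exist or is not accessible: " + scriptPath, e);
        }
        if (!real.startsWith(allowedBase)) {
            throw new SecurityException("script resolves outside the allowed directory: " + real);
        }
        if (!Files.isRegularFile(real)) {
            throw new IOException("script is not a regular file: " + real);
        }
        if (!Files.isExecutable(real)) {
            throw new IOException("script is not executable: " + real);
        }
        // A world-writable script lets any local account run commands as the alert server.
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(real);
        if (perms.contains(PosixFilePermission.OTHERS_WRITE)) {
            throw new SecurityException("script is world-writable: " + real);
        }
        return real;
    }

    // Demo on a temporary directory (constructed input). The POSIX permission call is
    // unsupported on Windows, which matches the existing "not support windows os" guard.
    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("alert-scripts");
        Path good = Files.createFile(base.resolve("notify.sh"));
        good.toFile().setExecutable(true, true);
        Path outside = Files.createFile(Files.createTempDirectory("elsewhere").resolve("evil.sh"));
        outside.toFile().setExecutable(true, true);

        AlertScriptPathValidator validator = new AlertScriptPathValidator(base);
        System.out.println("accepted: " + validator.validate(good.toString()));

        String traversal = base + "/../" + outside.getParent().getFileName() + "/" + outside.getFileName();
        String[] rejected = {
            null,                               // missing value
            "notify.sh",                        // relative path
            traversal,                          // "../" escape to an existing file outside base
            outside.toString(),                 // exists, but outside base
            base.toString(),                    // a directory, not a file
            base + "/notify.sh; rm -rf /",      // shell metacharacters
        };
        for (String s : rejected) {
            try {
                validator.validate(s);
                System.out.println("UNEXPECTEDLY accepted: " + s);
            } catch (RuntimeException | IOException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Compile and run with `javac AlertScriptPathValidator.java && java AlertScriptPathValidator`. The character allowlist is deliberately strict (no spaces or quoting characters); that is the right trade-off for a value that ends up on a shell command line, and an operator can always place the script under a plainer name.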


[GitHub] [dolphinscheduler] caishunfeng merged pull request #9834: [BUG][ALERT-SERVER]validate script before alert script

Posted by GitBox <gi...@apache.org>.
caishunfeng merged PR #9834:
URL: https://github.com/apache/dolphinscheduler/pull/9834




[GitHub] [dolphinscheduler] Tianqi-Dotes commented on a diff in pull request #9834: [BUG][ALERT-SERVER]validate script before alert script

Posted by GitBox <gi...@apache.org>.
Tianqi-Dotes commented on code in PR #9834:
URL: https://github.com/apache/dolphinscheduler/pull/9834#discussion_r860639360


##########
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/main/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSender.java:
##########
@@ -54,6 +54,21 @@ private AlertResult executeShellScript(String title, String content) {
             alertResult.setMessage("shell script not support windows os");
             return alertResult;
         }
+        //validate script path in case of injections
+        File shellScriptFile = new File(scriptPath);
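Review bot: the comment `//validate script path in case of injections` promises more than this code delivers; `new File(scriptPath)` performs no validation, and the checks that follow only establish that some file exists at that path, so a value with `../` segments, a symlink target, or shell metacharacters is accepted as long as the target exists. Suggest canonicalising with `Paths.get(scriptPath).toRealPath()` and rejecting any result that does not sit under an operator-configured script directory, and rewording the comment to state what is actually guaranteed. `scriptPath` is also dereferenced here without a null check, and `new File((String) null)` throws NullPointerException instead of returning a clean AlertResult.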

Review Comment:
   `path` won't be null; it must be filled when creating





[GitHub] [dolphinscheduler] caishunfeng commented on a diff in pull request #9834: [BUG][ALERT-SERVER]validate script before alert script

Posted by GitBox <gi...@apache.org>.
caishunfeng commented on code in PR #9834:
URL: https://github.com/apache/dolphinscheduler/pull/9834#discussion_r860633720


##########
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/main/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSender.java:
##########
@@ -54,6 +54,21 @@ private AlertResult executeShellScript(String title, String content) {
             alertResult.setMessage("shell script not support windows os");
             return alertResult;
         }
+        //validate script path in case of injections
+        File shellScriptFile = new File(scriptPath);

Review Comment:
   It is better to check whether scriptPath is null.



##########
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/main/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSender.java:
##########
@@ -54,6 +54,21 @@ private AlertResult executeShellScript(String title, String content) {
             alertResult.setMessage("shell script not support windows os");
             return alertResult;
         }
+        //validate script path in case of injections
+        File shellScriptFile = new File(scriptPath);
+        //validate existence
+        if (!shellScriptFile.exists()) {
+            logger.info("shell script not exist : {}", scriptPath);
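Review bot: `File.exists()` returns false both when the path is absent and when the alert-server account cannot stat it, so the message `shell script not exist` will mislead operators in the permission case. To tell the two apart, attempt `Paths.get(scriptPath).toRealPath()` and report the resulting IOException, or at least word the message as "not found or not accessible".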

Review Comment:
   ```suggestion
               logger.error("shell script not exist : {}", scriptPath);
   ```



##########
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/main/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSender.java:
##########
@@ -54,6 +54,21 @@ private AlertResult executeShellScript(String title, String content) {
             alertResult.setMessage("shell script not support windows os");
             return alertResult;
         }
+        //validate script path in case of injections
+        File shellScriptFile = new File(scriptPath);
+        //validate existence
+        if (!shellScriptFile.exists()) {
+            logger.info("shell script not exist : {}", scriptPath);
+            alertResult.setMessage("shell script not exist : " + scriptPath);
+            return alertResult;
+        }
+        //validate is file
+        if (!shellScriptFile.isFile()) {
+            logger.info("shell script is not a file : {}", scriptPath);
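Review bot: `isFile()` guarantees a regular file but not one the alert server can execute, nor one that other local users cannot rewrite; a script writable by another account on the host lets that account run commands as the alert-server user every time an alert fires. Suggest adding `shellScriptFile.canExecute()` after the `isFile()` check and refusing world-writable files (`Files.getPosixFilePermissions`), each with its own error message, and noting in the code that these are pre-execution sanity checks rather than a defence against a hostile `scriptPath` value, which would additionally need the path confined to a known directory.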

Review Comment:
   ```suggestion
               logger.error("shell script is not a file : {}", scriptPath);
   ```





[GitHub] [dolphinscheduler] Tianqi-Dotes commented on a diff in pull request #9834: [BUG][ALERT-SERVER]validate script before alert script

Posted by GitBox <gi...@apache.org>.
Tianqi-Dotes commented on code in PR #9834:
URL: https://github.com/apache/dolphinscheduler/pull/9834#discussion_r860637190


##########
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/main/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSender.java:
##########
@@ -54,6 +54,21 @@ private AlertResult executeShellScript(String title, String content) {
             alertResult.setMessage("shell script not support windows os");
             return alertResult;
         }
+        //validate script path in case of injections
+        File shellScriptFile = new File(scriptPath);
+        //validate existence
+        if (!shellScriptFile.exists()) {
+            logger.info("shell script not exist : {}", scriptPath);

Review Comment:
   done



##########
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/main/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSender.java:
##########
@@ -54,6 +54,21 @@ private AlertResult executeShellScript(String title, String content) {
             alertResult.setMessage("shell script not support windows os");
             return alertResult;
         }
+        //validate script path in case of injections
+        File shellScriptFile = new File(scriptPath);
+        //validate existence
+        if (!shellScriptFile.exists()) {
+            logger.info("shell script not exist : {}", scriptPath);
+            alertResult.setMessage("shell script not exist : " + scriptPath);
+            return alertResult;
+        }
+        //validate is file
+        if (!shellScriptFile.isFile()) {
+            logger.info("shell script is not a file : {}", scriptPath);

Review Comment:
   done





[GitHub] [dolphinscheduler] sonarcloud[bot] commented on pull request #9834: [BUG][ALERT-SERVER]validate script before alert script

Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #9834:
URL: https://github.com/apache/dolphinscheduler/pull/9834#issuecomment-1111954608

   SonarCloud Quality Gate failed: https://sonarcloud.io/dashboard?id=apache-dolphinscheduler&pullRequest=9834
   
   0 Bugs, 0 Vulnerabilities, 0 Security Hotspots, 2 Code Smells
   (https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=9834&resolved=false&types=CODE_SMELL)
   
   13.5% Coverage on new code (https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=9834&metric=new_coverage&view=list)
   27.5% Duplication on new code (https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=9834&metric=new_duplicated_lines_density&view=list)
   
   

