Posted to commits@dolphinscheduler.apache.org by ca...@apache.org on 2022/04/28 10:16:43 UTC

[dolphinscheduler] branch dev updated: [BUG][ALERT-SERVER]validate script before alert script (#9834)

This is an automated email from the ASF dual-hosted git repository.

caishunfeng pushed a commit to branch dev
in repository https://gitbox.apache.org/repos/asf/dolphinscheduler.git


The following commit(s) were added to refs/heads/dev by this push:
     new 69810a8a36 [BUG][ALERT-SERVER]validate script before alert script (#9834)
69810a8a36 is described below

commit 69810a8a36060ae7e138fd7cdffdf2acc9eedd3b
Author: Tq <ti...@gmail.com>
AuthorDate: Thu Apr 28 18:16:37 2022 +0800

    [BUG][ALERT-SERVER]validate script before alert script (#9834)
    
    * validate script before alert script
    
    * fix validate script before alert script
---
 .../plugin/alert/script/ScriptSender.java           | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/main/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSender.java b/dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/main/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSender.java
index 6302dc9d46..7f255803c4 100644
--- a/dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/main/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSender.java
+++ b/dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/main/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSender.java
@@ -18,12 +18,12 @@
 package org.apache.dolphinscheduler.plugin.alert.script;
 
 import org.apache.dolphinscheduler.alert.api.AlertResult;
-
-import java.util.Map;
-
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.io.File;
+import java.util.Map;
+
 public final class ScriptSender {
     private static final Logger logger = LoggerFactory.getLogger(ScriptSender.class);
     private static final String ALERT_TITLE_OPTION = " -t ";
@@ -54,6 +54,21 @@ public final class ScriptSender {
             alertResult.setMessage("shell script not support windows os");
             return alertResult;
         }
+        //validate script path in case of injections
+        File shellScriptFile = new File(scriptPath);
+        //validate existence
+        if (!shellScriptFile.exists()) {
+            logger.error("shell script not exist : {}", scriptPath);
+            alertResult.setMessage("shell script not exist : " + scriptPath);
+            return alertResult;
+        }
+        //validate is file
+        if (!shellScriptFile.isFile()) {
+            logger.error("shell script is not a file : {}", scriptPath);
+            alertResult.setMessage("shell script is not a file : " + scriptPath);
+            return alertResult;
+        }
+
         String[] cmd = {"/bin/sh", "-c", scriptPath + ALERT_TITLE_OPTION + "'" + title + "'" + ALERT_CONTENT_OPTION + "'" + content + "'" + ALERT_USER_PARAMS_OPTION + "'" + userParams + "'"};
         int exitCode = ProcessUtils.executeScript(cmd);
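Review bot: The added `exists()`/`isFile()` checks do not deliver what the `//validate script path in case of injections` comment promises, because the unchanged line that builds `cmd` still concatenates `scriptPath`, `title`, `content` and `userParams` into one string for `/bin/sh -c`, where the shell re-parses them and the hand-written `'` quoting is not an escape. The checks only establish that the path names some regular file; they neither restrict which file may be run nor touch the other three values. I would drop the shell and pass each value as its own argv element, `String[] cmd = {scriptPath, ALERT_TITLE_OPTION.trim(), title, ALERT_CONTENT_OPTION.trim(), content, ALERT_USER_PARAMS_OPTION.trim(), userParams};`, assuming `ProcessUtils.executeScript` hands the array to the process launcher unchanged. It would also help to compare `shellScriptFile.getCanonicalPath()` against a configured script directory before running anything. The enclosing method starts and continues outside the hunk, so how the exit code and result are handled is not visible here.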