Posted to issues@kylin.apache.org by GitBox <gi...@apache.org> on 2020/03/17 01:42:52 UTC

[GitHub] [kylin] shaofengshi commented on a change in pull request #1162: KYLIN-4426 Refine CliCommandExecutor

shaofengshi commented on a change in pull request #1162: KYLIN-4426 Refine CliCommandExecutor
URL: https://github.com/apache/kylin/pull/1162#discussion_r393399944
 
 

 ##########
 File path: core-common/src/main/java/org/apache/kylin/common/util/CliCommandExecutor.java
 ##########
 @@ -163,4 +163,34 @@ private void copyRemote(String localFile, String destDir) throws IOException {
         }
     }
 
+    public static final String COMMAND_INJECT_REX = "[ &`>|{}()$;\\-#~!+*”\\\\]+";
+
+    /**
+     * <pre>
+     * Check parameter for preventing command injection, replace illegal character into empty character.
+     *
+     * Note:
+     * 1. Whitespace is also refused because parameter is a single word, should not contains it
+     * 2. Some character may be illegal but still be accepted because commandParameter maybe a URI/path expression,
+     *     you may check "Character part" in https://docs.oracle.com/javase/8/docs/api/java/net/URI.html,
+     *     here is the character which is not banned.
+     *
+     *     1. dot .
+     *     2. slash /
+     *     3. colon :
+     *     4. equal =
+     *     5. ?
+     *     6. @
+     *     7. bracket []
+     *     8. comma ,
+     *     9. %
+     * </pre>
+     */
+    public static String checkParameter(String commandParameter) {
+        String repaired = commandParameter.replaceAll(COMMAND_INJECT_REX, "");
+        if (repaired.length() != commandParameter.length()) {
+            logger.debug("Detected illegal character in command {}, replace it to {}.", commandParameter, repaired);
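Review bot: The character class in COMMAND_INJECT_REX lists the Unicode right double quote ” (U+201D) rather than the ASCII double quote ", and omits the single quote ', so both ASCII quote characters pass through checkParameter untouched; likewise only the literal space is listed, so tab, newline and carriage return are accepted even though the Javadoc note says "Whitespace is also refused because parameter is a single word". Suggest replacing the leading space in the class with \\s and adding both quote characters, for example "[\\s&`>|{}()$;\\-#~!+*\"'\\\\]+". Separately, silently stripping the offending characters and returning the repaired string means an input that was just flagged as suspicious is still handed on for execution in altered form; rejecting the parameter outright (throw an IllegalArgumentException) is the safer contract, and the logger.debug call should then become a warn-level message, since it records a possible injection attempt rather than a routine condition.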
 
 Review comment:
  I think "debug" level here is improper; this might be an attack, its log level should be info or warn.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services