Posted to commits@dolphinscheduler.apache.org by ca...@apache.org on 2022/09/21 00:51:50 UTC

[dolphinscheduler] branch 3.1.0-prepare updated: Script cannot contains ''' in params (#12068)

This is an automated email from the ASF dual-hosted git repository.

caishunfeng pushed a commit to branch 3.1.0-prepare
in repository https://gitbox.apache.org/repos/asf/dolphinscheduler.git


The following commit(s) were added to refs/heads/3.1.0-prepare by this push:
     new c286c5567a Script cannot contains ''' in params (#12068)
c286c5567a is described below

commit c286c5567a018c55fa815a68692c7cf017469941
Author: Wenjun Ruan <we...@apache.org>
AuthorDate: Wed Sep 21 08:51:44 2022 +0800

    Script cannot contains ''' in params (#12068)
    
    (cherry picked from commit f40a831453b3577249e011bad1fbe4c69fc6e9bc)
---
 .../plugin/alert/script/ScriptSender.java          | 32 ++++++++++++++++++----
 .../plugin/alert/script/ScriptSenderTest.java      |  8 ++++++
 2 files changed, 34 insertions(+), 6 deletions(-)

diff --git a/dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/main/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSender.java b/dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/main/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSender.java
index 7f255803c4..3f6e690f03 100644
--- a/dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/main/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSender.java
+++ b/dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/main/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSender.java
@@ -18,13 +18,15 @@
 package org.apache.dolphinscheduler.plugin.alert.script;
 
 import org.apache.dolphinscheduler.alert.api.AlertResult;
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 
 import java.io.File;
 import java.util.Map;
 
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
 public final class ScriptSender {
+
     private static final Logger logger = LoggerFactory.getLogger(ScriptSender.class);
     private static final String ALERT_TITLE_OPTION = " -t ";
     private static final String ALERT_CONTENT_OPTION = " -c ";
@@ -54,22 +56,40 @@ public final class ScriptSender {
             alertResult.setMessage("shell script not support windows os");
             return alertResult;
         }
-        //validate script path in case of injections
+        // validate script path in case of injections
         File shellScriptFile = new File(scriptPath);
-        //validate existence
+        // validate existence
         if (!shellScriptFile.exists()) {
             logger.error("shell script not exist : {}", scriptPath);
             alertResult.setMessage("shell script not exist : " + scriptPath);
             return alertResult;
         }
-        //validate is file
+        // validate is file
         if (!shellScriptFile.isFile()) {
             logger.error("shell script is not a file : {}", scriptPath);
             alertResult.setMessage("shell script is not a file : " + scriptPath);
             return alertResult;
         }
 
-        String[] cmd = {"/bin/sh", "-c", scriptPath + ALERT_TITLE_OPTION + "'" + title + "'" + ALERT_CONTENT_OPTION + "'" + content + "'" + ALERT_USER_PARAMS_OPTION + "'" + userParams + "'"};
+        // avoid command injection (RCE vulnerability)
+        if (userParams.contains("'")) {
+            logger.error("shell script illegal user params : {}", userParams);
+            alertResult.setMessage("shell script illegal user params : " + userParams);
+            return alertResult;
+        }
+        if (title.contains("'")) {
+            logger.error("shell script illegal title : {}", title);
+            alertResult.setMessage("shell script illegal title : " + title);
+            return alertResult;
+        }
+        if (content.contains("'")) {
+            logger.error("shell script illegal content : {}", content);
+            alertResult.setMessage("shell script illegal content : " + content);
+            return alertResult;
+        }
+
+        String[] cmd = {"/bin/sh", "-c", scriptPath + ALERT_TITLE_OPTION + "'" + title + "'" + ALERT_CONTENT_OPTION
+                + "'" + content + "'" + ALERT_USER_PARAMS_OPTION + "'" + userParams + "'"};
         int exitCode = ProcessUtils.executeScript(cmd);
 
         if (exitCode == 0) {
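Review bot: The three new `contains("'")` checks dereference `userParams`, `title` and `content` without a null guard, so a missing user-params entry in the config now raises a NullPointerException where the old concatenation would have produced the literal text "null"; where those values come from is outside the hunk, so the guard would be `if (userParams == null || userParams.contains("'"))` or an explicit `Objects.requireNonNull` in the constructor if the config is known to always supply them. Rejecting the single quote is sufficient to keep each field inside its quoted argument, but the command is still assembled as one `/bin/sh -c` string in which `scriptPath` itself is unquoted and checked only for existence, so a path containing whitespace or shell metacharacters still changes what the shell runs. If `ProcessUtils.executeScript` executes its array as argv rather than requiring a shell, the blocklist becomes unnecessary by passing the arguments directly, e.g. `String[] cmd = {scriptPath, ALERT_TITLE_OPTION.trim(), title, ALERT_CONTENT_OPTION.trim(), content, ALERT_USER_PARAMS_OPTION.trim(), userParams};` — this depends on how executeScript launches the process, which is not visible here. The enclosing sendScriptAlert method starts and ends outside the hunk, and the rejected value is echoed back verbatim in both the log line and the alert message, which is worth keeping in mind when user params may carry credentials.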
diff --git a/dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/test/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSenderTest.java b/dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/test/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSenderTest.java
index 445d0738b5..64a811d474 100644
--- a/dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/test/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSenderTest.java
+++ b/dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/test/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSenderTest.java
@@ -53,4 +53,12 @@ public class ScriptSenderTest {
         Assert.assertEquals("false", alertResult.getStatus());
     }
 
+    @Test
+    public void testScriptSenderInjectionTest() {
+        scriptConfig.put(ScriptParamsConstants.NAME_SCRIPT_USER_PARAMS, "' ; calc.exe ; '");
+        ScriptSender scriptSender = new ScriptSender(scriptConfig);
+        AlertResult alertResult = scriptSender.sendScriptAlert("test title Kris", "test content");
+        Assert.assertEquals("false", alertResult.getStatus());
+    }
+
 }
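Review bot: The new test asserts only `"false"` for the status, which is the same outcome the method returns for a non-existent script path or when running on Windows, so it does not actually prove the quote check in ScriptSender was what rejected the input; pinning the message, e.g. `Assert.assertTrue(alertResult.getMessage().contains("illegal user params"));`, would make a regression that drops the check fail. The name `testScriptSenderInjectionTest` repeats "Test"; `testSendScriptAlertRejectsSingleQuoteInUserParams` says what is verified. The `scriptConfig` fixture this test mutates is set up outside the hunk, so whether the script path it points to exists (and the earlier guards are passed) cannot be confirmed from here.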