Posted to notifications@linkis.apache.org by GitBox <gi...@apache.org> on 2023/01/10 02:24:50 UTC

[GitHub] [linkis] aiceflower opened a new pull request, #4105: Handle url contains # and unsafe parameters

aiceflower opened a new pull request, #4105:
URL: https://github.com/apache/linkis/pull/4105

   Handle url contains # and unsafe parameters


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@linkis.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@linkis.apache.org
For additional commands, e-mail: notifications-help@linkis.apache.org


[GitHub] [linkis] casionone merged pull request #4105: Handle url contains # and unsafe parameters

Posted by GitBox <gi...@apache.org>.
casionone merged PR #4105:
URL: https://github.com/apache/linkis/pull/4105




[GitHub] [linkis] casionone commented on a diff in pull request #4105: Handle url contains # and unsafe parameters

Posted by GitBox <gi...@apache.org>.
casionone commented on code in PR #4105:
URL: https://github.com/apache/linkis/pull/4105#discussion_r1065338514


##########
linkis-engineconn-plugins/jdbc/src/main/java/org/apache/linkis/manager/engineplugin/jdbc/utils/JdbcParamUtils.java:
##########
@@ -64,20 +71,63 @@ public static void validateJdbcUrl(String url) {
   }
 
   public static String filterJdbcUrl(String url) {
+    if (StringUtils.isBlank(url)) {
+      return url;
+    }
     // temporarily filter only mysql jdbc url. & Handles cases that start with JDBC
-    if (!url.startsWith(JDBC_MYSQL_PROTOCOL) && !url.toLowerCase().contains(JDBC_MYSQL_PROTOCOL)) {
+    if (!url.toLowerCase().contains(JDBC_MYSQL_PROTOCOL)) {
       return url;
     }
-    if (url.contains(SENSITIVE_PARAM)) {
-      int index = url.indexOf(SENSITIVE_PARAM);
-      String tmp = SENSITIVE_PARAM;
-      if (url.charAt(index - 1) == AND_SYMBOL) {
-        tmp = AND_SYMBOL + tmp;
-      } else if (url.charAt(index + 1) == AND_SYMBOL) {
-        tmp = tmp + AND_SYMBOL;
+
+    // no params
+    if (!url.contains(String.valueOf(QUESTION_MARK))) {
+      return url + QUESTION_MARK + APPEND_PARAMS;
+    }
+
+    // enable strong security
+    if (Boolean.valueOf(MYSQL_STRONG_SECURITY_ENABLE.getValue())) {
+      return url + QUESTION_MARK + APPEND_PARAMS;
+    }
+
+    int two = 2;
+
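Review bot: The "enable strong security" branch appends a second `?`: by the time it is reached the URL is already known to contain `?` (the "no params" branch above returned otherwise), so `return url + QUESTION_MARK + APPEND_PARAMS;` yields something like `jdbc:mysql://host/db?a=b?<APPEND_PARAMS>`, which is malformed. If the intent in strong mode is to discard every caller-supplied parameter, cut the URL at its first `?` before appending; if the intent is to add the safe parameters on top, join with `&` instead. The `int two = 2;` on the last line is an unexplained magic constant and, as already noted, is not needed.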

Review Comment:
   it is not necessary





[GitHub] [linkis] casionone commented on a diff in pull request #4105: Handle url contains # and unsafe parameters

Posted by GitBox <gi...@apache.org>.
casionone commented on code in PR #4105:
URL: https://github.com/apache/linkis/pull/4105#discussion_r1065338244


##########
linkis-dist/package/conf/linkis.properties:
##########
@@ -27,6 +27,7 @@ wds.linkis.server.mybatis.datasource.username=
 wds.linkis.server.mybatis.datasource.password=
 # mysql
 wds.linkis.mysql.is.encrypt=false
+linkis.mysql.strong.security.enable=false
 
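Review bot: The new `linkis.mysql.strong.security.enable=false` key ships with the stricter mode off by default and carries no comment saying what it controls; add a comment line above it describing the effect (when true, `filterJdbcUrl` appends the fixed `APPEND_PARAMS` set to every `jdbc:mysql` URL regardless of the parameters the caller supplied) and, as already requested, document the key and its default in docs/info-1.3.1.md. The key also drops the `wds.` prefix used by the neighbouring `wds.linkis.mysql.is.encrypt`; if that is deliberate, say so in the docs so operators do not assume a typo.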

Review Comment:
   add info to docs/info-1.3.1.md





[GitHub] [linkis] casionone commented on a diff in pull request #4105: Handle url contains # and unsafe parameters

Posted by GitBox <gi...@apache.org>.
casionone commented on code in PR #4105:
URL: https://github.com/apache/linkis/pull/4105#discussion_r1065338788


##########
linkis-engineconn-plugins/jdbc/src/main/java/org/apache/linkis/manager/engineplugin/jdbc/utils/JdbcParamUtils.java:
##########
@@ -64,20 +71,63 @@ public static void validateJdbcUrl(String url) {
   }
 
   public static String filterJdbcUrl(String url) {
+    if (StringUtils.isBlank(url)) {
+      return url;
+    }
     // temporarily filter only mysql jdbc url. & Handles cases that start with JDBC
-    if (!url.startsWith(JDBC_MYSQL_PROTOCOL) && !url.toLowerCase().contains(JDBC_MYSQL_PROTOCOL)) {
+    if (!url.toLowerCase().contains(JDBC_MYSQL_PROTOCOL)) {
       return url;
     }
-    if (url.contains(SENSITIVE_PARAM)) {
-      int index = url.indexOf(SENSITIVE_PARAM);
-      String tmp = SENSITIVE_PARAM;
-      if (url.charAt(index - 1) == AND_SYMBOL) {
-        tmp = AND_SYMBOL + tmp;
-      } else if (url.charAt(index + 1) == AND_SYMBOL) {
-        tmp = tmp + AND_SYMBOL;
+
+    // no params
+    if (!url.contains(String.valueOf(QUESTION_MARK))) {
+      return url + QUESTION_MARK + APPEND_PARAMS;
+    }
+
+    // enable strong security
+    if (Boolean.valueOf(MYSQL_STRONG_SECURITY_ENABLE.getValue())) {
+      return url + QUESTION_MARK + APPEND_PARAMS;
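Review bot: Agreed that the strong-security branch deserves a log line, since it silently changes the connection parameters the caller asked for, but the log must not include `url` verbatim: a JDBC URL's query string routinely carries `user=` and `password=`, so logging it would write credentials to the engine log. Log only that strong-security mode rewrote the parameters (at most the scheme and host portion before `?`), and keep the same rule for any log added to the "no params" branch.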

Review Comment:
   add some log





[GitHub] [linkis] casionone commented on a diff in pull request #4105: Handle url contains # and unsafe parameters

Posted by GitBox <gi...@apache.org>.
casionone commented on code in PR #4105:
URL: https://github.com/apache/linkis/pull/4105#discussion_r1065338651


##########
linkis-public-enhancements/linkis-datasource/linkis-metadata-query/service/jdbc/src/main/java/org/apache/linkis/metadata/query/service/mysql/SqlConnection.java:
##########
@@ -99,6 +116,17 @@ private void validateParams(Map<String, Object> extraParams) {
     extraParams.put("allowUrlInLocalInfile", "false");
   }
 
+  private boolean keyAndValueIsNotSecurity(String key, String value, String param) {
+    return !(isSecurity(key, param) && isSecurity(value, param));
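Review bot: `keyAndValueIsNotSecurity` returning `!(isSecurity(key, param) && isSecurity(value, param))` is a double negative over a negated conjunction and is easy to misread at the call site; a positive predicate such as `isSecure(key, value, param)` returning `isSecurity(key, param) && isSecurity(value, param)`, negated where it is used, reads more clearly and is harder to invert by mistake. When adding the requested log, record the rejected key only and not its value, because extra JDBC parameters can contain credentials.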

Review Comment:
   add some log 


