This is an automated email from the ASF dual-hosted git repository.

zhongjiajie pushed a commit to branch 3.2.1-prepare
in repository https://gitbox.apache.org/repos/asf/dolphinscheduler.git

commit ca93aa8e260b4e227c054d42aca20b272574e851
Author: caishunfeng <caishunfeng2...@gmail.com>
AuthorDate: Mon Feb 5 10:23:47 2024 +0800

    fix switch js (#15487)
    
    Co-authored-by: Rick Cheng <rickche...@gmail.com>
    Co-authored-by: Eric Gao <ericgao.apa...@gmail.com>
    (cherry picked from commit ef9ed3db55cb1647886b06c2b2c6a5cfcdccfb5c)
---
 .../server/master/utils/SwitchTaskUtils.java            | 17 +++++++++++++++++
 .../server/master/utils/SwitchTaskUtilsTest.java        | 14 ++++++++++++++
 2 files changed, 31 insertions(+)

diff --git 
a/dolphinscheduler-master/src/main/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtils.java
 
b/dolphinscheduler-master/src/main/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtils.java
index 4e1c303138..f4ebd0c60c 100644
--- 
a/dolphinscheduler-master/src/main/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtils.java
+++ 
b/dolphinscheduler-master/src/main/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtils.java
@@ -23,6 +23,7 @@ import 
org.apache.dolphinscheduler.plugin.task.api.utils.ParameterUtils;
 import org.apache.commons.collections4.MapUtils;
 
 import java.util.Map;
+import java.util.Set;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -33,6 +34,7 @@ import javax.script.ScriptException;
 import lombok.extern.slf4j.Slf4j;
 
 import com.google.common.collect.Maps;
+import com.google.common.collect.Sets;
 
 @Slf4j
 public class SwitchTaskUtils {
@@ -41,6 +43,15 @@ public class SwitchTaskUtils {
     private static final ScriptEngine engine;
     private static final String rgex = "['\"]*\\$\\{(.*?)\\}['\"]*";
 
+    private static final Set<String> blackKeySet = Sets.newHashSet(
+            "java",
+            "invoke",
+            "new",
+            "eval",
+            "function",
+            "import",
+            "\\\\");
+
     static {
         manager = new ScriptEngineManager();
         engine = manager.getEngineByName("js");
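Review bot: The last entry of `blackKeySet`, `"\\\\"`, is the two-character string `\\`, so the check only fires on a doubled backslash; a single-backslash entry `"\\"` is the stricter choice, since a lone backslash has no legitimate use in a condition after parameter substitution and it also covers the doubled form. The test added in the same commit only exercises the doubled form, so the gap would not be noticed there. Separately, `Sets.newHashSet` gives a mutable set for what is a constant; `ImmutableSet.of(...)` from the Guava package already imported here keeps it immutable, and a short comment such as `// substrings that must never appear in a condition handed to the script engine` would explain the purpose. The naming follows the file's existing lower-case `rgex` constant, so leaving it as is seems consistent.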
@@ -83,6 +94,12 @@ public class SwitchTaskUtils {
             content = content.replace("${" + paramName + "}", value);
         }
 
+        for (String blackKey : blackKeySet) {
+            if (content.contains(blackKey)) {
+                throw new IllegalArgumentException("condition is not valid, 
please check it. condition: " + condition);
+            }
+        }
+
         // if not replace any params, throw exception to avoid illegal 
condition
         if (originContent.equals(content)) {
             throw new IllegalArgumentException("condition is not valid, please 
check it. condition: " + condition);
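Review bot: The substring denylist in the new loop is a weak control for a script engine that can reach Java classes: matching literal substrings is inherently incomplete against rewritten input, and it also rejects legitimate conditions whose substituted values merely contain `java` or `new` (a hostname, a path, a product name), which will surface as confusing "condition is not valid" failures. A structural mitigation belongs in the engine itself — if the `js` engine resolves to Nashorn, create it through `NashornScriptEngineFactory` with a `ClassFilter` that denies all classes or with the `--no-java` option, or restrict conditions to a comparison-expression grammar — keeping this loop only as defence in depth. A comment on the loop stating that intent, e.g. `// best-effort guard; the engine configuration is the real boundary`, would stop a future reader from treating the list as sufficient. generateContentWithTaskParams starts and ends outside the hunk.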
diff --git 
a/dolphinscheduler-master/src/test/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtilsTest.java
 
b/dolphinscheduler-master/src/test/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtilsTest.java
index 044e916f56..18e97f8e80 100644
--- 
a/dolphinscheduler-master/src/test/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtilsTest.java
+++ 
b/dolphinscheduler-master/src/test/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtilsTest.java
@@ -52,5 +52,19 @@ public class SwitchTaskUtilsTest {
         Assertions.assertThrowsExactly(IllegalArgumentException.class, () -> {
             SwitchTaskUtils.generateContentWithTaskParams(content, 
globalParams, varParams);
         });
+
+        String cmd = "bash /tmp/shell";
+        String cmdContent = "java.lang.Runtime.getRuntime().exec(\"${cmd}\")";
+        globalParams.put("cmd", new Property("cmd", Direct.IN, 
DataType.VARCHAR, cmd));
+        Assertions.assertThrowsExactly(IllegalArgumentException.class, () -> {
+            SwitchTaskUtils.generateContentWithTaskParams(cmdContent, 
globalParams, varParams);
+        });
+
+        String contentWithUnicode =
+                
"\\\\u006a\\\\u0061\\\\u0076\\\\u0061\\\\u002e\\\\u006c\\\\u0061\\\\u006e\\\\u0067\\\\u002e\\\\u0052\\\\u0075\\\\u006e\\\\u0074\\\\u0069\\\\u006d\\\\u0065.getRuntime().exec(\\\"open
 -a Calculator.app\\";
+        Assertions.assertThrowsExactly(IllegalArgumentException.class, () -> {
+            SwitchTaskUtils.generateContentWithTaskParams(contentWithUnicode, 
globalParams, varParams);
+        });
+
     }
 }
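Review bot: The new cases only assert that rejected inputs throw; unless the part of the test above the hunk already does so, there is no positive case showing that a benign condition whose substituted value happens to contain one of the denied substrings (for example a path under a `java` directory) is handled as intended, so the false-positive behaviour of the denylist is undocumented. Adding one assertion for a legitimate condition that still evaluates, and one for a value like `"/opt/java/bin"` that records whether rejection is the expected outcome, would pin the contract either way. The `contentWithUnicode` literal uses doubled backslashes, so it exercises only the `\\` form of the list entry.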
