This is an automated email from the ASF dual-hosted git repository.
zihaoxiang pushed a commit to branch dev
in repository https://gitbox.apache.org/repos/asf/dolphinscheduler.git
The following commit(s) were added to refs/heads/dev by this push:
new 60b019b729 [Improvement] Fix the git url command injection in pytorch
task(#15873) (#15950)
60b019b729 is described below
commit 60b019b729a5bb1c05e5627d85b1a903546100a8
Author: cntiger <[email protected]>
AuthorDate: Thu May 9 14:50:27 2024 +0800
[Improvement] Fix the git url command injection in pytorch task(#15873)
(#15950)
* fix the git url command injection risk (#15873)
* [Improvement] Fix the git url command injection in pytorch,format code
style task(#15873)
---------
Co-authored-by: cntigers <Xiaohu4321@>
Co-authored-by: Rick Cheng <[email protected]>
---
.../dolphinscheduler/plugin/task/pytorch/GitProjectManager.java | 4 ++--
.../dolphinscheduler/plugin/task/pytorch/PytorchTaskTest.java | 6 ++++++
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git
a/dolphinscheduler-task-plugin/dolphinscheduler-task-pytorch/src/main/java/org/apache/dolphinscheduler/plugin/task/pytorch/GitProjectManager.java
b/dolphinscheduler-task-plugin/dolphinscheduler-task-pytorch/src/main/java/org/apache/dolphinscheduler/plugin/task/pytorch/GitProjectManager.java
index 3189f26920..5f1e815c30 100644
---
a/dolphinscheduler-task-plugin/dolphinscheduler-task-pytorch/src/main/java/org/apache/dolphinscheduler/plugin/task/pytorch/GitProjectManager.java
+++
b/dolphinscheduler-task-plugin/dolphinscheduler-task-pytorch/src/main/java/org/apache/dolphinscheduler/plugin/task/pytorch/GitProjectManager.java
@@ -33,12 +33,12 @@ import lombok.extern.slf4j.Slf4j;
public class GitProjectManager {
public static final String GIT_PATH_LOCAL = "GIT_PROJECT";
- private static final Pattern GIT_CHECK_PATTERN =
Pattern.compile("^(git@|https?://)");
+ private static final Pattern GIT_CHECK_PATTERN =
Pattern.compile("^(git@|https?://)(?![&|])[^&|]+$");
private String path;
private String baseDir = ".";
public static boolean isGitPath(String path) {
- return GIT_CHECK_PATTERN.matcher(path).find();
+ return GIT_CHECK_PATTERN.matcher(path).matches();
}
public void prepareProject() throws Exception {
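Review bot: The new GIT_CHECK_PATTERN is a blocklist of just `&` and `|`, so if prepareProject (it starts at the last line of this hunk and its body is outside it) still interpolates the URL into a shell command string, other shell-significant characters — whitespace, `;`, `>`, `$(`, backticks — are still accepted, and the tests added in PytorchTaskTest.java only exercise those two characters. An allowlist is the safer shape for this check: `Pattern.compile("^(git@|https?://)[A-Za-z0-9._~:/@%-]+$")`, with the character class widened to whatever URL forms the task is meant to support. The `(?![&|])` lookahead is redundant with `[^&|]+` and can be dropped in either version. Independently of the pattern, passing the URL to git as a separate ProcessBuilder argument after `--` rather than through a shell string is the mitigation that does not rely on the regex being complete.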
diff --git
a/dolphinscheduler-task-plugin/dolphinscheduler-task-pytorch/src/test/java/org/apache/dolphinscheduler/plugin/task/pytorch/PytorchTaskTest.java
b/dolphinscheduler-task-plugin/dolphinscheduler-task-pytorch/src/test/java/org/apache/dolphinscheduler/plugin/task/pytorch/PytorchTaskTest.java
index c213021607..e35a175df1 100644
---
a/dolphinscheduler-task-plugin/dolphinscheduler-task-pytorch/src/test/java/org/apache/dolphinscheduler/plugin/task/pytorch/PytorchTaskTest.java
+++
b/dolphinscheduler-task-plugin/dolphinscheduler-task-pytorch/src/test/java/org/apache/dolphinscheduler/plugin/task/pytorch/PytorchTaskTest.java
@@ -72,6 +72,12 @@ public class PytorchTaskTest {
}
+ @Test
+ public void testGitProjectUrlInjection() {
+ Assertions.assertFalse(GitProjectManager.isGitPath("git@& cat
/etc/passwd >/poc.txt #"));
+ Assertions.assertFalse(GitProjectManager.isGitPath("git@| cat
/etc/passwd >/poc.txt #"));
+ }
+
@Test
public void testGitProject() {