caishunfeng commented on code in PR #9834:
URL: https://github.com/apache/dolphinscheduler/pull/9834#discussion_r860633720
##########
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/main/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSender.java:
##########
@@ -54,6 +54,21 @@ private AlertResult executeShellScript(String title, String
content) {
alertResult.setMessage("shell script not support windows os");
return alertResult;
}
+ //validate script path in case of injections
+ File shellScriptFile = new File(scriptPath);
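Review bot: `new File(scriptPath)` on the last added line throws a NullPointerException when scriptPath is null, and no guard is visible before it in this hunk. Check for a null or empty scriptPath first and return alertResult with a message, the same way the Windows branch just above does, so a missing value produces an alert result instead of an exception.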
Review Comment:
It is better to check whether scriptPath is null.
##########
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/main/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSender.java:
##########
@@ -54,6 +54,21 @@ private AlertResult executeShellScript(String title, String
content) {
alertResult.setMessage("shell script not support windows os");
return alertResult;
}
+ //validate script path in case of injections
+ File shellScriptFile = new File(scriptPath);
+ //validate existence
+ if (!shellScriptFile.exists()) {
+ logger.info("shell script not exist : {}", scriptPath);
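Review bot: The message in the added `logger.info("shell script not exist : {}", scriptPath);` call is missing a verb; "shell script does not exist : {}" reads better. scriptPath is also written to the log unmodified, so if it can hold line breaks, escape or strip them before logging so that one failed alert cannot show up as several log entries.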
Review Comment:
```suggestion
logger.error("shell script not exist : {}", scriptPath);
```
##########
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/main/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSender.java:
##########
@@ -54,6 +54,21 @@ private AlertResult executeShellScript(String title, String
content) {
alertResult.setMessage("shell script not support windows os");
return alertResult;
}
+ //validate script path in case of injections
+ File shellScriptFile = new File(scriptPath);
+ //validate existence
+ if (!shellScriptFile.exists()) {
+ logger.info("shell script not exist : {}", scriptPath);
+ alertResult.setMessage("shell script not exist : " + scriptPath);
+ return alertResult;
+ }
+ //validate is file
+ if (!shellScriptFile.isFile()) {
+ logger.info("shell script is not a file : {}", scriptPath);
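Review bot: The comment at the top of the added block says the path is validated "in case of injections", but the checks visible here, `!shellScriptFile.exists()` and `!shellScriptFile.isFile()`, only confirm that the path names an existing normal file, so any file on disk passes. If the intent is to limit what can be executed, resolve the path with getCanonicalFile() and require it to sit under a configured script directory, or reword the comment to say it only checks existence and file type. Also, isFile() already returns false for a path that does not exist, so the two branches can be merged unless the separate messages are wanted.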
Review Comment:
```suggestion
logger.error("shell script is not a file : {}", scriptPath);
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.