This is an automated email from the ASF dual-hosted git repository.

caishunfeng pushed a commit to branch 3.1.0-prepare
in repository https://gitbox.apache.org/repos/asf/dolphinscheduler.git

commit 775ef98b643cd880179e60a8c17851ae39d6dc9f
Author: kezhenxu94 <[email protected]>
AuthorDate: Fri Sep 16 13:32:59 2022 +0800

    Add validations of possible malicious keys (#11966)
---
 .../api/datasource/AbstractDataSourceProcessor.java           | 11 ++++++++++-
 .../api/datasource/AbstractDataSourceProcessorTest.java       | 10 +++++++++-
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git 
a/dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/main/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessor.java
 
b/dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/main/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessor.java
index 28217c51d6..fa42dafa85 100644
--- 
a/dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/main/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessor.java
+++ 
b/dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/main/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessor.java
@@ -26,8 +26,11 @@ import org.apache.commons.collections4.MapUtils;
 
 import java.text.MessageFormat;
 import java.util.Map;
+import java.util.Set;
 import java.util.regex.Pattern;
 
+import com.google.common.collect.Sets;
+
 public abstract class AbstractDataSourceProcessor implements 
DataSourceProcessor {
 
     private static final Pattern IPV4_PATTERN = 
Pattern.compile("^[a-zA-Z0-9\\_\\-\\.\\,]+$");
@@ -38,6 +41,8 @@ public abstract class AbstractDataSourceProcessor implements 
DataSourceProcessor
 
     private static final Pattern PARAMS_PATTER = 
Pattern.compile("^[a-zA-Z0-9\\-\\_\\/\\@\\.]+$");
 
+    private static final Set<String> POSSIBLE_MALICIOUS_KEYS = 
Sets.newHashSet("allowLoadLocalInfile");
+
     @Override
     public void checkDatasourceParam(BaseDataSourceParamDTO 
baseDataSourceParamDTO) {
         checkHost(baseDataSourceParamDTO.getHost());
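Review bot: `POSSIBLE_MALICIOUS_KEYS` is built with `Sets.newHashSet`, so the static denylist is a mutable `HashSet` that any code reaching the field can add to or clear; a security constant should be immutable, e.g. `private static final Set<String> POSSIBLE_MALICIOUS_KEYS = ImmutableSet.of("allowLoadLocalInfile");` (Guava is already imported on the line above) or `Collections.singleton("allowLoadLocalInfile")`. The field also deserves a why-comment, since a single bare string does not tell the next maintainer what class of key belongs here; something like `// JDBC driver properties that must never come from user-supplied "other" params: allowLoadLocalInfile lets a MySQL server read files from the client host. Extend as further dangerous driver options are identified.` If the comparison in checkOther is ever made case-insensitive, the entries here must be stored in the same normalised form. `checkDatasourceParam` continues past the end of this hunk.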
@@ -76,6 +81,9 @@ public abstract class AbstractDataSourceProcessor implements 
DataSourceProcessor
         if (MapUtils.isEmpty(other)) {
             return;
         }
+        if (!Sets.intersection(other.keySet(), 
POSSIBLE_MALICIOUS_KEYS).isEmpty()) {
+            throw new IllegalArgumentException("Other params include possible 
malicious keys.");
+        }
         boolean paramsCheck = other.entrySet().stream().allMatch(p -> 
PARAMS_PATTER.matcher(p.getValue()).matches());
         if (!paramsCheck) {
             throw new IllegalArgumentException("datasource other params 
illegal");
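Review bot: The new guard is an exact, case-sensitive set intersection on the keys, and the existing loop below it only runs `PARAMS_PATTER` against `p.getValue()`, so a key is never pattern-checked at all; if the map is later joined into a JDBC URL (not visible here), a key carrying `&`, `=` or whitespace could smuggle in an extra property, and a differently-cased spelling of the denylisted name would pass this check if the driver matches property names leniently. I would validate keys with the same pattern as values and compare the denylist after lower-casing, which keeps the behaviour for well-formed keys unchanged but closes both gaps. This needs the set entries in `POSSIBLE_MALICIOUS_KEYS` to be stored lower-case. `checkOther`'s signature and the `MapUtils.isEmpty` early return are above the hunk.
```java
// … unchanged: empty-map early return …
for (Map.Entry<String, String> entry : other.entrySet()) {
    String key = entry.getKey();
    // normalise before the denylist lookup so casing cannot bypass it; keys are validated like values
    if (key == null || POSSIBLE_MALICIOUS_KEYS.contains(key.toLowerCase(Locale.ROOT))) {
        throw new IllegalArgumentException("Other params include possible malicious keys.");
    }
    if (!PARAMS_PATTER.matcher(key).matches() || !PARAMS_PATTER.matcher(entry.getValue()).matches()) {
        throw new IllegalArgumentException("datasource other params illegal");
    }
}
```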
@@ -85,6 +93,7 @@ public abstract class AbstractDataSourceProcessor implements 
DataSourceProcessor
     @Override
     public String getDatasourceUniqueId(ConnectionParam connectionParam, 
DbType dbType) {
         BaseConnectionParam baseConnectionParam = (BaseConnectionParam) 
connectionParam;
-        return MessageFormat.format("{0}@{1}@{2}@{3}", dbType.getDescp(), 
baseConnectionParam.getUser(), 
PasswordUtils.encodePassword(baseConnectionParam.getPassword()), 
baseConnectionParam.getJdbcUrl());
+        return MessageFormat.format("{0}@{1}@{2}@{3}", dbType.getDescp(), 
baseConnectionParam.getUser(),
+                
PasswordUtils.encodePassword(baseConnectionParam.getPassword()), 
baseConnectionParam.getJdbcUrl());
     }
 }
diff --git 
a/dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/test/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessorTest.java
 
b/dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/test/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessorTest.java
index 63534dfc70..ad144cdf08 100644
--- 
a/dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/test/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessorTest.java
+++ 
b/dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/test/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessorTest.java
@@ -43,4 +43,12 @@ public class AbstractDataSourceProcessorTest {
         other.put("arg0", "%");
         doThrow(new 
IllegalArgumentException()).when(mockDataSourceProcessor).checkOther(other);
     }
-}
\ No newline at end of file
+
+    @Test
+    public void shouldNotIncludeMaliciousParams() {
+        AbstractDataSourceProcessor mockDataSourceProcessor = 
mock(AbstractDataSourceProcessor.class);
+        Map<String, String> other = new HashMap<>();
+        other.put("allowLoadLocalInfile", "whatever");
+        doThrow(new 
IllegalArgumentException()).when(mockDataSourceProcessor).checkOther(other);
+    }
+}
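Review bot: `shouldNotIncludeMaliciousParams` never exercises the new validation: it stubs `checkOther` on a Mockito mock with `doThrow(...)` and then neither calls the method nor asserts anything, so it passes whether or not the denylist exists (the context test above it has the same shape, but that is pre-existing). Use a mock that runs the real implementation and assert the exception, e.g. `AbstractDataSourceProcessor processor = mock(AbstractDataSourceProcessor.class, CALLS_REAL_METHODS);` followed by `assertThrows(IllegalArgumentException.class, () -> processor.checkOther(other));`, and add a companion case with a benign key such as `other.put("useSSL", "true")` that must not throw, so a future tightening of the check is caught as well. Whether `checkOther` is accessible from the test package cannot be confirmed from this hunk; if it is not, a small concrete subclass inside the test is the alternative to `CALLS_REAL_METHODS`.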
