xxjingcd opened a new issue, #13461: URL: https://github.com/apache/dolphinscheduler/issues/13461
### Search before asking - [X] I had searched in the [issues](https://github.com/apache/dolphinscheduler/issues?q=is%3Aissue) and found no similar issues. ### What happened For Security([CVE-2022-26884](https://www.cve.org/CVERecord?id=CVE-2022-26884)), DolphinScheduler add a restriction to access log files - the log file must be in a specified directory(named `dsHome`),which is configured by system property `DOLPHINSCHEDULER_WORKER_HOME` or `user.dir`; The verification method is to check Whether the prefix of a log file path matches the `dsHome`. When `dsHome` does not end with `/`,the security loophole reappear. For Example, the `dsHome` value is `/data1_1T/dolphinscheduler` and the log file path is `/data1_1T/dolphinscheduler_01/logs/tast01.log` - this log file path will be allowed access, Which is not in the `dsHome` directory; ### What you expected to happen The log file readed by users should be accurately restricted in the specified directory; ### How to reproduce For Example, the `dsHome` value is `/data1_1T/dolphinscheduler` and the log file path is `/data1_1T/dolphinscheduler_01/logs/tast01.log` - this log file path will be allowed access, Which is not in the `dsHome` directory; ### Anything else _No response_ ### Version 3.1.x ### Are you willing to submit PR? - [X] Yes I am willing to submit a PR! ### Code of Conduct - [X] I agree to follow this project's [Code of Conduct](https://www.apache.org/foundation/policies/conduct) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
