yuqi1129 commented on code in PR #7548:
URL: https://github.com/apache/gravitino/pull/7548#discussion_r2181983133
##########
catalogs/catalog-jdbc-common/src/main/java/org/apache/gravitino/catalog/jdbc/utils/DataSourceUtils.java:
##########
@@ -37,6 +39,26 @@ public class DataSourceUtils {
/** SQL statements for database connection pool testing. */
private static final String POOL_TEST_QUERY = "SELECT 1";
+ private static final List<String> unsafeMySQLParameters =
+ Arrays.asList(
+ "maxAllowedPacket",
+ "autoDeserialize",
+ "queryInterceptors",
+ "statementInterceptors",
+ "detectCustomCollations",
+ "allowloadlocalinfile",
+ "allowUrlInLocalInfile",
+ "allowLoadLocalInfileInPath");
Review Comment:
trustCertificateKeyStoreUrl
serverTimezone
characterEncoding=xxxx
useSSL=false
##########
catalogs/catalog-jdbc-common/src/main/java/org/apache/gravitino/catalog/jdbc/utils/DataSourceUtils.java:
##########
@@ -76,6 +100,61 @@ private static Properties getProperties(JdbcConfig
jdbcConfig) {
return properties;
}
+ private static String recursiveDecode(String url) {
+ String prev;
+ String decoded = url;
+ int max = 5;
+
+ do {
+ prev = decoded;
+ try {
+ decoded = java.net.URLDecoder.decode(prev, "UTF-8");
+ } catch (Exception e) {
+ throw new GravitinoRuntimeException("Unable to decode JDBC URL");
+ }
+ } while (!prev.equals(decoded) && --max > 0);
+
+ return decoded;
+ }
+
+ private static void checkUnsafeParameters(
+ String url, Map<String, String> config, List<String> unsafeParams,
String dbType) {
+
+ String lowerUrl = url.toLowerCase();
+
+ for (String param : unsafeParams) {
+ String lowerParam = param.toLowerCase();
+ if (lowerUrl.contains(lowerParam) || containsValueIgnoreCase(config,
param)) {
Review Comment:
If the URL is like `jdbc:mysql:192.169.1.2:3306/db?
allowloadlocalinfile=false`, we should not throw exception here.
##########
catalogs/catalog-jdbc-common/src/main/java/org/apache/gravitino/catalog/jdbc/utils/DataSourceUtils.java:
##########
@@ -76,6 +100,61 @@ private static Properties getProperties(JdbcConfig
jdbcConfig) {
return properties;
}
+ private static String recursiveDecode(String url) {
+ String prev;
+ String decoded = url;
+ int max = 5;
+
+ do {
+ prev = decoded;
+ try {
+ decoded = java.net.URLDecoder.decode(prev, "UTF-8");
+ } catch (Exception e) {
+ throw new GravitinoRuntimeException("Unable to decode JDBC URL");
+ }
+ } while (!prev.equals(decoded) && --max > 0);
+
+ return decoded;
+ }
+
+ private static void checkUnsafeParameters(
+ String url, Map<String, String> config, List<String> unsafeParams,
String dbType) {
+
+ String lowerUrl = url.toLowerCase();
+
+ for (String param : unsafeParams) {
+ String lowerParam = param.toLowerCase();
+ if (lowerUrl.contains(lowerParam) || containsValueIgnoreCase(config,
param)) {
+ throw new GravitinoRuntimeException(
+ "Unsafe %s parameter '%s' detected in JDBC URL", dbType, param);
+ }
+ }
+ }
+
+ public static void validateJdbcConfig(String driver, String url, Map<String,
String> all) {
+ String lowerUrl = url.toLowerCase();
+ String decodedUrl = recursiveDecode(lowerUrl);
+
+ if (driver != null) {
+ if (decodedUrl.startsWith("jdbc:mysql")) {
+ checkUnsafeParameters(decodedUrl, all, unsafeMySQLParameters, "MySQL");
+ } else if (decodedUrl.startsWith("jdbc:mariadb")) {
+ checkUnsafeParameters(decodedUrl, all, unsafeMySQLParameters,
"MariaDB");
+ } else if (decodedUrl.startsWith("jdbc:postgresql")) {
+ checkUnsafeParameters(decodedUrl, all, unsafePostgresParameters,
"PostgreSQL");
+ }
+ }
+ }
+
+ private static boolean containsValueIgnoreCase(Map<String, String> map,
String value) {
Review Comment:
What on earth is the method used for? Can you provide an example?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
