Re: [PR] [#7547] Validate JDBC [gravitino]

Thu, 03 Jul 2025 01:08:22 -0700 


yuqi1129 commented on code in PR #7548:
URL: https://github.com/apache/gravitino/pull/7548#discussion_r2182141112


##########
catalogs/catalog-jdbc-common/src/main/java/org/apache/gravitino/catalog/jdbc/utils/DataSourceUtils.java:
##########
@@ -76,6 +100,61 @@ private static Properties getProperties(JdbcConfig 
jdbcConfig) {
     return properties;
   }
 
+  private static String recursiveDecode(String url) {
+    String prev;
+    String decoded = url;
+    int max = 5;
+
+    do {
+      prev = decoded;
+      try {
+        decoded = java.net.URLDecoder.decode(prev, "UTF-8");
+      } catch (Exception e) {
+        throw new GravitinoRuntimeException("Unable to decode JDBC URL");
+      }
+    } while (!prev.equals(decoded) && --max > 0);
+
+    return decoded;
+  }
+
+  private static void checkUnsafeParameters(
+      String url, Map<String, String> config, List<String> unsafeParams, 
String dbType) {
+
+    String lowerUrl = url.toLowerCase();
+
+    for (String param : unsafeParams) {
+      String lowerParam = param.toLowerCase();
+      if (lowerUrl.contains(lowerParam) || containsValueIgnoreCase(config, 
param)) {
+        throw new GravitinoRuntimeException(
+            "Unsafe %s parameter '%s' detected in JDBC URL", dbType, param);
+      }
+    }
+  }
+
+  public static void validateJdbcConfig(String driver, String url, Map<String, 
String> all) {
+    String lowerUrl = url.toLowerCase();
+    String decodedUrl = recursiveDecode(lowerUrl);
+
+    if (driver != null) {
+      if (decodedUrl.startsWith("jdbc:mysql")) {
+        checkUnsafeParameters(decodedUrl, all, unsafeMySQLParameters, "MySQL");
+      } else if (decodedUrl.startsWith("jdbc:mariadb")) {
+        checkUnsafeParameters(decodedUrl, all, unsafeMySQLParameters, 
"MariaDB");
+      } else if (decodedUrl.startsWith("jdbc:postgresql")) {
+        checkUnsafeParameters(decodedUrl, all, unsafePostgresParameters, 
"PostgreSQL");
+      }
+    }
+  }
+
+  private static boolean containsValueIgnoreCase(Map<String, String> map, 
String value) {

Review Comment:
   The value of parameter `map` may be as follows:
   ```
   jdbc-user  -> com.mysql.driver
   jdbc-user  -> admin
   jdbc-password -> xxxxx
   jdbc-url    -> jdbc:mysql:xxxxxx:3306/db?xxxxx=xxx&xxx=xxx
   key1 -> value1
   key2 -> value
   ....
   ```
   
   Will you throw an exception if there exist values that contain unsafe 
configurations? for example 
   
   ```
   key1 -> allowUrlInLocalInfile
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to