This is an automated email from the ASF dual-hosted git repository.
dockerzhang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/inlong.git
The following commit(s) were added to refs/heads/master by this push:
new 9008b6dcb [INLONG-7213][Manager] Add encoding check to the MySQL JDBC
URL (#7214)
9008b6dcb is described below
commit 9008b6dcb8cc88bbcfed4872b2227abfa929982b
Author: fuweng11 <[email protected]>
AuthorDate: Wed Jan 11 13:13:22 2023 +0800
[INLONG-7213][Manager] Add encoding check to the MySQL JDBC URL (#7214)
---
.../manager/pojo/sink/mysql/MySQLSinkDTO.java | 34 ++++++++++----
.../manager/pojo/sink/mysql/MySQLSinkDTOTest.java | 53 ++++++++++++++++++----
2 files changed, 68 insertions(+), 19 deletions(-)
diff --git
a/inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java
b/inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java
index 6363a8ec1..ca6752a6a 100644
---
a/inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java
+++
b/inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java
@@ -32,6 +32,8 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import javax.validation.constraints.NotNull;
+import java.net.URLDecoder;
+import java.util.HashMap;
import java.util.List;
import java.util.Map;
@@ -47,8 +49,16 @@ public class MySQLSinkDTO {
/**
* The sensitive param may lead the attack.
*/
- private static final String SENSITIVE_PARAM_TRUE = "autoDeserialize=true";
- private static final String SENSITIVE_PARAM_FALSE =
"autoDeserialize=false";
+ private static final Map<String, String> SENSITIVE_PARAM_MAP = new
HashMap<String, String>() {
+
+ {
+ put("autoDeserialize=true", "autoDeserialize=false");
+ put("allowLoadLocalInfile=true", "allowLoadLocalInfile=false");
+ put("allowUrlInLocalInfile=true", "allowUrlInLocalInfile=false");
+ put("allowLoadLocalInfileInPath=/", "allowLoadLocalInfileInPath=");
+ }
+ };
+
private static final Logger LOGGER =
LoggerFactory.getLogger(MySQLSinkDTO.class);
@ApiModelProperty("MySQL JDBC URL, such as
jdbc:mysql://host:port/database")
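Review bot: The `allowLoadLocalInfileInPath=/` entry only neutralizes the literal root value; any other path value (for example `allowLoadLocalInfileInPath=/tmp`) does not match, and because the replacement is a substring replace it comes out as `allowLoadLocalInfileInPath=tmp`, still a usable path. Substring replacement of one spelling per key is a brittle denylist: the safer shape is to split the query string on `&`, compare parameter names, and drop or force the whole `name=value` pair regardless of its value, which also covers spellings other than `true`. Separately, the double-brace `new HashMap<String, String>() {{ … }}` creates an anonymous subclass and leaves the static map mutable; a plain static initializer wrapped in `Collections.unmodifiableMap(...)` (or `Map.of` where the build targets Java 9+) keeps it immutable, and `/** Sensitive JDBC parameters and the harmless value each is rewritten to. */` would document the map's role more precisely than the existing one-liner.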
@@ -178,14 +188,20 @@ public class MySQLSinkDTO {
if (StringUtils.isBlank(url)) {
return url;
}
-
- String resultUrl = url;
- if (StringUtils.containsIgnoreCase(url, SENSITIVE_PARAM_TRUE)) {
- resultUrl = StringUtils.replaceIgnoreCase(url,
SENSITIVE_PARAM_TRUE, SENSITIVE_PARAM_FALSE);
+ try {
+ String resultUrl = URLDecoder.decode(url, "UTF-8");
+ for (String sensitiveParam : SENSITIVE_PARAM_MAP.keySet()) {
+ if (StringUtils.containsIgnoreCase(resultUrl, sensitiveParam))
{
+ resultUrl = StringUtils.replaceIgnoreCase(resultUrl,
sensitiveParam,
+ SENSITIVE_PARAM_MAP.get(sensitiveParam));
+ }
+ }
+ LOGGER.info("the origin url [{}] was replaced to: [{}]", url,
resultUrl);
+ return resultUrl;
+ } catch (Exception e) {
+ throw new BusinessException(ErrorCodeEnum.SINK_INFO_INCORRECT,
+ ErrorCodeEnum.SINK_INFO_INCORRECT.getMessage() + ": " +
e.getMessage());
}
-
- LOGGER.debug("the origin url [{}] was replaced to: [{}]", url,
resultUrl);
- return resultUrl;
}
}
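Review bot: `filterSensitive` now returns the URL-decoded string even when nothing was replaced, so a caller's legitimately percent-encoded value (a password containing `%26`, or a `+` that decodes to a space) is silently rewritten into a different JDBC URL; the decoded form should be used only to detect matches, with the original `url` returned when no replacement happened. The log call on the new side was also raised from `debug` to `info` and prints the full URL, which for a sink may carry credentials in its query string, so it should go back to `debug` (or log only the parameter names that were rewritten). The `catch (Exception e)` around a decode that can only throw `UnsupportedEncodingException`/`IllegalArgumentException` is wider than needed and drops the cause; passing `e` as the exception cause keeps the stack trace. Iterating `keySet()` and then calling `get` twice is better written over `entrySet()`. The enclosing method's signature starts above this hunk.
```java
// … unchanged: blank-url guard …
String decoded = URLDecoder.decode(url, "UTF-8");
String resultUrl = decoded;
for (Map.Entry<String, String> entry : SENSITIVE_PARAM_MAP.entrySet()) {
    if (StringUtils.containsIgnoreCase(resultUrl, entry.getKey())) {
        resultUrl = StringUtils.replaceIgnoreCase(resultUrl, entry.getKey(), entry.getValue());
    }
}
if (resultUrl.equals(decoded)) {
    // nothing sensitive found: hand back the caller's string untouched, not its decoded form
    return url;
}
LOGGER.debug("the origin url [{}] was replaced to: [{}]", url, resultUrl);
return resultUrl;
// … unchanged: catch block, with e passed as the cause …
```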
diff --git
a/inlong-manager/manager-pojo/src/test/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTOTest.java
b/inlong-manager/manager-pojo/src/test/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTOTest.java
index 82d6129b4..79f357daf 100644
---
a/inlong-manager/manager-pojo/src/test/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTOTest.java
+++
b/inlong-manager/manager-pojo/src/test/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTOTest.java
@@ -20,25 +20,58 @@ package org.apache.inlong.manager.pojo.sink.mysql;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
+import java.net.URLEncoder;
+
/**
* Test for {@link MySQLSinkDTO}
*/
public class MySQLSinkDTOTest {
@Test
- public void testFilterSensitive() {
- // the sensitive params at the first
- String originUrl =
MySQLSinkDTO.filterSensitive("autoDeserialize=TRue&autoReconnect=true");
- Assertions.assertEquals("autoDeserialize=false&autoReconnect=true",
originUrl);
+ public void testFilterSensitive() throws Exception {
+ // the sensitive params no use url code
+ String originUrl = MySQLSinkDTO.filterSensitive(
+
"autoDeserialize=TRue&allowLoadLocalInfile=TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/&autoReconnect=true");
+ Assertions.assertEquals(
+
"autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=&autoReconnect=true",
+ originUrl);
+
+ originUrl = MySQLSinkDTO.filterSensitive(
+
"autoReconnect=true&autoDeserialize=TRue&allowLoadLocalInfile=TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/");
+ Assertions.assertEquals(
+
"autoReconnect=true&autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=",
+ originUrl);
+
+ originUrl = MySQLSinkDTO.filterSensitive(
+
"autoDeserialize=TRue&allowLoadLocalInfile=TRue&autoReconnect=true&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/");
+ Assertions.assertEquals(
+
"autoDeserialize=false&allowLoadLocalInfile=false&autoReconnect=true&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=",
+ originUrl);
+
+ // the sensitive params use url code
+ originUrl = MySQLSinkDTO.filterSensitive(
+ URLEncoder.encode(
+
"autoDeserialize=TRue&allowLoadLocalInfile=TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/&autoReconnect=true",
+ "UTF-8"));
+ Assertions.assertEquals(
+
"autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=&autoReconnect=true",
+ originUrl);
- // the sensitive params at the end
- originUrl =
MySQLSinkDTO.filterSensitive("autoReconnect=true&autoDeserialize=trUE");
- Assertions.assertEquals("autoReconnect=true&autoDeserialize=false",
originUrl);
+ originUrl = MySQLSinkDTO.filterSensitive(
+ URLEncoder.encode(
+
"autoReconnect=true&autoDeserialize=TRue&allowLoadLocalInfile=TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/",
+ "UTF-8"));
+ Assertions.assertEquals(
+
"autoReconnect=true&autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=",
+ originUrl);
- // the sensitive params in the middle
originUrl = MySQLSinkDTO.filterSensitive(
- "useSSL=false&autoDeserialize=TRUE&autoReconnect=true");
-
Assertions.assertEquals("useSSL=false&autoDeserialize=false&autoReconnect=true",
originUrl);
+ URLEncoder.encode(
+
"autoDeserialize=TRue&allowLoadLocalInfile=TRue&autoReconnect=true&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/",
+ "UTF-8"));
+ Assertions.assertEquals(
+
"autoDeserialize=false&allowLoadLocalInfile=false&autoReconnect=true&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=",
+ originUrl);
}
}
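Review bot: Every encoded case in `testFilterSensitive` percent-encodes the whole string and then asserts the fully decoded output, so the tests pin down that the filter returns a decoded URL rather than the caller's original one; a case with a non-sensitive encoded value (for example a password containing `%26` alongside `autoReconnect=true`) would make that behavior explicit and is currently missing. There is also no case for an `allowLoadLocalInfileInPath` value other than `/`, which is the path the map does not neutralize. The repeated encode-then-assert blocks could be folded into a small helper such as `assertFiltered(String input, String expected)` to keep the test readable.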