This is an automated email from the ASF dual-hosted git repository.
healchow pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/inlong.git
The following commit(s) were added to refs/heads/master by this push:
new 34835f8277 [INLONG-8129][Manager] Add encoding check to the MySQL JDBC
URL (#8130)
34835f8277 is described below
commit 34835f827771074345f42a9b1658d018f202516e
Author: Hao <[email protected]>
AuthorDate: Tue Jun 6 16:08:18 2023 +0800
[INLONG-8129][Manager] Add encoding check to the MySQL JDBC URL (#8130)
---
.../manager/pojo/sink/mysql/MySQLSinkDTO.java | 49 ++++++++++++++++++----
.../manager/pojo/sink/mysql/MySQLSinkDTOTest.java | 43 +++++++++++++------
2 files changed, 71 insertions(+), 21 deletions(-)
diff --git
a/inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java
b/inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java
index 1b63e046f9..8179d01f80 100644
---
a/inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java
+++
b/inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java
@@ -35,9 +35,12 @@ import org.slf4j.LoggerFactory;
import javax.validation.constraints.NotNull;
import java.net.URLDecoder;
+import java.util.ArrayList;
import java.util.HashMap;
+import java.util.HashSet;
import java.util.List;
import java.util.Map;
+import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@@ -53,13 +56,19 @@ public class MySQLSinkDTO {
/**
* The sensitive param may lead the attack.
*/
- private static final Map<String, String> SENSITIVE_PARAM_MAP = new
HashMap<String, String>() {
+ private static final Map<String, String> SENSITIVE_REPLACE_PARAM_MAP = new
HashMap<String, String>() {
{
- put("autoDeserialize=true", "autoDeserialize=false");
- put("allowLoadLocalInfile=true", "allowLoadLocalInfile=false");
- put("allowUrlInLocalInfile=true", "allowUrlInLocalInfile=false");
- put("allowLoadLocalInfileInPath=/", "allowLoadLocalInfileInPath=");
+ put("autoDeserialize", "false");
+ put("allowLoadLocalInfile", "false");
+ put("allowUrlInLocalInfile", "false");
+ }
+ };
+
+ private static final Set<String> SENSITIVE_REMOVE_PARAM_MAP = new
HashSet<String>() {
+
+ {
+ add("allowLoadLocalInfileInPath");
}
};
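Review bot: `SENSITIVE_REMOVE_PARAM_MAP` is declared as a `Set<String>` but named as a map, which misleads at the call sites; rename it `SENSITIVE_REMOVE_PARAM_SET` (adjusting the lookups in filterSensitive). Both constants use double-brace initialization, which creates a mutable anonymous subclass per constant; since these are security denylists they should be unmodifiable, e.g. `Set.of("allowLoadLocalInfileInPath")` if the module targets Java 9+, otherwise `Collections.unmodifiableSet(...)` / `Collections.unmodifiableMap(...)` around the built collection. The new set also lacks the Javadoc the map has; a one-liner such as `/** Params removed from the URL entirely, since no safe replacement value exists for them. */` would explain why one list replaces and the other drops.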
@@ -222,18 +231,40 @@ public class MySQLSinkDTO {
if (StringUtils.isBlank(url)) {
return url;
}
+
try {
String resultUrl = url;
while (resultUrl.contains(InlongConstants.PERCENT)) {
resultUrl = URLDecoder.decode(resultUrl, "UTF-8");
}
resultUrl = resultUrl.replaceAll(InlongConstants.BLANK, "");
- for (String sensitiveParam : SENSITIVE_PARAM_MAP.keySet()) {
- if (StringUtils.containsIgnoreCase(resultUrl, sensitiveParam))
{
- resultUrl = StringUtils.replaceIgnoreCase(resultUrl,
sensitiveParam,
- SENSITIVE_PARAM_MAP.get(sensitiveParam));
+
+ if (resultUrl.contains(InlongConstants.QUESTION_MARK)) {
+ StringBuilder builder = new StringBuilder();
+ builder.append(StringUtils.substringBefore(resultUrl,
InlongConstants.QUESTION_MARK));
+ builder.append(InlongConstants.QUESTION_MARK);
+
+ List<String> paramList = new ArrayList<>();
+ String queryString = StringUtils.substringAfter(resultUrl,
InlongConstants.QUESTION_MARK);
+ for (String param : queryString.split("&")) {
+ String key = StringUtils.substringBefore(param, "=");
+ String value = StringUtils.substringAfter(param, "=");
+
+ if (SENSITIVE_REMOVE_PARAM_MAP.contains(key)) {
+ continue;
+ }
+
+ if (SENSITIVE_REPLACE_PARAM_MAP.containsKey(key)) {
+ value = SENSITIVE_REPLACE_PARAM_MAP.get(key);
+ }
+ paramList.add(key + "=" + value);
}
+
+ String params = StringUtils.join(paramList, "&");
+ builder.append(params);
+ resultUrl = builder.toString();
}
+
LOGGER.info("the origin url [{}] was replaced to: [{}]", url,
resultUrl);
return resultUrl;
} catch (Exception e) {
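Review bot: The lookups `SENSITIVE_REMOVE_PARAM_MAP.contains(key)` and `SENSITIVE_REPLACE_PARAM_MAP.containsKey(key)` are exact-case, whereas the removed loop used `containsIgnoreCase`; if the driver matches property keys case-insensitively (Connector/J 8 normalizes key case), a differently cased key would presumably pass through this filter untouched, and the new tests only vary the case of values. Normalize before the lookup, e.g. `String lookupKey = key.toLowerCase(Locale.ROOT);` (add the `java.util.Locale` import), use `lookupKey` in the three set/map calls, and store the static entries in lower case while still emitting the original `key` in `paramList`. The filter also only inspects the part after `?`; Connector/J additionally accepts properties in the host section of the URL, which this branch does not cover, so a comment stating that limitation (or a second pass over the host part) would help the next maintainer. Separately, the context line `LOGGER.info("the origin url [{}] was replaced to: [{}]", url, resultUrl)` writes the complete URL at INFO level, which may carry `user`/`password` query parameters; consider DEBUG or masking those keys. The enclosing catch block continues outside the hunk.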
diff --git
a/inlong-manager/manager-pojo/src/test/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTOTest.java
b/inlong-manager/manager-pojo/src/test/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTOTest.java
index d5763711cd..c07b25e65c 100644
---
a/inlong-manager/manager-pojo/src/test/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTOTest.java
+++
b/inlong-manager/manager-pojo/src/test/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTOTest.java
@@ -31,46 +31,65 @@ public class MySQLSinkDTOTest {
public void testFilterSensitive() throws Exception {
// the sensitive params no use url code
String originUrl = MySQLSinkDTO.filterSensitive(
- "autoDeserialize=TRue&allowLoadLocalInfile =
TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/&autoReconnect=true");
+
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=TRue&allowLoadLocalInfile =
TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/&autoReconnect=true");
Assertions.assertEquals(
-
"autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=&autoReconnect=true",
+
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false&autoReconnect=true",
originUrl);
originUrl = MySQLSinkDTO.filterSensitive(
- "autoReconnect=true&autoDeserialize =
TRue&allowLoadLocalInfile=TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/");
+
"jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize =
TRue&allowLoadLocalInfile=TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/");
Assertions.assertEquals(
-
"autoReconnect=true&autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=",
+
"jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false",
originUrl);
originUrl = MySQLSinkDTO.filterSensitive(
- "autoDeserialize=TRue&allowLoadLocalInfile =
TRue&autoReconnect=true&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/");
+
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=TRue&allowLoadLocalInfile =
TRue&autoReconnect=true&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/");
Assertions.assertEquals(
-
"autoDeserialize=false&allowLoadLocalInfile=false&autoReconnect=true&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=",
+
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowLoadLocalInfile=false&autoReconnect=true&allowUrlInLocalInfile=false",
+ originUrl);
+ originUrl = MySQLSinkDTO.filterSensitive(
+
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=Yes&allowLoadLocalInfile =
Yes&autoReconnect=true&allowUrlInLocalInfile=YEs&allowLoadLocalInfileInPath=/");
+ Assertions.assertEquals(
+
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowLoadLocalInfile=false&autoReconnect=true&allowUrlInLocalInfile=false",
originUrl);
// the sensitive params use url code
originUrl = MySQLSinkDTO.filterSensitive(
URLEncoder.encode(
- "autoDeserialize=TRue&allowLoadLocalInfile =
TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/&autoReconnect=true",
+
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=TRue&allowLoadLocalInfile =
TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/&autoReconnect=true",
"UTF-8"));
Assertions.assertEquals(
-
"autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=&autoReconnect=true",
+
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false&autoReconnect=true",
originUrl);
originUrl = MySQLSinkDTO.filterSensitive(
URLEncoder.encode(
- "autoReconnect=true&autoDeserialize =
TRue&allowLoadLocalInfile=TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/",
+
"jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize =
TRue&allowLoadLocalInfile=TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/",
"UTF-8"));
Assertions.assertEquals(
-
"autoReconnect=true&autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=",
+
"jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false",
originUrl);
originUrl = MySQLSinkDTO.filterSensitive(
URLEncoder.encode(
- "autoDeserialize=TRue&allowLoadLocalInfile =
TRue&autoReconnect=true&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/",
+
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=TRue&allowLoadLocalInfile =
TRue&autoReconnect=true&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/",
"UTF-8"));
Assertions.assertEquals(
-
"autoDeserialize=false&allowLoadLocalInfile=false&autoReconnect=true&allowUrlInLocalInfile=false&allowLoadLocalInfileInPath=",
+
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowLoadLocalInfile=false&autoReconnect=true&allowUrlInLocalInfile=false",
+ originUrl);
+
+ originUrl = MySQLSinkDTO.filterSensitive(
+ URLEncoder.encode(
+
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=Yes&allowLoadLocalInfile =
yes&autoReconnect=true&allowUrlInLocalInfile=YES&allowLoadLocalInfileInPath=/",
+ "UTF-8"));
+ Assertions.assertEquals(
+
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowLoadLocalInfile=false&autoReconnect=true&allowUrlInLocalInfile=false",
+ originUrl);
+
+ originUrl = MySQLSinkDTO.filterSensitive(
+
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=%59%65%73&allowLoadLocalInfile =
yes&allowUrlInLocalInfil%65+=%74%72%75%45&allowLoadLocalInfileInPath=%2F");
+ Assertions.assertEquals(
+
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false",
originUrl);
}