This is an automated email from the ASF dual-hosted git repository.
healchow pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/inlong.git
The following commit(s) were added to refs/heads/master by this push:
new 46c4e96a84 [INLONG-8603][Manager] Fix the vulnerability to security
attacks for the MySQL JDBC URL (#8604)
46c4e96a84 is described below
commit 46c4e96a84839bd540f47c659c9d8576e393da02
Author: fuweng11 <[email protected]>
AuthorDate: Mon Jul 31 12:42:14 2023 +0800
[INLONG-8603][Manager] Fix the vulnerability to security attacks for the
MySQL JDBC URL (#8604)
---
.../inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java | 6 ++----
.../manager/pojo/sink/mysql/MySQLSinkDTOTest.java | 18 +++++++++---------
2 files changed, 11 insertions(+), 13 deletions(-)
diff --git
a/inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java
b/inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java
index 13c9688a53..b4b485d629 100644
---
a/inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java
+++
b/inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java
@@ -245,15 +245,13 @@ public class MySQLSinkDTO {
String key = StringUtils.substringBefore(param, "=");
String value = StringUtils.substringAfter(param, "=");
- if (SENSITIVE_REMOVE_PARAM_MAP.contains(key)) {
+ if (SENSITIVE_REMOVE_PARAM_MAP.contains(key) ||
SENSITIVE_REPLACE_PARAM_MAP.containsKey(key)) {
continue;
}
- if (SENSITIVE_REPLACE_PARAM_MAP.containsKey(key)) {
- value = SENSITIVE_REPLACE_PARAM_MAP.get(key);
- }
paramList.add(key + "=" + value);
}
+ SENSITIVE_REPLACE_PARAM_MAP.forEach((key, value) ->
paramList.add(key + "=" + value));
String params = StringUtils.join(paramList, "&");
builder.append(params);
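Review bot: The lookups `SENSITIVE_REMOVE_PARAM_MAP.contains(key)` and `SENSITIVE_REPLACE_PARAM_MAP.containsKey(key)` match the parameter name exactly. The guarantee that a caller-supplied copy is dropped before the safe values are appended therefore holds only if `key` has been case-normalized earlier in the method, which starts outside this hunk. The tests in this commit cover URL-encoded and space-padded names, but vary case only in the values. If the driver resolves property names case-insensitively, a differently-cased name would stay in `paramList` beside the appended safe entry, and the effective setting would then depend on how the driver handles duplicates. Consider backing both collections with case-insensitive structures (for example a `TreeMap`/`TreeSet` built with `String.CASE_INSENSITIVE_ORDER`), and adding a comment above the `forEach` such as `// always append the safe values, even when the caller did not supply the parameter`. An allowlist of permitted parameters would be easier to audit than this denylist.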
diff --git
a/inlong-manager/manager-pojo/src/test/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTOTest.java
b/inlong-manager/manager-pojo/src/test/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTOTest.java
index c07b25e65c..fe6d4f7dd1 100644
---
a/inlong-manager/manager-pojo/src/test/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTOTest.java
+++
b/inlong-manager/manager-pojo/src/test/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTOTest.java
@@ -33,24 +33,24 @@ public class MySQLSinkDTOTest {
String originUrl = MySQLSinkDTO.filterSensitive(
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=TRue&allowLoadLocalInfile =
TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/&autoReconnect=true");
Assertions.assertEquals(
-
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false&autoReconnect=true",
+
"jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize=false&allowUrlInLocalInfile=false&allowLoadLocalInfile=false",
originUrl);
originUrl = MySQLSinkDTO.filterSensitive(
"jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize =
TRue&allowLoadLocalInfile=TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/");
Assertions.assertEquals(
-
"jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false",
+
"jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize=false&allowUrlInLocalInfile=false&allowLoadLocalInfile=false",
originUrl);
originUrl = MySQLSinkDTO.filterSensitive(
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=TRue&allowLoadLocalInfile =
TRue&autoReconnect=true&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/");
Assertions.assertEquals(
-
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowLoadLocalInfile=false&autoReconnect=true&allowUrlInLocalInfile=false",
+
"jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize=false&allowUrlInLocalInfile=false&allowLoadLocalInfile=false",
originUrl);
originUrl = MySQLSinkDTO.filterSensitive(
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=Yes&allowLoadLocalInfile =
Yes&autoReconnect=true&allowUrlInLocalInfile=YEs&allowLoadLocalInfileInPath=/");
Assertions.assertEquals(
-
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowLoadLocalInfile=false&autoReconnect=true&allowUrlInLocalInfile=false",
+
"jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize=false&allowUrlInLocalInfile=false&allowLoadLocalInfile=false",
originUrl);
// the sensitive params use url code
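Review bot: The new expected strings pin the order in which `SENSITIVE_REPLACE_PARAM_MAP.forEach` emits its entries (`autoDeserialize`, `allowUrlInLocalInfile`, `allowLoadLocalInfile`). That order is guaranteed only if the map is insertion-ordered, such as a `LinkedHashMap`, and its declaration is not visible here. If it is a plain `HashMap`, these assertions and the identical ones in the later hunks of this file (`@@ -59`, `@@ -67`, `@@ -75`, `@@ -83`) rely on unspecified iteration order. Either declare the map as ordered or compare the parsed parameter set rather than the full string. The test method begins outside the hunk, but none of the visible cases uses a mixed-case parameter name or a URL without a query string, so one assertion for each would be worth adding.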
@@ -59,7 +59,7 @@ public class MySQLSinkDTOTest {
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=TRue&allowLoadLocalInfile =
TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/&autoReconnect=true",
"UTF-8"));
Assertions.assertEquals(
-
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false&autoReconnect=true",
+
"jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize=false&allowUrlInLocalInfile=false&allowLoadLocalInfile=false",
originUrl);
originUrl = MySQLSinkDTO.filterSensitive(
@@ -67,7 +67,7 @@ public class MySQLSinkDTOTest {
"jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize =
TRue&allowLoadLocalInfile=TRue&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/",
"UTF-8"));
Assertions.assertEquals(
-
"jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false",
+
"jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize=false&allowUrlInLocalInfile=false&allowLoadLocalInfile=false",
originUrl);
originUrl = MySQLSinkDTO.filterSensitive(
@@ -75,7 +75,7 @@ public class MySQLSinkDTOTest {
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=TRue&allowLoadLocalInfile =
TRue&autoReconnect=true&allowUrlInLocalInfile=TRue&allowLoadLocalInfileInPath=/",
"UTF-8"));
Assertions.assertEquals(
-
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowLoadLocalInfile=false&autoReconnect=true&allowUrlInLocalInfile=false",
+
"jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize=false&allowUrlInLocalInfile=false&allowLoadLocalInfile=false",
originUrl);
originUrl = MySQLSinkDTO.filterSensitive(
@@ -83,13 +83,13 @@ public class MySQLSinkDTOTest {
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=Yes&allowLoadLocalInfile =
yes&autoReconnect=true&allowUrlInLocalInfile=YES&allowLoadLocalInfileInPath=/",
"UTF-8"));
Assertions.assertEquals(
-
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowLoadLocalInfile=false&autoReconnect=true&allowUrlInLocalInfile=false",
+
"jdbc:mysql://127.0.0.1:3306?autoReconnect=true&autoDeserialize=false&allowUrlInLocalInfile=false&allowLoadLocalInfile=false",
originUrl);
originUrl = MySQLSinkDTO.filterSensitive(
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=%59%65%73&allowLoadLocalInfile =
yes&allowUrlInLocalInfil%65+=%74%72%75%45&allowLoadLocalInfileInPath=%2F");
Assertions.assertEquals(
-
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowLoadLocalInfile=false&allowUrlInLocalInfile=false",
+
"jdbc:mysql://127.0.0.1:3306?autoDeserialize=false&allowUrlInLocalInfile=false&allowLoadLocalInfile=false",
originUrl);
}