sunrisefromdark commented on code in PR #9012:
URL: https://github.com/apache/inlong/pull/9012#discussion_r1349501947
##########
inlong-manager/manager-service/src/main/java/org/apache/inlong/manager/service/resource/sink/ck/ClickHouseJdbcUtils.java:
##########
@@ -39,37 +39,104 @@
public class ClickHouseJdbcUtils {
private static final String CLICKHOUSE_DRIVER_CLASS =
"ru.yandex.clickhouse.ClickHouseDriver";
- private static final String METADATA_TYPE = "TABLE";
private static final String COLUMN_LABEL = "TABLE_NAME";
private static final String CLICKHOUSE_JDBC_PREFIX = "jdbc:clickhouse";
private static final Logger LOG =
LoggerFactory.getLogger(ClickHouseJdbcUtils.class);
/**
- * Get ClickHouse connection from clickhouse url and user
+ * Get ClickHouse connection from ClickHouse URL and user.
+ *
+ * @param url JDBC URL, such as jdbc:clickhouse://host:port/database
+ * @param user Username for JDBC URL
+ * @param password User password
+ * @return {@link Connection}
+ * @throws Exception on get connection error
*/
public static Connection getConnection(String url, String user, String
password) throws Exception {
- if (StringUtils.isBlank(url) ||
!url.startsWith(CLICKHOUSE_JDBC_PREFIX)) {
- throw new Exception("ClickHouse server URL was invalid, it should
start with jdbc:clickhouse");
+ // Non-empty validation
+ validateInput(url, user, password);
+ validateUrlFormat(url);
+ String host = extractHostFromUrl(url);
+ String port = extractPortFromUrl(url);
+ validateHost(host);
+ validatePort(port);
+
+ Connection conn = establishConnection(url, user, password);
+ return conn;
+ }
+
+ private static void validateUrlFormat(String url) throws Exception {
+ if (!url.startsWith(CLICKHOUSE_JDBC_PREFIX)) {
+ throw new Exception("ClickHouse JDBC URL is invalid, it should
start with " + CLICKHOUSE_JDBC_PREFIX);
}
+
+ String[] hostPortParts =
url.substring(CLICKHOUSE_JDBC_PREFIX.length()).split("/");
+ if (hostPortParts.length < 1) {
+ throw new Exception("Invalid ClickHouse JDBC URL format");
+ }
+ }
+
+ private static String extractHostFromUrl(String url) throws Exception {
+ String hostPortPart =
url.substring(CLICKHOUSE_JDBC_PREFIX.length()).split("/")[0];
+ String[] hostPortSplit = hostPortPart.split(":");
+ if (hostPortSplit.length != 2) {
+ throw new Exception("Invalid host:port format in ClickHouse JDBC
URL");
+ }
+ return hostPortSplit[0];
+ }
+
+ private static String extractPortFromUrl(String url) throws Exception {
+ String hostPortPart =
url.substring(CLICKHOUSE_JDBC_PREFIX.length()).split("/")[0];
+ String[] hostPortSplit = hostPortPart.split(":");
+ if (hostPortSplit.length != 2) {
+ throw new Exception("Invalid host:port format in ClickHouse JDBC
URL");
+ }
+ return hostPortSplit[1];
+ }
+
+ private static void validateHost(String host) throws Exception {
+ String allowedHostsPattern =
"^(localhost|192\\.168\\.1\\.\\d{1,3}|10\\.0\\.0\\.\\d{1,3})$";
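Review bot: extractHostFromUrl and extractPortFromUrl take element 0 of `url.substring(CLICKHOUSE_JDBC_PREFIX.length()).split("/")`, but for the URL form the Javadoc documents, `jdbc:clickhouse://host:port/database`, that substring is `://host:port/database`, so element 0 is `:` and the `hostPortSplit.length != 2` check throws for every well-formed URL; the host allowlist in validateHost is then only reached by URLs that omit the `//` separator. A minimal fix is to require and strip the full scheme separator: in validateUrlFormat `if (!url.startsWith(CLICKHOUSE_JDBC_PREFIX + "://")) {` and in both extractors `String hostPortPart = url.substring((CLICKHOUSE_JDBC_PREFIX + "://").length()).split("/")[0];`. Better still, parse once with `java.net.URI` on the part after `jdbc:` and read `getHost()`/`getPort()`, which removes the duplicated split logic and also handles bracketed IPv6 literals that `split(":")` rejects. Because the host check is the control that decides which server the manager will open a JDBC connection to, that single parse should be the same value establishConnection uses. validateInput, validatePort, establishConnection and the remainder of validateHost are outside the hunk.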
Review Comment:
Preventing malicious host connections: By limiting the host range,
applications can be prevented from inadvertently connecting to untrusted or
malicious hosts. This helps prevent some network attacks, such as server-side
request forgery. Localhost and IP addresses starting with 192.168.1 or 10.0.0 are
the more commonly used address ranges, so I chose them. If these
restrictions conflict with the business logic, let me know and I will change them
immediately.