This is an automated email from the ASF dual-hosted git repository.
dockerzhang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/inlong.git
The following commit(s) were added to refs/heads/master by this push:
new 710995af1a [INLONG-12133][Manager] Fix the security vulnerability in
/api/cluster/testConnection (#12134)
710995af1a is described below
commit 710995af1a122fdcc0b1a01110006fc2cab596e2
Author: fuweng11 <[email protected]>
AuthorDate: Wed Jun 3 19:28:49 2026 +0800
[INLONG-12133][Manager] Fix the security vulnerability in
/api/cluster/testConnection (#12134)
Co-authored-by: wakefu <[email protected]>
---
.../service/cluster/InlongClusterServiceImpl.java | 23 ++++++++++++++++++++++
.../web/controller/InlongClusterController.java | 2 ++
2 files changed, 25 insertions(+)
diff --git
a/inlong-manager/manager-service/src/main/java/org/apache/inlong/manager/service/cluster/InlongClusterServiceImpl.java
b/inlong-manager/manager-service/src/main/java/org/apache/inlong/manager/service/cluster/InlongClusterServiceImpl.java
index 8002ae77e6..5985724f2b 100644
---
a/inlong-manager/manager-service/src/main/java/org/apache/inlong/manager/service/cluster/InlongClusterServiceImpl.java
+++
b/inlong-manager/manager-service/src/main/java/org/apache/inlong/manager/service/cluster/InlongClusterServiceImpl.java
@@ -37,6 +37,7 @@ import org.apache.inlong.manager.common.enums.NodeStatus;
import org.apache.inlong.manager.common.exceptions.BusinessException;
import org.apache.inlong.manager.common.util.CommonBeanUtils;
import org.apache.inlong.manager.common.util.Preconditions;
+import org.apache.inlong.manager.common.util.UrlVerificationUtils;
import org.apache.inlong.manager.dao.entity.InlongClusterEntity;
import org.apache.inlong.manager.dao.entity.InlongClusterNodeEntity;
import org.apache.inlong.manager.dao.entity.InlongClusterTagEntity;
@@ -940,6 +941,17 @@ public class InlongClusterServiceImpl implements
InlongClusterService {
@Override
public Boolean testSSHConnection(ClusterNodeRequest request) {
+ // Validate IP to prevent SSRF attacks
+ String ip = request.getIp();
+ if (StringUtils.isNotBlank(ip)) {
+ try {
+ UrlVerificationUtils.validateHostNotInternal(ip);
+ } catch (Exception e) {
+ throw new BusinessException(ErrorCodeEnum.INVALID_PARAMETER,
+ "SSRF protection: " + e.getMessage());
+ }
+ }
+
AgentClusterNodeRequest nodeRequest = (AgentClusterNodeRequest)
request;
try {
CommandResult commandResult =
commandExecutor.execRemote(nodeRequest, "ls");
@@ -1271,6 +1283,17 @@ public class InlongClusterServiceImpl implements
InlongClusterService {
public Boolean testConnection(ClusterRequest request) {
LOGGER.info("begin test connection for: {}", request);
+ // Validate URL to prevent SSRF attacks
+ String url = request.getUrl();
+ if (StringUtils.isNotBlank(url)) {
+ try {
+ UrlVerificationUtils.validateUrlNotInternal(url);
+ } catch (Exception e) {
+ throw new BusinessException(ErrorCodeEnum.INVALID_PARAMETER,
+ "SSRF protection: " + e.getMessage());
+ }
+ }
+
// according to the data node type, test connection
InlongClusterOperator clusterOperator =
clusterOperatorFactory.getInstance(request.getType());
Boolean result = clusterOperator.testConnection(request);
diff --git
a/inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/controller/InlongClusterController.java
b/inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/controller/InlongClusterController.java
index 025c61f01f..23f2f0d7fd 100644
---
a/inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/controller/InlongClusterController.java
+++
b/inlong-manager/manager-web/src/main/java/org/apache/inlong/manager/web/controller/InlongClusterController.java
@@ -305,12 +305,14 @@ public class InlongClusterController {
@PostMapping("/cluster/node/testSSHConnection")
@ApiOperation(value = "Test SSH connection for inlong cluster node")
+ @RequiresRoles(logical = Logical.OR, value = {UserRoleCode.INLONG_ADMIN,
UserRoleCode.TENANT_ADMIN})
public Response<Boolean> testSSHConnection(@RequestBody ClusterNodeRequest
request) {
return Response.success(clusterService.testSSHConnection(request));
}
@PostMapping("/cluster/testConnection")
@ApiOperation(value = "Test connection for inlong cluster")
+ @RequiresRoles(logical = Logical.OR, value = {UserRoleCode.INLONG_ADMIN,
UserRoleCode.TENANT_ADMIN})
public Response<Boolean> testConnection(@Validated @RequestBody
ClusterRequest request) {
return Response.success(clusterService.testConnection(request));
}