This is an automated email from the ASF dual-hosted git repository.
casion pushed a commit to branch dev-1.3.1
in repository https://gitbox.apache.org/repos/asf/incubator-linkis.git
The following commit(s) were added to refs/heads/dev-1.3.1 by this push:
new b9a13c52e [ISSUE-3795] Handle mysql connection parameters (#3826)
b9a13c52e is described below
commit b9a13c52e1fc6f370727d6ab0e69f289dd603211
Author: aiceflower <[email protected]>
AuthorDate: Tue Nov 15 14:14:45 2022 +0800
[ISSUE-3795] Handle mysql connection parameters (#3826)
---
.../query/service/mysql/SqlConnection.java | 39 ++++++++++++++++++++--
1 file changed, 36 insertions(+), 3 deletions(-)
diff --git
a/linkis-public-enhancements/linkis-datasource/linkis-metadata-query/service/jdbc/src/main/java/org/apache/linkis/metadata/query/service/mysql/SqlConnection.java
b/linkis-public-enhancements/linkis-datasource/linkis-metadata-query/service/jdbc/src/main/java/org/apache/linkis/metadata/query/service/mysql/SqlConnection.java
index ddf2f5baf..9f3aa0f8c 100644
---
a/linkis-public-enhancements/linkis-datasource/linkis-metadata-query/service/jdbc/src/main/java/org/apache/linkis/metadata/query/service/mysql/SqlConnection.java
+++
b/linkis-public-enhancements/linkis-datasource/linkis-metadata-query/service/jdbc/src/main/java/org/apache/linkis/metadata/query/service/mysql/SqlConnection.java
@@ -20,12 +20,12 @@ package org.apache.linkis.metadata.query.service.mysql;
import org.apache.linkis.common.conf.CommonVars;
import org.apache.linkis.metadata.query.common.domain.MetaColumnInfo;
+import org.springframework.util.CollectionUtils;
+
import java.io.Closeable;
import java.io.IOException;
import java.sql.*;
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
+import java.util.*;
import java.util.stream.Collectors;
import org.slf4j.Logger;
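Review bot: The three explicit `java.util` imports are replaced by a wildcard `import java.util.*;`, while the rest of this import block stays explicit; the only new name the patch needs is `Iterator`, so `import java.util.Iterator;` alongside the existing `ArrayList`, `List` and `Map` lines keeps the file's convention and avoids pulling ambiguous names into scope. The new `org.springframework.util.CollectionUtils` import is used only for one `isEmpty` check; if this jdbc service module did not already depend on Spring (not visible here), `extraParams == null || extraParams.isEmpty()` avoids adding a dependency for it.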
@@ -59,6 +59,8 @@ public class SqlConnection implements Closeable {
String database,
Map<String, Object> extraParams)
throws ClassNotFoundException, SQLException {
+ // Handle mysql security vulnerabilities
+ validateParams(extraParams);
connectMessage = new ConnectMessage(host, port, username, password,
extraParams);
conn = getDBConnection(connectMessage, database);
// Try to create statement
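Review bot: The added `validateParams(extraParams);` mutates the caller-supplied map in place, so the `put` calls inside it throw `UnsupportedOperationException` for an unmodifiable map (`Map.of`, `Collections.unmodifiableMap`) and otherwise silently rewrite the caller's object; callers are not visible here, so this is inferred from the signature. A defensive copy at the call site avoids both: `Map<String, Object> safeParams = extraParams == null ? new HashMap<>() : new HashMap<>(extraParams);` then `validateParams(safeParams);` and pass `safeParams` to `ConnectMessage`. Note that `validateParams` as written returns early on an empty map, so for the copy to be hardened that early return would need to be relaxed to a plain null guard. The constructor continues past the end of this hunk.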
@@ -66,6 +68,37 @@ public class SqlConnection implements Closeable {
statement.close();
}
+ /**
+ * Handle mysql security vulnerabilities
+ *
+ * @param extraParams
+ */
+ private void validateParams(Map<String, Object> extraParams) {
+ if (CollectionUtils.isEmpty(extraParams)) {
+ return;
+ }
+
+ // Delete suspected vulnerability parameters
+ Iterator<Map.Entry<String, Object>> iterator =
extraParams.entrySet().iterator();
+ while (iterator.hasNext()) {
+ Map.Entry<String, Object> entry = iterator.next();
+ String key = entry.getKey();
+ if ("allowLoadLocalInfile".equalsIgnoreCase(key)
+ || "autoDeserialize".equalsIgnoreCase(key)
+ || "allowLocalInfile".equalsIgnoreCase(key)
+ || "allowUrlInLocalInfile".equalsIgnoreCase(key)) {
+ extraParams.remove(key);
+ iterator.remove();
+ }
+ }
+
+ // Set all vulnerability parameters to false
+ extraParams.put("allowLoadLocalInfile", "false");
+ extraParams.put("autoDeserialize", "false");
+ extraParams.put("allowLocalInfile", "false");
+ extraParams.put("allowUrlInLocalInfile", "false");
+ }
+
public List<String> getAllDatabases() throws SQLException {
List<String> dataBaseName = new ArrayList<>();
Statement stmt = null;
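Review bot: In the removal loop, `extraParams.remove(key);` followed by `iterator.remove();` deletes the same entry twice, and on a `HashMap`/`LinkedHashMap`/`TreeMap` the explicit `remove(key)` bumps `modCount` so the subsequent `iterator.remove()` throws `ConcurrentModificationException` — the sanitizer fails exactly when a blocked key is present. Drop the `extraParams.remove(key);` line, or replace the loop with `extraParams.keySet().removeIf(k -> BLOCKED.stream().anyMatch(k::equalsIgnoreCase));` over a `static final Set<String>` of the four names, which also keeps the case-insensitive check and the `put` block from drifting apart. The early `return` on an empty map means the four `"false"` overrides are never added when no extra params were supplied, leaving whatever the driver's defaults are; a null guard alone would be safer. A blocklist is also inherently incomplete — Connector/J additionally honours `queryInterceptors`/`statementInterceptors` and `detectCustomCollations`, which appear in the same deserialization chain as `autoDeserialize`, and if `host` or `database` are attacker-influenced and concatenated into the JDBC URL by `getDBConnection` (not visible here) a `?autoDeserialize=true` suffix bypasses this map entirely, so an allowlist of permitted keys would be the stronger posture. `getAllDatabases` continues outside the hunk.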