This is an automated email from the ASF dual-hosted git repository.
peacewong pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/linkis.git
The following commit(s) were added to refs/heads/master by this push:
new 9560905a6 Add security check for jdbc url in SecurityUtils.java (#5164)
9560905a6 is described below
commit 9560905a60b885d0dc41ff506a244342989398e7
Author: Le1a <[email protected]>
AuthorDate: Wed Sep 4 14:47:36 2024 +0800
Add security check for jdbc url in SecurityUtils.java (#5164)
* Add security check for jdbc url in SecurityUtils.java
* Update SecurityUtils.java
* Update SecurityUtils.java
---
.../apache/linkis/common/utils/SecurityUtils.java | 36 ++++++++++++++++++++++
1 file changed, 36 insertions(+)
diff --git
a/linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java
b/linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java
index af163a649..c08d16b52 100644
---
a/linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java
+++
b/linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java
@@ -79,6 +79,9 @@ public abstract class SecurityUtils {
private static final String JDBC_MYSQL_PROTOCOL = "jdbc:mysql";
+ private static final String BLACKLIST_REGEX =
+
"autodeserialize|allowloadlocalinfile|allowurlinlocalinfile|allowloadlocalinfileinpath";
+
/**
* check mysql connection params
*
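Review bot: BLACKLIST_REGEX is matched as a plain substring on the lowercased URL, so it only rejects the four spelled-out Connector/J properties; it does not match if the key reaches the driver in another form (e.g. percent-encoded, which the existing comment on checkParams says that method takes into account), and Connector/J has further properties that load a caller-named class (the interceptor and socketFactory properties) which are not listed here. If checkParams already covers those, a one-line comment on the constant saying so would stop the next reader from re-adding them; otherwise consider extending the list or, better, an allowlist of the properties Linkis actually needs. Suggested comment: `// Lowercase property names that enable MySQL LOAD DATA LOCAL / deserialization abuse; matched as substrings against the lowercased URL.`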
@@ -118,6 +121,10 @@ public abstract class SecurityUtils {
// 3. Check params. Mainly vulnerability parameters. Note the url encoding
checkParams(extraParams);
+
+ // 4. Check url security, especially for the possibility of malicious
characters appearing on
+ // the host
+ checkUrlIsSafe(url);
}
/** @param url */
@@ -283,6 +290,35 @@ public abstract class SecurityUtils {
}
}
+ /**
+ * check url is safe
+ *
+ * @param url
+ */
+ public static void checkUrlIsSafe(String url) {
+ try {
+ String lowercaseURL = url.toLowerCase();
+
+ Pattern pattern = Pattern.compile(BLACKLIST_REGEX);
+ Matcher matcher = pattern.matcher(lowercaseURL);
+
+ StringBuilder foundKeywords = new StringBuilder();
+ while (matcher.find()) {
+ if (foundKeywords.length() > 0) {
+ foundKeywords.append(", ");
+ }
+ foundKeywords.append(matcher.group());
+ }
+
+ if (foundKeywords.length() > 0) {
+ throw new LinkisSecurityException(
+ 35000, "url contains blacklisted characters: " + foundKeywords);
+ }
+ } catch (Exception e) {
+ throw new LinkisSecurityException(35000, "error occurred during url
security check: " + e);
+ }
+ }
+
private static Map<String, Object> parseMysqlUrlParamsToMap(String
paramsUrl) {
if (StringUtils.isBlank(paramsUrl)) {
return new LinkedHashMap<>();