This is an automated email from the ASF dual-hosted git repository.
wanghailin pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/seatunnel-web.git
The following commit(s) were added to refs/heads/main by this push:
new ee307730 [Hotfix] Fix arbitrary file readvulnerability on mysql jdbc
(#166)
ee307730 is described below
commit ee3077305695c42b145130b7cb6546fe2616256b
Author: hailin0 <[email protected]>
AuthorDate: Wed Jun 12 13:44:30 2024 +0800
[Hotfix] Fix arbitrary file readvulnerability on mysql jdbc (#166)
* [Hotfix] Fix arbitrary file read vulnerability on mysql jdbc
link
https://github.com/apache/security-site/commit/5a193b7e29dc616d019784ca9fbf1671f3f0b4d2
* fix
---
.../plugin/mysql/jdbc/MysqlJdbcDataSourceChannel.java | 13 +++++++++----
tools/dependencies/known-dependencies.txt | 1 +
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git
a/seatunnel-datasource/seatunnel-datasource-plugins/datasource-jdbc-mysql/src/main/java/org/apache/seatunnel/datasource/plugin/mysql/jdbc/MysqlJdbcDataSourceChannel.java
b/seatunnel-datasource/seatunnel-datasource-plugins/datasource-jdbc-mysql/src/main/java/org/apache/seatunnel/datasource/plugin/mysql/jdbc/MysqlJdbcDataSourceChannel.java
index 78a7f62e..24e863b2 100644
---
a/seatunnel-datasource/seatunnel-datasource-plugins/datasource-jdbc-mysql/src/main/java/org/apache/seatunnel/datasource/plugin/mysql/jdbc/MysqlJdbcDataSourceChannel.java
+++
b/seatunnel-datasource/seatunnel-datasource-plugins/datasource-jdbc-mysql/src/main/java/org/apache/seatunnel/datasource/plugin/mysql/jdbc/MysqlJdbcDataSourceChannel.java
@@ -36,6 +36,7 @@ import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
+import java.util.Properties;
import java.util.function.Function;
import java.util.stream.Collectors;
@@ -187,11 +188,15 @@ public class MysqlJdbcDataSourceChannel implements
DataSourceChannel {
String url =
JdbcUtils.replaceDatabase(
requestParams.get(MysqlOptionRule.URL.key()),
databaseName);
+
+ Properties info = new java.util.Properties();
+ info.put("autoDeserialize", "false");
+ info.put("allowLoadLocalInfile", "false");
+ info.put("allowLoadLocalInfileInPath", "");
if (requestParams.containsKey(MysqlOptionRule.USER.key())) {
- String username = requestParams.get(MysqlOptionRule.USER.key());
- String password =
requestParams.get(MysqlOptionRule.PASSWORD.key());
- return DriverManager.getConnection(url, username, password);
+ info.put("user", requestParams.get(MysqlOptionRule.USER.key()));
+ info.put("password",
requestParams.get(MysqlOptionRule.PASSWORD.key()));
}
- return DriverManager.getConnection(url);
+ return DriverManager.getConnection(url, info);
}
}
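Review bot: `info.put("password", requestParams.get(MysqlOptionRule.PASSWORD.key()))` throws NullPointerException when the password key is absent, because `Properties` is a `Hashtable` and rejects null values, whereas the replaced `DriverManager.getConnection(url, username, password)` tolerated a null password (the same holds for the user value if the key maps to null). Guard it: `String password = requestParams.get(MysqlOptionRule.PASSWORD.key()); if (password != null) { info.setProperty("password", password); }`, and since the first hunk now imports `java.util.Properties`, `new java.util.Properties()` can become `new Properties()` with `setProperty` used for the other keys as well. Whether the three hardening entries actually win over the same keys embedded in the caller-supplied URL from `requestParams` depends on the driver's precedence rules — Connector/J 8 lets the `Properties` argument override URL parameters, but this is worth confirming against the driver version this module bundles. The enclosing method begins before this hunk.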
diff --git a/tools/dependencies/known-dependencies.txt
b/tools/dependencies/known-dependencies.txt
index af5428be..1387d780 100644
--- a/tools/dependencies/known-dependencies.txt
+++ b/tools/dependencies/known-dependencies.txt
@@ -5,6 +5,7 @@ commons-collections4-4.4.jar
commons-codec-1.13.jar
commons-io-2.11.0.jar
config-1.3.3.jar
+db2jcc-db2jcc4.jar
gson-2.8.6.jar
guava-19.0.jar
hibernate-validator-6.2.2.Final.jar