This is an automated email from the ASF dual-hosted git repository.

fanjia pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/seatunnel-web.git


The following commit(s) were added to refs/heads/main by this push:
     new 7392918d [Hotfix] Fix arbitrary file readvulnerability on mysql cdc 
(#167)
7392918d is described below

commit 7392918d9ce7a4c686539cf44e2840aed09670ba
Author: hailin0 <[email protected]>
AuthorDate: Wed Jun 12 13:51:37 2024 +0800

    [Hotfix] Fix arbitrary file readvulnerability on mysql cdc (#167)
---
 .../plugin/cdc/mysql/MysqlCDCDataSourceChannel.java         | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git 
a/seatunnel-datasource/seatunnel-datasource-plugins/datasource-mysql-cdc/src/main/java/org/apache/seatunnel/datasource/plugin/cdc/mysql/MysqlCDCDataSourceChannel.java
 
b/seatunnel-datasource/seatunnel-datasource-plugins/datasource-mysql-cdc/src/main/java/org/apache/seatunnel/datasource/plugin/cdc/mysql/MysqlCDCDataSourceChannel.java
index 1cd99d36..e4a00fbd 100644
--- 
a/seatunnel-datasource/seatunnel-datasource-plugins/datasource-mysql-cdc/src/main/java/org/apache/seatunnel/datasource/plugin/cdc/mysql/MysqlCDCDataSourceChannel.java
+++ 
b/seatunnel-datasource/seatunnel-datasource-plugins/datasource-mysql-cdc/src/main/java/org/apache/seatunnel/datasource/plugin/cdc/mysql/MysqlCDCDataSourceChannel.java
@@ -38,6 +38,7 @@ import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Properties;
 import java.util.Set;
 
 public class MysqlCDCDataSourceChannel implements DataSourceChannel {
@@ -154,13 +155,17 @@ public class MysqlCDCDataSourceChannel implements 
DataSourceChannel {
             throw new DataSourcePluginException("Jdbc url is null");
         }
         String url = requestParams.get(MysqlCDCOptionRule.BASE_URL.key());
+
+        Properties info = new java.util.Properties();
+        info.put("autoDeserialize", "false");
+        info.put("allowLoadLocalInfile", "false");
+        info.put("allowLoadLocalInfileInPath", "");
         if (null != requestParams.get(MysqlCDCOptionRule.PASSWORD.key())
                 && null != 
requestParams.get(MysqlCDCOptionRule.USERNAME.key())) {
-            String username = 
requestParams.get(MysqlCDCOptionRule.USERNAME.key());
-            String password = 
requestParams.get(MysqlCDCOptionRule.PASSWORD.key());
-            return DriverManager.getConnection(url, username, password);
+            info.put("user", 
requestParams.get(MysqlCDCOptionRule.USERNAME.key()));
+            info.put("password", 
requestParams.get(MysqlCDCOptionRule.PASSWORD.key()));
         }
-        return DriverManager.getConnection(url);
+        return DriverManager.getConnection(url, info);
     }
 
     protected List<String> getDataBaseNames(Map<String, String> requestParams) 
throws SQLException {
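Review bot: `url` still reaches `DriverManager.getConnection(url, info)` unvalidated, so the three hardening properties only help if the MySQL driver is the one selected for that URL and nothing inside the URL takes precedence over `info`. Connector/J URLs can also carry settings of their own, including per-host ones, and I would not assume `info` overrides them on every driver version, so this should be confirmed against the version that is shipped. A check before connecting, such as `if (!url.startsWith("jdbc:mysql://")) throw new DataSourcePluginException("Unsupported jdbc url");`, together with rejecting URLs that embed any of the keys set here (or building the URL from validated host, port and database), would close that gap. `new java.util.Properties()` can be written `new Properties()` now that the import is added. The method starts above the hunk, so earlier validation may exist that is not visible here.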
