This is an automated email from the ASF dual-hosted git repository.

benjobs pushed a commit to branch dev-2.1.2
in repository https://gitbox.apache.org/repos/asf/incubator-streampark.git


The following commit(s) were added to refs/heads/dev-2.1.2 by this push:
     new 92848d86d [Improve] maven build args improvement (#3367)
92848d86d is described below

commit 92848d86dae043509adc39e27a394aaf8e11cdda
Author: benjobs <[email protected]>
AuthorDate: Thu Nov 30 00:18:55 2023 +0800

    [Improve] maven build args improvement (#3367)
    
    * [Improve] maven build args improvement
    
    ---------
    
    Co-authored-by: benjobs <[email protected]>
---
 .../streampark/console/core/entity/Project.java    | 43 ++++++++++++++++++----
 1 file changed, 36 insertions(+), 7 deletions(-)

diff --git 
a/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/entity/Project.java
 
b/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/entity/Project.java
index c30928f54..413009f52 100644
--- 
a/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/entity/Project.java
+++ 
b/streampark-console/streampark-console-service/src/main/java/org/apache/streampark/console/core/entity/Project.java
@@ -21,6 +21,8 @@ import org.apache.streampark.common.conf.CommonConfig;
 import org.apache.streampark.common.conf.InternalConfigHolder;
 import org.apache.streampark.common.conf.Workspace;
 import org.apache.streampark.common.util.CommandUtils;
+import org.apache.streampark.common.util.Utils;
+import org.apache.streampark.console.base.exception.ApiAlertException;
 import org.apache.streampark.console.base.exception.ApiDetailException;
 import org.apache.streampark.console.base.util.CommonUtils;
 import org.apache.streampark.console.base.util.GitUtils;
@@ -43,9 +45,11 @@ import org.eclipse.jgit.lib.Constants;
 import java.io.File;
 import java.io.IOException;
 import java.io.Serializable;
+import java.util.Arrays;
 import java.util.Date;
 import java.util.List;
 import java.util.jar.JarFile;
+import java.util.stream.Collectors;
 
 @Slf4j
 @Data
@@ -186,8 +190,9 @@ public class Project implements Serializable {
   @JsonIgnore
   public String getMavenArgs() {
     String mvn = "mvn";
+    boolean windows = Utils.isWindows();
     try {
-      if (CommonUtils.isWindows()) {
+      if (windows) {
         CommandUtils.execute("mvn.cmd --version");
       } else {
         CommandUtils.execute("mvn --version");
@@ -202,7 +207,7 @@ public class Project implements Serializable {
           FileUtils.deleteQuietly(wrapperJar);
         }
       }
-      if (CommonUtils.isWindows()) {
+      if (windows) {
         mvn = WebUtils.getAppHome().concat("/bin/mvnw.cmd");
       } else {
         mvn = WebUtils.getAppHome().concat("/bin/mvnw");
@@ -211,18 +216,42 @@ public class Project implements Serializable {
 
     StringBuilder cmdBuffer = new StringBuilder(mvn).append(" clean package 
-DskipTests ");
 
-    if (StringUtils.isNotEmpty(this.buildArgs)) {
-      cmdBuffer.append(this.buildArgs.trim());
+    if (StringUtils.isNotBlank(this.buildArgs)) {
+      List<String> dangerArgs = getLogicalOperators(this.buildArgs);
+      if (dangerArgs.isEmpty()) {
+        cmdBuffer.append(this.buildArgs.trim());
+      } else {
+        throw new IllegalArgumentException(
+            String.format(
+                "Invalid build args, dangerous operator detected: %s, in your 
buildArgs: %s",
+                dangerArgs.stream().collect(Collectors.joining(",")), 
this.buildArgs));
+      }
     }
 
     String setting = 
InternalConfigHolder.get(CommonConfig.MAVEN_SETTINGS_PATH());
-    if (StringUtils.isNotEmpty(setting)) {
-      cmdBuffer.append(" --settings ").append(setting);
+    if (StringUtils.isNotBlank(setting)) {
+      List<String> dangerArgs = getLogicalOperators(setting);
+      ApiAlertException.throwIfTrue(
+          !dangerArgs.isEmpty(),
+          String.format(
+              "Invalid maven setting path, dangerous operator detected: %s, in 
your maven setting path: %s",
+              dangerArgs.stream().collect(Collectors.joining(",")), setting));
+      File file = new File(setting);
+      if (file.exists() && file.isFile()) {
+        cmdBuffer.append(" --settings ").append(setting);
+      } else {
+        throw new IllegalArgumentException(
+            String.format("Invalid maven setting path, %s no exists or not 
file", setting));
+      }
     }
-
     return cmdBuffer.toString();
   }
 
+  private List<String> getLogicalOperators(String param) {
+    List<String> dangerArgs = Arrays.asList(" || ", " | ", " && ", " & ");
+    return 
dangerArgs.stream().filter(param::contains).collect(Collectors.toList());
+  }
+
   @JsonIgnore
   public String getMavenWorkHome() {
     String buildHome = this.getAppSource().getAbsolutePath();
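Review bot: The operator check applied at L84 and L102 only matches `" | "`, `" || "`, `" & "` and `" && "` when they are wrapped in spaces, so a build argument such as `-Dx=1|cmd`, or one containing `;`, `$( )`, backticks, a redirection or a newline, passes untouched; if CommandUtils.execute hands the assembled string to a shell (not visible in this hunk, but the single-string calls at the top of getMavenArgs suggest it), this is not a reliable guard and an allowlist of the characters a Maven `-D`/`-P` argument legitimately needs, or passing the arguments as a list rather than a concatenated string, would be the robust fix. At minimum the denylist should drop the surrounding spaces and cover the other shell control characters, and the list belongs in a `static final` field rather than being rebuilt on every call, as sketched below. The error handling is also inconsistent: the buildArgs check at L88 and the file check at L113 throw `IllegalArgumentException` while the equivalent check at L103 goes through `ApiAlertException.throwIfTrue`, so a caller catching one will miss the other. The message at L114 reads `"%s no exists or not file"`; `"maven settings path %s does not exist or is not a file"` is clearer, and `dangerArgs.stream().collect(Collectors.joining(","))` on L92 and L108 is simply `String.join(",", dangerArgs)`. getMavenArgs begins in an earlier hunk, so the surrounding method is only partly visible here.
```java
  // Shell control operators that must never appear in a value spliced into the mvn command line.
  // Matched without surrounding whitespace so "-Dx=1|cmd" is caught as well as "x | cmd".
  private static final List<String> SHELL_OPERATORS =
      Arrays.asList("||", "|", "&&", "&", ";", "`", "$(", ">", "<", "\n");

  private List<String> getLogicalOperators(String param) {
    return SHELL_OPERATORS.stream().filter(param::contains).collect(Collectors.toList());
  }
```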
