aiceflower opened a new pull request, #5449:
URL: https://github.com/apache/linkis/pull/5449
## What is the purpose of the change
The CVE-2023-49566 fix shipped earlier only protected the MySQL/StarRocks
`SqlConnection` implementations. The eight other JDBC driver families used by
the metadata-query / datasource-manager modules still streamed user-supplied
`extraParams` straight onto the JDBC URL with no allowlist/denylist, so any
authenticated user could inject driver-specific dangerous properties and
reach
`DriverManager.getConnection` with them.
This is the "incomplete fix of CVE-2023-49566" report forwarded by ASF
Security
(reporter: greybtw, tested on 1.8.0, CVSS 8.8).
Per-driver sinks reachable before this PR:
| Driver | Sink |
|--------|------|
| PostgreSQL / Greenplum / KingBase | `socketFactory` + `socketFactoryArg`
-> reflective class instantiation -> RCE on PG drivers < 42.2.25 / < 42.3.2 |
| DB2 | `clientRerouteServerListJNDIName` -> JNDI injection (the original
CVE-2023-49566 sink) |
| Oracle | `oracle.net.tns_admin` / `javax.net.ssl.trustStore` -> TLS/TNS
config hijack |
| SQL Server | `jaasConfigurationName` -> JAAS lookup |
| ClickHouse / DM | covered defensively (no known high-risk param today) |
## Brief change log
- **New** `linkis-commons/.../utils/JdbcDriverType.java`: enum identifying
the 10 JDBC driver families.
- `linkis-commons/.../utils/SecurityUtils.java`: add generic JDBC security
layer
- `checkJdbcConnParams(JdbcDriverType, host, port, username, password,
database, extraParams)` — driver-aware denylist dispatch, URL-decode loop,
host-injection guard
- `buildSecureProperties(JdbcDriverType, username, password, extraParams)`
— builds a `Properties` bag with driver-specific force-set security defaults
first, then credentials, then user params that don't conflict with the
force-set keys
- Per-driver config keys: `linkis.jdbc.security.check.enable`,
`linkis.jdbc.{global,postgres,db2,oracle,sqlserver}.blocked.params`,
`linkis.jdbc.{postgres,db2,oracle,sqlserver,clickhouse,dm}.force.params`
- All 16 `SqlConnection` implementations (8 drivers x 2 modules) now:
1. call `SecurityUtils.checkJdbcConnParams(driverType, ...)`
2. obtain the connection via `DriverManager.getConnection(url, props)`
with `props = SecurityUtils.buildSecureProperties(...)`
3. never concatenate `extraParams` onto the URL
- `datasource-manager/.../AbstractSqlConnection.java`: the (currently
orphaned) hard-coded PostgreSQL path is also routed through SecurityUtils so a
future revival cannot reintroduce the sink.
- `linkis-commons/.../SecurityUtilsTest.java`: 10 new unit tests covering
- per-driver denylist (PG socketFactory, DB2 JNDI, Oracle tns_admin, SQL
Server JAAS, global denylist)
- URL-encoded bypass (`%73ocketFactory`)
- host-injection (`evil.com:5432/db?socketFactory=x`, `#`, `&`)
- force-params-wins semantics (SQL Server `trustServerCertificate=false`
overrides user `true`)
- benign params pass through for every driver family
### Backward compatibility
- MySQL and StarRocks keep their existing CVE-2023-49566 fix unchanged.
- The new check is on by default (`linkis.jdbc.security.check.enable=true`);
operators who need to disable it temporarily can flip the flag.
- Existing tests (`SecurityUtilsTest` — 19 tests) all pass.
## Checklist
- [x] I have read the [Contributing Guidelines on pull
requests](https://github.com/facebook/docusaurus/blob/main/CONTRIBUTING.md#pull-requests).
- [x] I have explained the need for this PR and the problem it solves
- [x] I have explained the changes or the new features added to this PR
- [x] I have added tests corresponding to this change
- [ ] I have updated the documentation to reflect this change
- [x] I have verified that this change is backward compatible
- [x] **If this is a code change**: I have written unit tests to fully
verify the new behavior.
## Note
This is a security fix for a privately-reported issue routed through ASF
Security.
Until the PMC triages it, please keep the discussion on the private security
channel rather than the public PR. The PR can stay `[WIP]` until the embargo
lifts.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]