aiceflower opened a new pull request, #5449:
URL: https://github.com/apache/linkis/pull/5449

   ## What is the purpose of the change
   
   The CVE-2023-49566 fix shipped earlier only protected the MySQL/StarRocks
   `SqlConnection` implementations. The eight other JDBC driver families used by
   the metadata-query / datasource-manager modules still streamed user-supplied
   `extraParams` straight onto the JDBC URL with no allowlist/denylist, so any
   authenticated user could inject driver-specific dangerous properties and 
reach
   `DriverManager.getConnection` with them.
   
   This is the "incomplete fix of CVE-2023-49566" report forwarded by ASF 
Security
   (reporter: greybtw, tested on 1.8.0, CVSS 8.8).
   
   Per-driver sinks reachable before this PR:
   
   | Driver | Sink |
   |--------|------|
   | PostgreSQL / Greenplum / KingBase | `socketFactory` + `socketFactoryArg` 
-> reflective class instantiation -> RCE on PG drivers < 42.2.25 / < 42.3.2 |
   | DB2 | `clientRerouteServerListJNDIName` -> JNDI injection (the original 
CVE-2023-49566 sink) |
   | Oracle | `oracle.net.tns_admin` / `javax.net.ssl.trustStore` -> TLS/TNS 
config hijack |
   | SQL Server | `jaasConfigurationName` -> JAAS lookup |
   | ClickHouse / DM | covered defensively (no known high-risk param today) |
   
   ## Brief change log
   
   - **New** `linkis-commons/.../utils/JdbcDriverType.java`: enum identifying 
the 10 JDBC driver families.
   - `linkis-commons/.../utils/SecurityUtils.java`: add generic JDBC security 
layer
     - `checkJdbcConnParams(JdbcDriverType, host, port, username, password, 
database, extraParams)` — driver-aware denylist dispatch, URL-decode loop, 
host-injection guard
     - `buildSecureProperties(JdbcDriverType, username, password, extraParams)` 
— builds a `Properties` bag with driver-specific force-set security defaults 
first, then credentials, then user params that don't conflict with the 
force-set keys
     - Per-driver config keys: `linkis.jdbc.security.check.enable`, 
`linkis.jdbc.{global,postgres,db2,oracle,sqlserver}.blocked.params`, 
`linkis.jdbc.{postgres,db2,oracle,sqlserver,clickhouse,dm}.force.params`
   - All 16 `SqlConnection` implementations (8 drivers x 2 modules) now:
     1. call `SecurityUtils.checkJdbcConnParams(driverType, ...)`
     2. obtain the connection via `DriverManager.getConnection(url, props)` 
with `props = SecurityUtils.buildSecureProperties(...)`
     3. never concatenate `extraParams` onto the URL
   - `datasource-manager/.../AbstractSqlConnection.java`: the (currently 
orphaned) hard-coded PostgreSQL path is also routed through SecurityUtils so a 
future revival cannot reintroduce the sink.
   - `linkis-commons/.../SecurityUtilsTest.java`: 10 new unit tests covering
     - per-driver denylist (PG socketFactory, DB2 JNDI, Oracle tns_admin, SQL 
Server JAAS, global denylist)
     - URL-encoded bypass (`%73ocketFactory`)
     - host-injection (`evil.com:5432/db?socketFactory=x`, `#`, `&`)
     - force-params-wins semantics (SQL Server `trustServerCertificate=false` 
overrides user `true`)
     - benign params pass through for every driver family
   
   ### Backward compatibility
   
   - MySQL and StarRocks keep their existing CVE-2023-49566 fix unchanged.
   - The new check is on by default (`linkis.jdbc.security.check.enable=true`); 
operators who need to disable it temporarily can flip the flag.
   - Existing tests (`SecurityUtilsTest` — 19 tests) all pass.
   
   ## Checklist
   
   - [x] I have read the [Contributing Guidelines on pull 
requests](https://github.com/facebook/docusaurus/blob/main/CONTRIBUTING.md#pull-requests).
   - [x] I have explained the need for this PR and the problem it solves
   - [x] I have explained the changes or the new features added to this PR
   - [x] I have added tests corresponding to this change
   - [ ] I have updated the documentation to reflect this change
   - [x] I have verified that this change is backward compatible
   - [x] **If this is a code change**: I have written unit tests to fully 
verify the new behavior.
   
   ## Note
   
   This is a security fix for a privately-reported issue routed through ASF 
Security.
   Until the PMC triages it, please keep the discussion on the private security
   channel rather than the public PR. The PR can stay `[WIP]` until the embargo 
lifts.
   
   🤖 Generated with [Claude Code](https://claude.com/claude-code)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to