aiceflower opened a new pull request, #5450:
URL: https://github.com/apache/linkis/pull/5450

   ## What is the purpose of the change
   
   Follow-up to #5449 that closes a remaining JDBC URL-option injection sink 
reported separately against the DB2 `instance` field. The DB2 SqlConnection 
classes interpolate the user-supplied instance value directly into the URL via 
`String.format("jdbc:db2://%s:%s/%s", ...)`, so a malicious value like 
`SAMPLE:traceLevel=1;` becomes `jdbc:db2://host:port/SAMPLE:traceLevel=1;`. The 
CVE-2023-49566 fix in #5449 denylisted `clientRerouteServerListJNDIName` etc. 
when they arrive via Properties, but a value smuggled through the URL database 
segment bypasses Properties entirely and reaches driver options like 
`traceLevel`/`traceFile`/`traceDirectory`/`traceFileAppend` that allow 
arbitrary file writes.
   
   Same class of issue affects SQL Server (`;` separator), Oracle (service-name 
slot), and the `jdbc:mysql://` family (`?`/`&`).
   
   This PR adds four layers of defense:
   
   1. **Runtime validation (primary fix).** New 
`SecurityUtils.checkDatabaseIsSafe(JdbcDriverType, database)` rejects 
URL-option separators per driver family. Called from the generic 
`checkJdbcConnParams` path used by every non-MySQL SqlConnection.
      - DB2 → `: ; ? # &` (matches the advisory's PoC)
      - SQLSERVER → `; ? # &`
      - ORACLE → `? # &`
      - PG/MySQL/ClickHouse/DM/etc → `? # & /`
   
   2. **Expanded DB2 denylist.** `JDBC_DB2_BLOCKED_PARAMS` now also includes 
`traceLevel, traceFile, traceDirectory, traceFileAppend` so Properties-based 
injection of the same logging options is blocked too.
   
   3. **Schema-layer validation.** Backfill `value_regex` for the `instance` 
field of every JDBC data source in `linkis_dml.sql`. 
`RegExpParameterValidateStrategy` skips validation when `value_regex` is NULL, 
so the existing schema offered no first-line defense. New regex 
`^[A-Za-z0-9_.-]+$`.
   
   4. **Upgrade SQL.** Same regex backfilled via `UPDATE ... WHERE 
key='instance' AND value_regex IS NULL` in the 1.9.0 upgrade script for 
existing installs.
   
   ## Tests
   
   - 6 new unit tests covering: the DB2 PoC (`SAMPLE:traceLevel=1;` and 
`SAMPLE:traceFile=/tmp/evil;`), the single-character variants for each 
forbidden char, the SQL Server and MySQL variants, benign-database sanity 
across all driver families, and the expanded DB2 denylist.
   - All 24 tests in `SecurityUtilsTest` pass.
   
   ## Relation to prior work
   
   - #5449 closed the CVE-2023-49566 incomplete-fix report by adding the 
generic JDBC denylist/Properties layer. This PR builds on top of #5449 (same 
files, same SecurityUtils generic API). If reviewers prefer to land both 
together, this PR can be rebased onto #5449 instead of master.
   
   🤖 Generated with [Claude Code](https://claude.com/claude-code)
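The runtime check and the schema-layer regex described in the PR, modelled stand-alone as an added example (Python rather than the project's Java; this is not Linkis code). The per-driver separator sets and the `^[A-Za-z0-9_.-]+$` regex are taken from the description above; the function names, the reject-by-exception behaviour, the empty-string handling and the non-DB2 URL shapes are assumptions made here for illustration.

```python
"""Constructed model of a per-driver JDBC database-name check.

Mirrors the two validation layers the PR describes: a runtime
checkDatabaseIsSafe-style separator check and the value_regex allowlist.
Names and behaviour on failure are assumptions, not Linkis code.
"""
import re
from enum import Enum


class JdbcDriverType(Enum):
    DB2 = "db2"
    SQLSERVER = "sqlserver"
    ORACLE = "oracle"
    POSTGRESQL = "postgresql"
    MYSQL = "mysql"
    CLICKHOUSE = "clickhouse"
    DM = "dm"


# URL-option separators per driver family, as listed in the PR description.
# Families not listed explicitly fall back to the PG/MySQL/ClickHouse/DM set.
_FORBIDDEN = {
    JdbcDriverType.DB2: frozenset(":;?#&"),
    JdbcDriverType.SQLSERVER: frozenset(";?#&"),
    JdbcDriverType.ORACLE: frozenset("?#&"),
}
_DEFAULT_FORBIDDEN = frozenset("?#&/")

# Schema-layer allowlist the PR backfills into value_regex for `instance`.
INSTANCE_REGEX = re.compile(r"^[A-Za-z0-9_.-]+$")


def forbidden_chars_for(driver: JdbcDriverType) -> frozenset:
    """Separator characters that must not appear in the database segment."""
    return _FORBIDDEN.get(driver, _DEFAULT_FORBIDDEN)


def find_forbidden(driver: JdbcDriverType, database: str) -> set:
    """Return the forbidden characters present in `database` (empty set if safe)."""
    return {c for c in database if c in forbidden_chars_for(driver)}


def check_database_is_safe(driver: JdbcDriverType, database: str) -> None:
    """Runtime layer: raise ValueError if the segment could open a URL option.

    An empty string has nothing to inject and passes here; how Linkis treats
    an empty instance is not described in the PR (assumption).
    """
    bad = find_forbidden(driver, database)
    if bad:
        raise ValueError(
            f"database '{database}' contains URL-option separator(s) "
            f"{sorted(bad)} not allowed for {driver.value}"
        )


def matches_instance_regex(value: str) -> bool:
    """Schema layer: stricter than the runtime check, applied at save time."""
    return INSTANCE_REGEX.fullmatch(value) is not None


def build_jdbc_url(driver: JdbcDriverType, host: str, port: int, database: str) -> str:
    """Validate first, then interpolate, so the segment can never carry options."""
    check_database_is_safe(driver, database)
    # Only the DB2 shape is given in the PR; the others are assumed for illustration.
    if driver is JdbcDriverType.DB2:
        return f"jdbc:db2://{host}:{port}/{database}"
    if driver is JdbcDriverType.SQLSERVER:
        return f"jdbc:sqlserver://{host}:{port};databaseName={database}"
    return f"jdbc:{driver.value}://{host}:{port}/{database}"


if __name__ == "__main__":
    # Constructed inputs: the PoC value quoted in the PR and a benign name.
    for db in ("SAMPLE", "SAMPLE:traceLevel=1;"):
        try:
            print(build_jdbc_url(JdbcDriverType.DB2, "host", 50000, db))
        except ValueError as exc:
            print("rejected:", exc)
        print("schema regex accepts:", matches_instance_regex(db))
```

Keeping the two layers separate is deliberate: the regex runs when a data source is saved, so it catches bad values early but only for rows that have a `value_regex`, while the runtime check guards every URL actually built, including rows created before the backfill.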


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

