aiceflower opened a new pull request, #5450:
URL: https://github.com/apache/linkis/pull/5450
## What is the purpose of the change
Follow-up to #5449 that closes a remaining JDBC URL-option injection sink
reported separately against the DB2 `instance` field. The DB2 SqlConnection
classes interpolate the user-supplied instance value directly into the URL via
`String.format("jdbc:db2://%s:%s/%s", ...)`, so a malicious value like
`SAMPLE:traceLevel=1;` becomes `jdbc:db2://host:port/SAMPLE:traceLevel=1;`. The
CVE-2023-49566 fix in #5449 denylisted `clientRerouteServerListJNDIName` etc.
when they arrive via Properties, but a value smuggled through the URL database
segment bypasses Properties entirely and reaches driver options like
`traceLevel`/`traceFile`/`traceDirectory`/`traceFileAppend` that allow
arbitrary file writes.
Same class of issue affects SQL Server (`;` separator), Oracle (service-name
slot), and the `jdbc:mysql://` family (`?`/`&`).
This PR adds four layers of defense:
1. **Runtime validation (primary fix).** New
`SecurityUtils.checkDatabaseIsSafe(JdbcDriverType, database)` rejects
URL-option separators per driver family. Called from the generic
`checkJdbcConnParams` path used by every non-MySQL SqlConnection.
- DB2 → `: ; ? # &` (matches the advisory's PoC)
- SQLSERVER → `; ? # &`
- ORACLE → `? # &`
- PG/MySQL/ClickHouse/DM/etc → `? # & /`
2. **Expanded DB2 denylist.** `JDBC_DB2_BLOCKED_PARAMS` now also includes
`traceLevel, traceFile, traceDirectory, traceFileAppend` so Properties-based
injection of the same logging options is blocked too.
3. **Schema-layer validation.** Backfill `value_regex` for the `instance`
field of every JDBC data source in `linkis_dml.sql`.
`RegExpParameterValidateStrategy` skips validation when `value_regex` is NULL,
so the existing schema offered no first-line defense. New regex
`^[A-Za-z0-9_.-]+$`.
4. **Upgrade SQL.** Same regex backfilled via `UPDATE ... WHERE
key='instance' AND value_regex IS NULL` in the 1.9.0 upgrade script for
existing installs.
## Tests
- 6 new unit tests covering: the DB2 PoC (`SAMPLE:traceLevel=1;` and
`SAMPLE:traceFile=/tmp/evil;`), the single-character variants for each
forbidden char, the SQL Server and MySQL variants, benign-database sanity
across all driver families, and the expanded DB2 denylist.
- All 24 tests in `SecurityUtilsTest` pass.
## Relation to prior work
- #5449 closed the CVE-2023-49566 incomplete-fix report by adding the
generic JDBC denylist/Properties layer. This PR builds on top of #5449 (same
files, same SecurityUtils generic API). If reviewers prefer to land both
together, this PR can be rebased onto #5449 instead of master.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]