This is an automated email from the ASF dual-hosted git repository.
liutianyou pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hertzbeat.git
The following commit(s) were added to refs/heads/master by this push:
new 10b283522c [improve] add path validation for pluginservice (#3375)
10b283522c is described below
commit 10b283522c036d1486f6bed1d90368e041241160
Author: aias00 <[email protected]>
AuthorDate: Tue May 20 12:32:24 2025 +0800
[improve] add path validation for pluginservice (#3375)
Signed-off-by: aias00 <[email protected]>
Co-authored-by: Copilot Autofix powered by AI
<62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: Calvin <[email protected]>
Co-authored-by: liutianyou <[email protected]>
---
.../manager/service/impl/PluginServiceImpl.java | 31 ++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git
a/hertzbeat-manager/src/main/java/org/apache/hertzbeat/manager/service/impl/PluginServiceImpl.java
b/hertzbeat-manager/src/main/java/org/apache/hertzbeat/manager/service/impl/PluginServiceImpl.java
index 1abbe2118a..953f3b7889 100644
---
a/hertzbeat-manager/src/main/java/org/apache/hertzbeat/manager/service/impl/PluginServiceImpl.java
+++
b/hertzbeat-manager/src/main/java/org/apache/hertzbeat/manager/service/impl/PluginServiceImpl.java
@@ -224,7 +224,9 @@ public class PluginServiceImpl implements PluginService {
List<PluginItem> pluginItems = new ArrayList<>();
AtomicInteger pluginImplementationCount = new AtomicInteger(0);
try {
+ validateFilePath(jarFile);
URL jarUrl = new URL("file:" + jarFile.getAbsolutePath());
+ validateJarUrl(jarUrl);
try (URLClassLoader classLoader = new URLClassLoader(new
URL[]{jarUrl}, this.getClass().getClassLoader());
JarFile jar = new JarFile(jarFile)) {
Enumeration<JarEntry> entries = jar.entries();
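Review bot: The validateJarUrl call added after the URL construction can never fail here, because the URL is built from the literal prefix "file:" on the line above, so the protocol check is a tautology rather than a guard. The concatenation also leaves the absolute path unescaped, so a plugin path containing `#`, `?` or `%` would produce a URL whose file part no longer matches jarFile; `URL jarUrl = jarFile.toURI().toURL();` yields a correctly encoded file: URL, and the preceding validateFilePath(jarFile) is the check that actually bounds where that file may live. The enclosing method starts and ends outside the hunk.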
@@ -272,6 +274,35 @@ public class PluginServiceImpl implements PluginService {
return metadata;
}
+ /**
+ * Validate that the file resides within the expected directory.
+ *
+ * @param file the file to validate
+ */
+ private void validateFilePath(File file) {
+ try {
+ String canonicalPath = file.getCanonicalPath();
+ String expectedDir = new File("plugin-lib").getCanonicalPath();
+ if (!canonicalPath.startsWith(expectedDir)) {
+ throw new CommonException("File is outside the allowed
directory: " + canonicalPath);
+ }
+ } catch (IOException e) {
+ log.error("Error validating file path: {}",
file.getAbsolutePath(), e);
+ throw new CommonException("Error validating file path: " +
file.getAbsolutePath());
+ }
+ }
+
+ /**
+ * Validate that the URL uses the 'file:' protocol and does not point to
an external resource.
+ *
+ * @param url the URL to validate
+ */
+ private void validateJarUrl(URL url) {
+ if (!"file".equals(url.getProtocol())) {
+ throw new CommonException("Invalid URL protocol: " +
url.getProtocol());
+ }
+ }
+
private void validateMetadata(PluginMetadata metadata) {
if (metadataDao.countPluginMetadataByName(metadata.getName()) != 0) {
throw new CommonException("A plugin named " + metadata.getName() +
" already exists");
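Review bot: The containment check in validateFilePath is a plain string prefix test, so a canonical path under a sibling directory whose name merely begins with the allowed one (for example `<plugin-lib>-other/x.jar`, constructed example) passes as inside the allowed directory. Comparing against the prefix with a trailing separator closes that gap, `if (!canonicalPath.startsWith(expectedDir + File.separator)) {`; a component-wise `file.toPath().toRealPath().startsWith(basePath)` would be clearer still if java.nio.file.Path is already imported (the import block is outside the hunk). Note also that expectedDir is resolved from the relative name "plugin-lib", i.e. against the process working directory, which presumably is where plugin jars are stored — worth confirming against the code that writes them. The CommonException rethrown in the catch block drops `e` as its cause; if CommonException has a cause-accepting constructor, passing it keeps the original stack trace attached beyond the log line. validateMetadata continues outside the hunk.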