zhaoguangqin opened a new issue, #4144:
URL: https://github.com/apache/hertzbeat/issues/4144
### Is there an existing issue for this?
- [x] I have searched the existing issues
### Current Behavior
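Based on the latest version, 1.8.0.
When adding a JVM monitor, add a JMX connection in the advanced settings and click the Test button; the following error is reported: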
```
2026-05-25 17:26:30 [1000000000-jvm-basic-0566] ERROR org.apache.hertzbeat.collector.dispatch.MetricsCollect - [Metrics PreCheck]: Potentially unsafe JNDI protocol detected in URL: rmi:.
java.lang.IllegalArgumentException: Potentially unsafe JNDI protocol detected in URL: rmi:
	at org.apache.hertzbeat.collector.collect.jmx.JmxCollectImpl.validateJmxUrl(JmxCollectImpl.java:121)
	at org.apache.hertzbeat.collector.collect.jmx.JmxCollectImpl.preCheck(JmxCollectImpl.java:96)
	at org.apache.hertzbeat.collector.dispatch.MetricsCollect.run(MetricsCollect.java:201)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
	at java.base/java.lang.Thread.run(Thread.java:1583)
```
The error is traced to the following lines of code:
https://github.com/apache/hertzbeat/blob/master/hertzbeat-collector/hertzbeat-collector-basic/src/main/java/org/apache/hertzbeat/collector/collect/jmx/JmxCollectImpl.java
If the input parameter is: service:jmx:rmi:///jndi/rmi://192.168.1.3:9999/jmxrmi
```
private void validateJmxUrl(String url) throws IllegalArgumentException {
    // Only allow service:jmx:rmi protocol
    Assert.isTrue(url.startsWith("service:jmx:rmi:"), "Only service:jmx:rmi protocol is supported");
    String[] disallowedPatterns = { "ldap:", "rmi:", "iiop:", "nis:", "dns:", "corbaname:", "http:", "https:" };
    for (String pattern : disallowedPatterns) {
        if (url.contains(pattern) && !pattern.equals("rmi:///jndi/rmi:")) {
            throw new IllegalArgumentException("Potentially unsafe JNDI protocol detected in URL: " + pattern);
        }
    }
    // Check for suspicious patterns
    if (url.contains("${") || url.contains("$[") || url.contains(":#") || url.contains(":/")) {
        throw new IllegalArgumentException("Potentially malicious pattern detected in JMX URL");
    }
}
```
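The code loops over the disallowedPatterns array, and inside the loop it checks that the element is not equal to "rmi:///jndi/rmi:", so this line is bound to throw an exception.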
### Expected Behavior
_No response_
### Steps To Reproduce
_No response_
### Environment
```markdown
HertzBeat version(s):
```
### Debug logs
_No response_
### Anything else?
_No response_
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
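An added example (not part of the issue, and not HertzBeat's code or its fix): a validator that parses the address with `javax.management.remote.JMXServiceURL` instead of substring-matching, so the URL reported above is accepted while any other JNDI scheme in the lookup name is refused. The class name `JmxUrlCheck`, the requirement of an explicit registry port, and the sample URLs other than the reporter's are assumptions.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import javax.management.remote.JMXServiceURL;

public class JmxUrlCheck {
    // Hypothetical validator: allow exactly one shape,
    // service:jmx:rmi:///jndi/rmi://<host>:<port>/<name>
    static void validate(String url) {
        // Refuse lookup/interpolation syntax before any parsing.
        if (url.contains("${") || url.contains("$[")) {
            throw new IllegalArgumentException("Lookup syntax in JMX URL");
        }
        URI jndi;
        try {
            JMXServiceURL parsed = new JMXServiceURL(url);
            String path = parsed.getURLPath();
            if (!"rmi".equals(parsed.getProtocol()) || !path.startsWith("/jndi/")) {
                throw new IllegalArgumentException("Only service:jmx:rmi with a /jndi/ path is allowed");
            }
            // Everything after /jndi/ is the JNDI name the connector will look up.
            jndi = new URI(path.substring("/jndi/".length()));
        } catch (MalformedURLException | URISyntaxException e) {
            throw new IllegalArgumentException("Malformed JMX URL", e);
        }
        // The JNDI name must itself be an RMI registry address (assumption: port is mandatory).
        if (!"rmi".equals(jndi.getScheme()) || jndi.getHost() == null || jndi.getPort() < 0) {
            throw new IllegalArgumentException("JNDI target must be rmi://host:port/name");
        }
    }

    public static void main(String[] args) {
        String[] samples = {
            "service:jmx:rmi:///jndi/rmi://192.168.1.3:9999/jmxrmi",  // URL from the issue
            "service:jmx:rmi:///jndi/ldap://192.0.2.10:1389/obj",     // constructed
            "service:jmx:iiop:///jndi/rmi://192.0.2.10:9999/jmxrmi",  // constructed
            "service:jmx:rmi:///jndi/rmi://${host}:9999/jmxrmi"       // constructed
        };
        for (String s : samples) {
            try {
                validate(s);
                System.out.println("ACCEPT " + s);
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first sample is accepted. Checking the parsed protocol and the scheme of the JNDI name keeps the allow-list intent of `validateJmxUrl` without matching `rmi:` or `:/` anywhere in the string.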