diff --git a/dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/main/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessor.java b/dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/main/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessor.java
index 28217c51d6..fa42dafa85 100644
--- a/dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/main/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessor.java
+++ b/dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/main/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessor.java
@@ -26,8 +26,11 @@ import org.apache.commons.collections4.MapUtils;
 
 import java.text.MessageFormat;
 import java.util.Map;
+import java.util.Set;
 import java.util.regex.Pattern;
 
+import com.google.common.collect.Sets;
+
 public abstract class AbstractDataSourceProcessor implements DataSourceProcessor {
 
     private static final Pattern IPV4_PATTERN = Pattern.compile("^[a-zA-Z0-9\\_\\-\\.\\,]+$");
@@ -38,6 +41,8 @@ public abstract class AbstractDataSourceProcessor implements DataSourceProcessor
 
     private static final Pattern PARAMS_PATTER = Pattern.compile("^[a-zA-Z0-9\\-\\_\\/\\@\\.]+$");
 
+    private static final Set POSSIBLE_MALICIOUS_KEYS = Sets.newHashSet("allowLoadLocalInfile");
+
     @Override
     public void checkDatasourceParam(BaseDataSourceParamDTO baseDataSourceParamDTO) {
         checkHost(baseDataSourceParamDTO.getHost());
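Review bot: `POSSIBLE_MALICIOUS_KEYS` is declared as a raw, mutable `Set` built with `Sets.newHashSet`, so the intersection in checkOther is an unchecked operation and the denylist could in principle be altered at runtime; declare it `private static final Set<String> POSSIBLE_MALICIOUS_KEYS = ImmutableSet.of("allowLoadLocalInfile");` (or `Collections.singleton(...)` to stay on the JDK). A one-line comment stating why the key is rejected would help the next maintainer, e.g. `// driver options rejected because they change what the driver does on the client host (allowLoadLocalInfile enables MySQL LOAD DATA LOCAL)`. A single exact-match entry is also a thin denylist: if the processors only ever need a known set of connection options, an allowlist of accepted keys is the stronger control, and this constant would then be the documented exception list rather than the only barrier.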
@@ -76,6 +81,9 @@ public abstract class AbstractDataSourceProcessor implements DataSourceProcessor
         if (MapUtils.isEmpty(other)) {
             return;
         }
+        if (!Sets.intersection(other.keySet(), POSSIBLE_MALICIOUS_KEYS).isEmpty()) {
+            throw new IllegalArgumentException("Other params include possible malicious keys.");
+        }
         boolean paramsCheck = other.entrySet().stream().allMatch(p -> PARAMS_PATTER.matcher(p.getValue()).matches());
         if (!paramsCheck) {
             throw new IllegalArgumentException("datasource other params illegal");
@@ -85,6 +93,7 @@ public abstract class AbstractDataSourceProcessor implements DataSourceProcessor
     @Override
     public String getDatasourceUniqueId(ConnectionParam connectionParam, DbType dbType) {
         BaseConnectionParam baseConnectionParam = (BaseConnectionParam) connectionParam;
-        return MessageFormat.format("{0}@{1}@{2}@{3}", dbType.getDescp(), baseConnectionParam.getUser(), PasswordUtils.encodePassword(baseConnectionParam.getPassword()), baseConnectionParam.getJdbcUrl());
+        return MessageFormat.format("{0}@{1}@{2}@{3}", dbType.getDescp(), baseConnectionParam.getUser(),
+                PasswordUtils.encodePassword(baseConnectionParam.getPassword()), baseConnectionParam.getJdbcUrl());
     }
 }
diff --git a/dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/test/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessorTest.java b/dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/test/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessorTest.java
index 63534dfc70..ad144cdf08 100644
--- a/dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/test/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessorTest.java
+++ b/dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/test/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessorTest.java
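Review bot: The new guard in checkOther compares keys by exact, case-sensitive equality against `POSSIBLE_MALICIOUS_KEYS`, so a key that differs only in letter case or surrounding whitespace is passed on to the driver unchecked; whether a given JDBC driver then honours such a key is driver-specific and should be confirmed before this check is relied on. Normalizing the key before comparison, e.g. `other.keySet().stream().map(k -> k.trim().toLowerCase(Locale.ROOT)).anyMatch(POSSIBLE_MALICIOUS_KEYS::contains)` with the constant stored in lower case, closes that gap; `Collections.disjoint(other.keySet(), POSSIBLE_MALICIOUS_KEYS)` is the JDK equivalent of the current `Sets.intersection(...).isEmpty()` test. The message `"Other params include possible malicious keys."` could name the rejected key so an operator can diagnose a refused datasource without reading the source. checkOther's signature and the remainder of its body lie outside this hunk.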
@@ -43,4 +43,12 @@ public class AbstractDataSourceProcessorTest {
         other.put("arg0", "%");
         doThrow(new IllegalArgumentException()).when(mockDataSourceProcessor).checkOther(other);
     }
-}
\ No newline at end of file
+
+    @Test
+    public void shouldNotIncludeMaliciousParams() {
+        AbstractDataSourceProcessor mockDataSourceProcessor = mock(AbstractDataSourceProcessor.class);
+        Map other = new HashMap<>();
+        other.put("allowLoadLocalInfile", "whatever");
+        doThrow(new IllegalArgumentException()).when(mockDataSourceProcessor).checkOther(other);
+    }
+}
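Review bot: `shouldNotIncludeMaliciousParams` never exercises the method under test: `doThrow(...).when(mockDataSourceProcessor).checkOther(other)` only configures the Mockito stub, and the real `checkOther` is never invoked, so the test passes whether or not the new key guard exists. The pre-existing `arg0` test visible in the context lines has the same shape and the same weakness. Use `mock(AbstractDataSourceProcessor.class, CALLS_REAL_METHODS)` (or a minimal concrete subclass) so the real body runs, then assert the outcome, e.g. `assertThrows(IllegalArgumentException.class, () -> processor.checkOther(other));`. `Map other` is a raw type; `Map<String, String> other = new HashMap<>();` matches the `Map<String, String>` the processor is presumably given and avoids the unchecked warning.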