
Add validations of possible malicious keys (#11966)

3.2.0-release
kezhenxu94 2 years ago committed by GitHub
parent
commit
5811b84fcc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 11
      dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/main/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessor.java
  2. 8
      dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/test/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessorTest.java

11
dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/main/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessor.java

@ -26,8 +26,11 @@ import org.apache.commons.collections4.MapUtils;
import java.text.MessageFormat; import java.text.MessageFormat;
import java.util.Map; import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern; import java.util.regex.Pattern;
import com.google.common.collect.Sets;
public abstract class AbstractDataSourceProcessor implements DataSourceProcessor { public abstract class AbstractDataSourceProcessor implements DataSourceProcessor {
private static final Pattern IPV4_PATTERN = Pattern.compile("^[a-zA-Z0-9\\_\\-\\.\\,]+$"); private static final Pattern IPV4_PATTERN = Pattern.compile("^[a-zA-Z0-9\\_\\-\\.\\,]+$");
@ -38,6 +41,8 @@ public abstract class AbstractDataSourceProcessor implements DataSourceProcessor
private static final Pattern PARAMS_PATTER = Pattern.compile("^[a-zA-Z0-9\\-\\_\\/\\@\\.]+$"); private static final Pattern PARAMS_PATTER = Pattern.compile("^[a-zA-Z0-9\\-\\_\\/\\@\\.]+$");
private static final Set<String> POSSIBLE_MALICIOUS_KEYS = Sets.newHashSet("allowLoadLocalInfile");
@Override @Override
public void checkDatasourceParam(BaseDataSourceParamDTO baseDataSourceParamDTO) { public void checkDatasourceParam(BaseDataSourceParamDTO baseDataSourceParamDTO) {
checkHost(baseDataSourceParamDTO.getHost()); checkHost(baseDataSourceParamDTO.getHost());
@ -76,6 +81,9 @@ public abstract class AbstractDataSourceProcessor implements DataSourceProcessor
if (MapUtils.isEmpty(other)) { if (MapUtils.isEmpty(other)) {
return; return;
} }
if (!Sets.intersection(other.keySet(), POSSIBLE_MALICIOUS_KEYS).isEmpty()) {
throw new IllegalArgumentException("Other params include possible malicious keys.");
}
boolean paramsCheck = other.entrySet().stream().allMatch(p -> PARAMS_PATTER.matcher(p.getValue()).matches()); boolean paramsCheck = other.entrySet().stream().allMatch(p -> PARAMS_PATTER.matcher(p.getValue()).matches());
if (!paramsCheck) { if (!paramsCheck) {
throw new IllegalArgumentException("datasource other params illegal"); throw new IllegalArgumentException("datasource other params illegal");
@ -85,6 +93,7 @@ public abstract class AbstractDataSourceProcessor implements DataSourceProcessor
@Override @Override
public String getDatasourceUniqueId(ConnectionParam connectionParam, DbType dbType) { public String getDatasourceUniqueId(ConnectionParam connectionParam, DbType dbType) {
BaseConnectionParam baseConnectionParam = (BaseConnectionParam) connectionParam; BaseConnectionParam baseConnectionParam = (BaseConnectionParam) connectionParam;
return MessageFormat.format("{0}@{1}@{2}@{3}", dbType.getDescp(), baseConnectionParam.getUser(), PasswordUtils.encodePassword(baseConnectionParam.getPassword()), baseConnectionParam.getJdbcUrl()); return MessageFormat.format("{0}@{1}@{2}@{3}", dbType.getDescp(), baseConnectionParam.getUser(),
PasswordUtils.encodePassword(baseConnectionParam.getPassword()), baseConnectionParam.getJdbcUrl());
} }
} }
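Review bot: The new key check in checkOther (hunk `@ -76,6 +81,9 @@`) compares map keys with `Sets.intersection`, which is an exact, case-sensitive match, so a key that differs only in letter case or surrounding whitespace is not rejected even though a driver that treats property names case-insensitively would still honour it; the existing `PARAMS_PATTER` check on the next line only looks at values, so such a key reaches the driver unchecked. Normalizing before comparison closes that gap without a new import: `if (other.keySet().stream().anyMatch(k -> k != null && POSSIBLE_MALICIOUS_KEYS.stream().anyMatch(bad -> bad.equalsIgnoreCase(k.trim())))) {`. The constant added in hunk `@ -38,6 +41,8 @@` also deserves a one-line why-comment, e.g. `// JDBC options rejected regardless of value; the value pattern below would accept "true"`, since a reader otherwise cannot tell why a denylist sits next to a value regex. checkOther's signature and its remaining body lie outside the hunk.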

8
dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/test/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessorTest.java

@ -43,4 +43,12 @@ public class AbstractDataSourceProcessorTest {
other.put("arg0", "%"); other.put("arg0", "%");
doThrow(new IllegalArgumentException()).when(mockDataSourceProcessor).checkOther(other); doThrow(new IllegalArgumentException()).when(mockDataSourceProcessor).checkOther(other);
} }
@Test
public void shouldNotIncludeMaliciousParams() {
AbstractDataSourceProcessor mockDataSourceProcessor = mock(AbstractDataSourceProcessor.class);
Map<String, String> other = new HashMap<>();
other.put("allowLoadLocalInfile", "whatever");
doThrow(new IllegalArgumentException()).when(mockDataSourceProcessor).checkOther(other);
}
} }
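Review bot: shouldNotIncludeMaliciousParams never calls the code under test: `doThrow(...).when(mockDataSourceProcessor).checkOther(other)` only configures the stub on a Mockito mock and nothing invokes checkOther afterwards or asserts that it throws, so the test passes whether or not the new key check exists. The existing test above it follows the same pattern, but a regression test for a security check should exercise the real method, for example `AbstractDataSourceProcessor processor = mock(AbstractDataSourceProcessor.class, CALLS_REAL_METHODS);` followed by an assertion that `processor.checkOther(other)` throws IllegalArgumentException with the test framework's throws-assertion. A second case with a differently-cased key would document whether the match is meant to be exact.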