From 60b019b729a5bb1c05e5627d85b1a903546100a8 Mon Sep 17 00:00:00 2001
From: cntiger <35484811+cntigers@users.noreply.github.com>
Date: Thu, 9 May 2024 14:50:27 +0800
Subject: [PATCH] [Improvement] Fix the git url command injection in pytorch task(#15873) (#15950)
* fix the git url command injection danger(#15873)
* [Improvement] Fix the git url command injection in pytorch,format code style task(#15873)
---------
Co-authored-by: cntigers
Co-authored-by: Rick Cheng
---
 .../plugin/task/pytorch/GitProjectManager.java | 4 ++--
 .../plugin/task/pytorch/PytorchTaskTest.java | 6 ++++++
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/dolphinscheduler-task-plugin/dolphinscheduler-task-pytorch/src/main/java/org/apache/dolphinscheduler/plugin/task/pytorch/GitProjectManager.java b/dolphinscheduler-task-plugin/dolphinscheduler-task-pytorch/src/main/java/org/apache/dolphinscheduler/plugin/task/pytorch/GitProjectManager.java
index 3189f26920..5f1e815c30 100644
--- a/dolphinscheduler-task-plugin/dolphinscheduler-task-pytorch/src/main/java/org/apache/dolphinscheduler/plugin/task/pytorch/GitProjectManager.java
+++ b/dolphinscheduler-task-plugin/dolphinscheduler-task-pytorch/src/main/java/org/apache/dolphinscheduler/plugin/task/pytorch/GitProjectManager.java
@@ -33,12 +33,12 @@ import lombok.extern.slf4j.Slf4j;
 public class GitProjectManager {
 public static final String GIT_PATH_LOCAL = "GIT_PROJECT";
-private static final Pattern GIT_CHECK_PATTERN = Pattern.compile("^(git@|https?://)");
+private static final Pattern GIT_CHECK_PATTERN = Pattern.compile("^(git@|https?://)(?![&|])[^&|]+$");
 private String path;
 private String baseDir = ".";
 public static boolean isGitPath(String path) {
-return GIT_CHECK_PATTERN.matcher(path).find();
+return GIT_CHECK_PATTERN.matcher(path).matches();
 }
 public void prepareProject() throws Exception {
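Review bot: The new GIT_CHECK_PATTERN on the `+` line only rejects `&` and `|`, so other shell metacharacters (`;`, whitespace, `$(`, backticks, line breaks) still pass isGitPath; if prepareProject interpolates the URL into a shell command string (its body is outside this hunk), the denylist closes only the two cases the new test exercises. An allowlist of the characters a git URL actually needs is the safer shape for this check, e.g. `Pattern.compile("^(git@|https?://)[A-Za-z0-9._~:/@%+-]+$")` (a constructed starting point — widen it for the URL forms the deployment must accept), and the URL should reach git as a separate argument via `ProcessBuilder(List<String>)` with `--` before it rather than through a shell. The `(?![&|])` lookahead is redundant once `[^&|]+` follows it and can be dropped without changing what is accepted.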
diff --git a/dolphinscheduler-task-plugin/dolphinscheduler-task-pytorch/src/test/java/org/apache/dolphinscheduler/plugin/task/pytorch/PytorchTaskTest.java b/dolphinscheduler-task-plugin/dolphinscheduler-task-pytorch/src/test/java/org/apache/dolphinscheduler/plugin/task/pytorch/PytorchTaskTest.java
index c213021607..e35a175df1 100644
--- a/dolphinscheduler-task-plugin/dolphinscheduler-task-pytorch/src/test/java/org/apache/dolphinscheduler/plugin/task/pytorch/PytorchTaskTest.java
+++ b/dolphinscheduler-task-plugin/dolphinscheduler-task-pytorch/src/test/java/org/apache/dolphinscheduler/plugin/task/pytorch/PytorchTaskTest.java
@@ -72,6 +72,12 @@ public class PytorchTaskTest {
 }
+ @Test
+ public void testGitProjectUrlInjection() {
+ Assertions.assertFalse(GitProjectManager.isGitPath("git@& cat /etc/passwd >/poc.txt #"));
+ Assertions.assertFalse(GitProjectManager.isGitPath("git@| cat /etc/passwd >/poc.txt #"));
+ }
+
 @Test
 public void testGitProject() {