From 69810a8a36060ae7e138fd7cdffdf2acc9eedd3b Mon Sep 17 00:00:00 2001
From: Tq
Date: Thu, 28 Apr 2022 18:16:37 +0800
Subject: [PATCH] [BUG][ALERT-SERVER]validate script before alert script (#9834)
* validate script before alert script
* fix validate script before alert script
---
 .../plugin/alert/script/ScriptSender.java | 21 ++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/main/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSender.java b/dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/main/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSender.java
index 6302dc9d46..7f255803c4 100644
--- a/dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/main/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSender.java
+++ b/dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/main/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSender.java
@@ -18,12 +18,12 @@
 package org.apache.dolphinscheduler.plugin.alert.script;
 import org.apache.dolphinscheduler.alert.api.AlertResult;
-
-import java.util.Map;
-
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
+import java.io.File;
+import java.util.Map;
+
 public final class ScriptSender {
 private static final Logger logger = LoggerFactory.getLogger(ScriptSender.class);
 private static final String ALERT_TITLE_OPTION = " -t ";
@@ -54,6 +54,21 @@ public final class ScriptSender {
 alertResult.setMessage("shell script not support windows os");
 return alertResult;
 }
+ //validate script path in case of injections
+ File shellScriptFile = new File(scriptPath);
+ //validate existence
+ if (!shellScriptFile.exists()) {
+ logger.error("shell script not exist : {}", scriptPath);
+ alertResult.setMessage("shell script not exist : " + scriptPath);
+ return alertResult;
+ }
+ //validate is file
+ if (!shellScriptFile.isFile()) {
+ logger.error("shell script is not a file : {}", scriptPath);
+ alertResult.setMessage("shell script is not a file : " + scriptPath);
+ return alertResult;
+ }
+
 String[] cmd = {"/bin/sh", "-c", scriptPath + ALERT_TITLE_OPTION + "'" + title + "'" + ALERT_CONTENT_OPTION + "'" + content + "'" + ALERT_USER_PARAMS_OPTION + "'" + userParams + "'"};
 int exitCode = ProcessUtils.executeScript(cmd);
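Review bot: The unchanged `String[] cmd` context line still builds one concatenated string for `/bin/sh -c`, so the new `exists()`/`isFile()` checks on `scriptPath` do not cover `title`, `content` or `userParams`. Each of those is wrapped in single quotes without escaping, so a value containing `'` ends the quoting and the rest is parsed by the shell; the comment `//validate script path in case of injections` therefore claims more than the check provides. I would pass every value as its own argv element so no shell parsing happens, e.g. `String[] cmd = {"/bin/sh", scriptPath, ALERT_TITLE_OPTION.trim(), title, ALERT_CONTENT_OPTION.trim(), content, ALERT_USER_PARAMS_OPTION.trim(), userParams};`. This assumes the other option constants are padded like `" -t "` and that `ProcessUtils.executeScript` hands the array to the process unchanged, neither of which is visible here. The enclosing method starts and ends outside this hunk, so any earlier handling of these values cannot be seen.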