Browse Source

[BUG][ALERT-SERVER]validate script before alert script (#9834)

* validate script before alert script

* fix validate script before alert script
3.0.0/version-upgrade
Tq 3 years ago committed by GitHub
parent
commit
69810a8a36
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 21
      dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/main/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSender.java

21
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/main/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSender.java

@ -18,12 +18,12 @@
package org.apache.dolphinscheduler.plugin.alert.script; package org.apache.dolphinscheduler.plugin.alert.script;
import org.apache.dolphinscheduler.alert.api.AlertResult; import org.apache.dolphinscheduler.alert.api.AlertResult;
import java.util.Map;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
import java.io.File;
import java.util.Map;
public final class ScriptSender { public final class ScriptSender {
private static final Logger logger = LoggerFactory.getLogger(ScriptSender.class); private static final Logger logger = LoggerFactory.getLogger(ScriptSender.class);
private static final String ALERT_TITLE_OPTION = " -t "; private static final String ALERT_TITLE_OPTION = " -t ";
@ -54,6 +54,21 @@ public final class ScriptSender {
alertResult.setMessage("shell script not support windows os"); alertResult.setMessage("shell script not support windows os");
return alertResult; return alertResult;
} }
//validate script path in case of injections
File shellScriptFile = new File(scriptPath);
//validate existence
if (!shellScriptFile.exists()) {
logger.error("shell script not exist : {}", scriptPath);
alertResult.setMessage("shell script not exist : " + scriptPath);
return alertResult;
}
//validate is file
if (!shellScriptFile.isFile()) {
logger.error("shell script is not a file : {}", scriptPath);
alertResult.setMessage("shell script is not a file : " + scriptPath);
return alertResult;
}
String[] cmd = {"/bin/sh", "-c", scriptPath + ALERT_TITLE_OPTION + "'" + title + "'" + ALERT_CONTENT_OPTION + "'" + content + "'" + ALERT_USER_PARAMS_OPTION + "'" + userParams + "'"}; String[] cmd = {"/bin/sh", "-c", scriptPath + ALERT_TITLE_OPTION + "'" + title + "'" + ALERT_CONTENT_OPTION + "'" + content + "'" + ALERT_USER_PARAMS_OPTION + "'" + userParams + "'"};
int exitCode = ProcessUtils.executeScript(cmd); int exitCode = ProcessUtils.executeScript(cmd);

Loading…
Cancel
Save