Add validations of possible malicious keys (#11966)

2 years ago · 775ef98b64
2 changed files with 19 additions and 2 deletions
--- a/dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/main/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessor.java
+++ b/dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/main/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessor.java
@ -26,8 +26,11 @@ import org.apache.commons.collections4.MapUtils;

 import java.text.MessageFormat;
 import java.util.Map;
+import java.util.Set;
 import java.util.regex.Pattern;

+import com.google.common.collect.Sets;
+
 public abstract class AbstractDataSourceProcessor implements DataSourceProcessor {

    private static final Pattern IPV4_PATTERN = Pattern.compile("^[a-zA-Z0-9\\_\\-\\.\\,]+$");
@ -38,6 +41,8 @@ public abstract class AbstractDataSourceProcessor implements DataSourceProcessor

    private static final Pattern PARAMS_PATTER = Pattern.compile("^[a-zA-Z0-9\\-\\_\\/\\@\\.]+$");

+    private static final Set<String> POSSIBLE_MALICIOUS_KEYS = Sets.newHashSet("allowLoadLocalInfile");
+
    @Override
    public void checkDatasourceParam(BaseDataSourceParamDTO baseDataSourceParamDTO) {
        checkHost(baseDataSourceParamDTO.getHost());
@ -76,6 +81,9 @@ public abstract class AbstractDataSourceProcessor implements DataSourceProcessor
        if (MapUtils.isEmpty(other)) {
            return;
        }
+        if (!Sets.intersection(other.keySet(), POSSIBLE_MALICIOUS_KEYS).isEmpty()) {
+            throw new IllegalArgumentException("Other params include possible malicious keys.");
+        }
        boolean paramsCheck = other.entrySet().stream().allMatch(p -> PARAMS_PATTER.matcher(p.getValue()).matches());
        if (!paramsCheck) {
            throw new IllegalArgumentException("datasource other params illegal");
@ -85,6 +93,7 @@ public abstract class AbstractDataSourceProcessor implements DataSourceProcessor
    @Override
    public String getDatasourceUniqueId(ConnectionParam connectionParam, DbType dbType) {
        BaseConnectionParam baseConnectionParam = (BaseConnectionParam) connectionParam;
-        return MessageFormat.format("{0}@{1}@{2}@{3}", dbType.getDescp(), baseConnectionParam.getUser(), PasswordUtils.encodePassword(baseConnectionParam.getPassword()), baseConnectionParam.getJdbcUrl());
+        return MessageFormat.format("{0}@{1}@{2}@{3}", dbType.getDescp(), baseConnectionParam.getUser(),
+                PasswordUtils.encodePassword(baseConnectionParam.getPassword()), baseConnectionParam.getJdbcUrl());
    }
 }
--- a/dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/test/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessorTest.java
+++ b/dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/test/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessorTest.java
@ -43,4 +43,12 @@ public class AbstractDataSourceProcessorTest {
        other.put("arg0", "%");
        doThrow(new IllegalArgumentException()).when(mockDataSourceProcessor).checkOther(other);
    }
-}
+
+    @Test
+    public void shouldNotIncludeMaliciousParams() {
+        AbstractDataSourceProcessor mockDataSourceProcessor = mock(AbstractDataSourceProcessor.class);
+        Map<String, String> other = new HashMap<>();
+        other.put("allowLoadLocalInfile", "whatever");
+        doThrow(new IllegalArgumentException()).when(mockDataSourceProcessor).checkOther(other);
+    }
+}