[Improvement] Use safe constructor with snake yaml (#15758)

6 months ago · dc306bfa1d
6 changed files with 97 additions and 5 deletions
--- a/dolphinscheduler-common/src/main/java/org/apache/dolphinscheduler/common/utils/ClassFilterConstructor.java
+++ b/dolphinscheduler-common/src/main/java/org/apache/dolphinscheduler/common/utils/ClassFilterConstructor.java
@ -0,0 +1,50 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.apache.dolphinscheduler.common.utils;
+
+import lombok.extern.slf4j.Slf4j;
+
+import org.yaml.snakeyaml.LoaderOptions;
+import org.yaml.snakeyaml.constructor.Constructor;
+
+/**
+ * Whitelist constructor implementation for YAML snake.
+ * Copied from Apache ShardingSphere and Apache Skywalking.
+ */
+@Slf4j
+public final class ClassFilterConstructor extends Constructor {
+
+    private final Class<?>[] acceptClasses;
+
+    public ClassFilterConstructor(final Class<?>[] acceptClasses) {
+        super(new LoaderOptions());
+        this.acceptClasses = acceptClasses;
+    }
+
+    @Override
+    protected Class<?> getClassForName(final String name) throws ClassNotFoundException {
+        for (Class<? extends Object> each : acceptClasses) {
+            if (name.equals(each.getName())) {
+                log.info("name - {} : class - {}", name, super.getClassForName(name));
+                return super.getClassForName(name);
+            }
+        }
+        throw new IllegalArgumentException(String.format("Class is not accepted: %s", name));
+    }
+}
--- a/dolphinscheduler-task-plugin/dolphinscheduler-task-api/src/main/java/org/apache/dolphinscheduler/plugin/task/api/k8s/AbstractK8sTaskExecutor.java
+++ b/dolphinscheduler-task-plugin/dolphinscheduler-task-api/src/main/java/org/apache/dolphinscheduler/plugin/task/api/k8s/AbstractK8sTaskExecutor.java
@ -17,12 +17,14 @@

 package org.apache.dolphinscheduler.plugin.task.api.k8s;

+import org.apache.dolphinscheduler.common.utils.ClassFilterConstructor;
 import org.apache.dolphinscheduler.plugin.task.api.TaskException;
 import org.apache.dolphinscheduler.plugin.task.api.TaskExecutionContext;
 import org.apache.dolphinscheduler.plugin.task.api.model.TaskResponse;
 import org.apache.dolphinscheduler.plugin.task.api.utils.K8sUtils;

 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;

 import org.yaml.snakeyaml.Yaml;
@ -36,7 +38,10 @@ public abstract class AbstractK8sTaskExecutor {
    protected AbstractK8sTaskExecutor(TaskExecutionContext taskRequest) {
        this.taskRequest = taskRequest;
        this.k8sUtils = new K8sUtils();
-        this.yaml = new Yaml();
+        this.yaml = new Yaml(new ClassFilterConstructor(new Class[]{
+                List.class,
+                String.class
+        }));
        this.taskOutputParams = new HashMap<>();
    }
    public Map<String, String> getTaskOutputParams() {
--- a/dolphinscheduler-task-plugin/dolphinscheduler-task-api/src/main/java/org/apache/dolphinscheduler/plugin/task/api/loop/template/http/parser/HttpTaskDefinitionParser.java
+++ b/dolphinscheduler-task-plugin/dolphinscheduler-task-api/src/main/java/org/apache/dolphinscheduler/plugin/task/api/loop/template/http/parser/HttpTaskDefinitionParser.java
@ -17,6 +17,7 @@

 package org.apache.dolphinscheduler.plugin.task.api.loop.template.http.parser;

+import org.apache.dolphinscheduler.common.utils.ClassFilterConstructor;
 import org.apache.dolphinscheduler.plugin.task.api.loop.template.LoopTaskYamlDefinition;
 import org.apache.dolphinscheduler.plugin.task.api.loop.template.TaskDefinitionParser;
 import org.apache.dolphinscheduler.plugin.task.api.loop.template.http.HttpLoopTaskDefinition;
@ -28,11 +29,11 @@ import org.apache.commons.lang3.StringUtils;

 import java.io.FileReader;
 import java.io.IOException;
+import java.util.Map;

 import lombok.NonNull;

 import org.yaml.snakeyaml.Yaml;
-import org.yaml.snakeyaml.constructor.Constructor;

 import com.google.common.base.Preconditions;

@ -60,9 +61,20 @@ public class HttpTaskDefinitionParser implements TaskDefinitionParser<HttpLoopTa
    }

    protected @NonNull LoopTaskYamlDefinition parseYamlConfigFile(@NonNull String yamlConfigFile) throws IOException {
-        Yaml yaml = new Yaml(new Constructor(LoopTaskYamlDefinition.class));
        try (FileReader fileReader = new FileReader(yamlConfigFile)) {
-            return yaml.load(fileReader);
+            return new Yaml(new ClassFilterConstructor(new Class[]{
+                    LoopTaskYamlDefinition.class,
+                    LoopTaskYamlDefinition.LoopTaskServiceYamlDefinition.class,
+                    LoopTaskYamlDefinition.LoopTaskAPIYamlDefinition.class,
+                    LoopTaskYamlDefinition.LoopTaskSubmitMethodYamlDefinition.class,
+                    LoopTaskYamlDefinition.LoopTaskQueryStateYamlDefinition.class,
+                    LoopTaskYamlDefinition.LoopTaskCancelYamlDefinition.class,
+                    LoopTaskYamlDefinition.LoopTaskMethodYamlDefinition.class,
+                    LoopTaskYamlDefinition.LoopTaskQueryStateYamlDefinition.class,
+                    Map.class,
+                    String.class
+            }))
+                    .loadAs(fileReader, LoopTaskYamlDefinition.class);
        }
    }

--- a/dolphinscheduler-task-plugin/dolphinscheduler-task-api/src/test/java/org/apache/dolphinscheduler/plugin/task/api/k8s/K8sTaskExecutorTest.java
+++ b/dolphinscheduler-task-plugin/dolphinscheduler-task-api/src/test/java/org/apache/dolphinscheduler/plugin/task/api/k8s/K8sTaskExecutorTest.java
@ -24,6 +24,7 @@ import org.apache.dolphinscheduler.plugin.task.api.model.TaskResponse;

 import java.util.Arrays;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;

 import org.junit.jupiter.api.Assertions;
@ -99,4 +100,12 @@ public class K8sTaskExecutorTest {
        }
    }

+    @Test
+    public void testLoadYamlCorrectly() {
+        List<String> expectedCommands = Arrays.asList("perl", "-Mbignum=bpi", "-wle", "print bpi(2000)");
+        List<String> actualCommands =
+                k8sTaskExecutor.getJob().getSpec().getTemplate().getSpec().getContainers().get(0).getCommand();
+        Assertions.assertEquals(expectedCommands, actualCommands);
+    }
+
 }
--- a/dolphinscheduler-task-plugin/dolphinscheduler-task-api/src/test/java/org/apache/dolphinscheduler/plugin/task/api/loop/template/http/parser/HttpTaskDefinitionParserTest.java
+++ b/dolphinscheduler-task-plugin/dolphinscheduler-task-api/src/test/java/org/apache/dolphinscheduler/plugin/task/api/loop/template/http/parser/HttpTaskDefinitionParserTest.java
@ -20,6 +20,8 @@ package org.apache.dolphinscheduler.plugin.task.api.loop.template.http.parser;
 import org.apache.dolphinscheduler.plugin.task.api.loop.template.LoopTaskYamlDefinition;

 import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;

 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Test;
@ -32,11 +34,24 @@ public class HttpTaskDefinitionParserTest {
    @Test
    public void parseYamlConfigFile() throws IOException {
        LoopTaskYamlDefinition loopTaskYamlDefinition = new HttpTaskDefinitionParser().parseYamlConfigFile(yamlFile);
+        // check not null
        Assertions.assertNotNull(loopTaskYamlDefinition);
        Assertions.assertNotNull(loopTaskYamlDefinition.getService());
+        Assertions.assertNotNull(loopTaskYamlDefinition.getService().getName());
+        Assertions.assertNotNull(loopTaskYamlDefinition.getService().getType());
+        Assertions.assertNotNull(loopTaskYamlDefinition.getService().getApi());
+        Assertions.assertNotNull(loopTaskYamlDefinition.getService().getApi().getSubmit());
+        Assertions.assertNotNull(loopTaskYamlDefinition.getService().getApi().getQueryState());
+        Assertions.assertNotNull(loopTaskYamlDefinition.getService().getApi().getCancel());
+        // check data consistency
        LoopTaskYamlDefinition.LoopTaskServiceYamlDefinition service = loopTaskYamlDefinition.getService();
        Assertions.assertEquals("MockService", service.getName());
-        Assertions.assertNotNull(service.getApi());
+        Assertions.assertEquals("Http", service.getType());
+        Map<String, String> expectedHeaders = new HashMap<>();
+        expectedHeaders.put("Content-Type", "text/html");
+        expectedHeaders.put("Content-Length", "1234");
+        Assertions.assertEquals("/api/v1/submit", service.getApi().getSubmit().getUrl());
+        Assertions.assertEquals(expectedHeaders, service.getApi().getSubmit().getHttpHeaders());
    }

    @Test
--- a/dolphinscheduler-task-plugin/dolphinscheduler-task-api/src/test/resources/mock_loop_task.yaml
+++ b/dolphinscheduler-task-plugin/dolphinscheduler-task-api/src/test/resources/mock_loop_task.yaml
@ -22,6 +22,7 @@ service:
      url: /api/v1/submit
      method: POST
      dataType: Json
+      httpHeaders: { "Content-Type": "text/html", "Content-Length": "1234" }
      requestParams: { "taskId": "704" }
      taskInstanceIdJPath: "$.taskInstanceId[0]"
    queryState: