diff --git a/dolphinscheduler-master/src/main/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtils.java b/dolphinscheduler-master/src/main/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtils.java
index 4e1c303138..f4ebd0c60c 100644
--- a/dolphinscheduler-master/src/main/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtils.java
+++ b/dolphinscheduler-master/src/main/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtils.java
@@ -23,6 +23,7 @@ import org.apache.dolphinscheduler.plugin.task.api.utils.ParameterUtils;
 import org.apache.commons.collections4.MapUtils;
 
 import java.util.Map;
+import java.util.Set;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -33,6 +34,7 @@ import javax.script.ScriptException;
 import lombok.extern.slf4j.Slf4j;
 
 import com.google.common.collect.Maps;
+import com.google.common.collect.Sets;
 
 @Slf4j
 public class SwitchTaskUtils {
@@ -41,6 +43,15 @@ public class SwitchTaskUtils {
     private static final ScriptEngine engine;
     private static final String rgex = "['\"]*\\$\\{(.*?)\\}['\"]*";
 
+    private static final Set blackKeySet = Sets.newHashSet(
+            "java",
+            "invoke",
+            "new",
+            "eval",
+            "function",
+            "import",
+            "\\\\");
+
     static {
         manager = new ScriptEngineManager();
         engine = manager.getEngineByName("js");
@@ -83,6 +94,12 @@ public class SwitchTaskUtils {
             content = content.replace("${" + paramName + "}", value);
         }
 
+        for (String blackKey : blackKeySet) {
+            if (content.contains(blackKey)) {
+                throw new IllegalArgumentException("condition is not valid, please check it. condition: " + condition);
+            }
+        }
+
         // if not replace any params, throw exception to avoid illegal condition
         if (originContent.equals(content)) {
             throw new IllegalArgumentException("condition is not valid, please check it. condition: " + condition);
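Review bot: The `"\\\\"` entry in `blackKeySet` is a Java literal for two consecutive backslash characters, so a condition that spells a keyword with ordinary single-backslash escapes (`\u006a\u0061\u0076\u0061`, which is how a JS engine would read `java`) is not matched at all; a single backslash, `"\\"`, would cover both forms, and the entries deserve a comment stating that they are matched as case-sensitive substrings. Case-sensitivity also matters for the `"java"` entry: if the engine returned by `getEngineByName("js")` is Nashorn, `Java.type(...)` and `Packages.` are alternative routes to the JDK, and the first of them contains no lowercase `java`. The field appears here as a raw `Set` (possibly `<String>` was lost in rendering); as written, `for (String blackKey : blackKeySet)` in the later hunk would not compile against a raw set, so it should read `private static final Set<String> blackKeySet = Sets.newHashSet(`. The enclosing class body continues outside this hunk.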
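Review bot: The substring loop added before the `originContent.equals(content)` check is not a sandbox for text that is later handed to a general-purpose script engine, and because it runs on the substituted content it also rejects benign parameter values: a `${city}` value of `newyork` or a `${action}` of `import_done` fails the whole condition, while anything reachable without one of the seven tokens (split string concatenation, single-backslash escapes, engine globals that avoid the lowercase spellings) passes through. I would treat the engine as the real trust boundary and restrict it directly — a class filter or equivalent so the expression cannot reach JDK classes regardless of its spelling — and, for the lexical check, move from deny-listing tokens to accepting only what a switch condition legitimately needs (identifiers, numeric and quoted-string literals, comparison and boolean operators), deny-by-default. Until then the loop should carry a comment making the limitation explicit, e.g. `// Best-effort lexical filter only: it is bypassable and must not be relied on as the sandbox for the script engine.` The enclosing method starts before this hunk, so I cannot see how `condition` and `originContent` are derived.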
diff --git a/dolphinscheduler-master/src/test/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtilsTest.java b/dolphinscheduler-master/src/test/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtilsTest.java
index 044e916f56..18e97f8e80 100644
--- a/dolphinscheduler-master/src/test/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtilsTest.java
+++ b/dolphinscheduler-master/src/test/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtilsTest.java
@@ -52,5 +52,19 @@ public class SwitchTaskUtilsTest {
         Assertions.assertThrowsExactly(IllegalArgumentException.class, () -> {
             SwitchTaskUtils.generateContentWithTaskParams(content, globalParams, varParams);
         });
+
+        String cmd = "bash /tmp/shell";
+        String cmdContent = "java.lang.Runtime.getRuntime().exec(\"${cmd}\")";
+        globalParams.put("cmd", new Property("cmd", Direct.IN, DataType.VARCHAR, cmd));
+        Assertions.assertThrowsExactly(IllegalArgumentException.class, () -> {
+            SwitchTaskUtils.generateContentWithTaskParams(cmdContent, globalParams, varParams);
+        });
+
+        String contentWithUnicode =
+                "\\\\u006a\\\\u0061\\\\u0076\\\\u0061\\\\u002e\\\\u006c\\\\u0061\\\\u006e\\\\u0067\\\\u002e\\\\u0052\\\\u0075\\\\u006e\\\\u0074\\\\u0069\\\\u006d\\\\u0065.getRuntime().exec(\\\"open -a Calculator.app\\";
+        Assertions.assertThrowsExactly(IllegalArgumentException.class, () -> {
+            SwitchTaskUtils.generateContentWithTaskParams(contentWithUnicode, globalParams, varParams);
+        });
+
     }
 }
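Review bot: The `contentWithUnicode` case does not demonstrate that the blacklist rejects an escaped payload: the input contains no `${...}` placeholder, so the pre-existing "no parameter was replaced" check throws regardless of the new filter, and the literal is written as `\\\\u006a`, i.e. two backslash characters, which is what trips the `\\\\` entry rather than a real JS unicode escape. A discriminating version substitutes a parameter and uses single-backslash escapes, e.g. `String contentWithUnicode = "\\u006a\\u0061\\u0076\\u0061.lang.Runtime.getRuntime().exec(\"${cmd}\")";` — as far as I can tell from the main-side hunk that input passes the filter today, so the assertion would fail and record the gap. A positive case, asserting that a benign condition such as `${flag} == true` does not throw, would also make the filter's false-positive surface visible in the tests. The test method starts before this hunk.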