
fix switch js (#15487)

Co-authored-by: Rick Cheng <rickchengx@gmail.com>
Co-authored-by: Eric Gao <ericgao.apache@gmail.com>
dev_wenjun_refactorMaster
caishunfeng 10 months ago committed by GitHub
parent
commit
ef9ed3db55
  1. 17
      dolphinscheduler-master/src/main/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtils.java
  2. 14
      dolphinscheduler-master/src/test/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtilsTest.java

17
dolphinscheduler-master/src/main/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtils.java

@ -23,6 +23,7 @@ import org.apache.dolphinscheduler.plugin.task.api.utils.ParameterUtils;
import org.apache.commons.collections4.MapUtils; import org.apache.commons.collections4.MapUtils;
import java.util.Map; import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher; import java.util.regex.Matcher;
import java.util.regex.Pattern; import java.util.regex.Pattern;
@ -33,6 +34,7 @@ import javax.script.ScriptException;
import lombok.extern.slf4j.Slf4j; import lombok.extern.slf4j.Slf4j;
import com.google.common.collect.Maps; import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
@Slf4j @Slf4j
public class SwitchTaskUtils { public class SwitchTaskUtils {
@ -41,6 +43,15 @@ public class SwitchTaskUtils {
private static final ScriptEngine engine; private static final ScriptEngine engine;
private static final String rgex = "['\"]*\\$\\{(.*?)\\}['\"]*"; private static final String rgex = "['\"]*\\$\\{(.*?)\\}['\"]*";
private static final Set<String> blackKeySet = Sets.newHashSet(
"java",
"invoke",
"new",
"eval",
"function",
"import",
"\\\\");
static { static {
manager = new ScriptEngineManager(); manager = new ScriptEngineManager();
engine = manager.getEngineByName("js"); engine = manager.getEngineByName("js");
@ -83,6 +94,12 @@ public class SwitchTaskUtils {
content = content.replace("${" + paramName + "}", value); content = content.replace("${" + paramName + "}", value);
} }
for (String blackKey : blackKeySet) {
if (content.contains(blackKey)) {
throw new IllegalArgumentException("condition is not valid, please check it. condition: " + condition);
}
}
// if not replace any params, throw exception to avoid illegal condition // if not replace any params, throw exception to avoid illegal condition
if (originContent.equals(content)) { if (originContent.equals(content)) {
throw new IllegalArgumentException("condition is not valid, please check it. condition: " + condition); throw new IllegalArgumentException("condition is not valid, please check it. condition: " + condition);
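Review bot: The denylist loop at `for (String blackKey : blackKeySet)` is a case-sensitive substring match over the fully substituted script, which over-rejects legitimate input (a parameter value such as `renew` or a quoted string containing `import` now fails with IllegalArgumentException) and still under-protects, because a fixed substring list cannot enumerate every spelling under which a script engine exposes host classes. A stronger shape is to accept only the expression grammar a switch condition actually needs (literals, comparison operators, `&&`/`||`, parentheses) through an allowlist regex, and, if the `js` engine resolved in the static block is Nashorn, to create it through `NashornScriptEngineFactory.getScriptEngine(ClassFilter)` with a filter that denies every class so host access is blocked regardless of how it is written. The `"\\\\"` entry only rejects a doubled backslash; it is not clear from the hunk why a single backslash escape is acceptable, so confirm this against how the condition string reaches the engine. The two rejection branches also share one message; `"condition contains forbidden token '" + blackKey + "': " + condition` would make triage from logs easier without exposing anything the caller did not submit. The enclosing method begins before this hunk.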

14
dolphinscheduler-master/src/test/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtilsTest.java

@ -52,5 +52,19 @@ public class SwitchTaskUtilsTest {
Assertions.assertThrowsExactly(IllegalArgumentException.class, () -> { Assertions.assertThrowsExactly(IllegalArgumentException.class, () -> {
SwitchTaskUtils.generateContentWithTaskParams(content, globalParams, varParams); SwitchTaskUtils.generateContentWithTaskParams(content, globalParams, varParams);
}); });
String cmd = "bash /tmp/shell";
String cmdContent = "java.lang.Runtime.getRuntime().exec(\"${cmd}\")";
globalParams.put("cmd", new Property("cmd", Direct.IN, DataType.VARCHAR, cmd));
Assertions.assertThrowsExactly(IllegalArgumentException.class, () -> {
SwitchTaskUtils.generateContentWithTaskParams(cmdContent, globalParams, varParams);
});
String contentWithUnicode =
"\\\\u006a\\\\u0061\\\\u0076\\\\u0061\\\\u002e\\\\u006c\\\\u0061\\\\u006e\\\\u0067\\\\u002e\\\\u0052\\\\u0075\\\\u006e\\\\u0074\\\\u0069\\\\u006d\\\\u0065.getRuntime().exec(\\\"open -a Calculator.app\\";
Assertions.assertThrowsExactly(IllegalArgumentException.class, () -> {
SwitchTaskUtils.generateContentWithTaskParams(contentWithUnicode, globalParams, varParams);
});
} }
} }
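Review bot: The three new cases only assert the rejection path, so a false positive from the substring denylist (for example a parameter value like `renew` or `"import"` inside a quoted string) would not be caught by this test. Add at least one positive case in the same method, e.g. `globalParams.put("name", new Property("name", Direct.IN, DataType.VARCHAR, "renew"));` followed by `Assertions.assertDoesNotThrow(() -> SwitchTaskUtils.generateContentWithTaskParams("${name} == 'renew'", globalParams, varParams));`, so the filter's precision is pinned alongside its recall. The `contentWithUnicode` literal is also hard to read as written; a one-line comment stating that it is `java.lang.Runtime` spelled with doubled-backslash unicode escapes would explain what the case guards against. The enclosing test method begins before this hunk.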
