fix switch js (#15487)

Co-authored-by: Rick Cheng <rickchengx@gmail.com> Co-authored-by: Eric Gao <ericgao.apache@gmail.com>
10 months ago · ef9ed3db55
2 changed files with 31 additions and 0 deletions
--- a/dolphinscheduler-master/src/main/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtils.java
+++ b/dolphinscheduler-master/src/main/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtils.java
@ -23,6 +23,7 @@ import org.apache.dolphinscheduler.plugin.task.api.utils.ParameterUtils;
 import org.apache.commons.collections4.MapUtils;

 import java.util.Map;
+import java.util.Set;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;

@ -33,6 +34,7 @@ import javax.script.ScriptException;
 import lombok.extern.slf4j.Slf4j;

 import com.google.common.collect.Maps;
+import com.google.common.collect.Sets;

@Slf4j
 public class SwitchTaskUtils {
@ -41,6 +43,15 @@ public class SwitchTaskUtils {
    private static final ScriptEngine engine;
    private static final String rgex = "['\"]*\\$\\{(.*?)\\}['\"]*";

+    private static final Set<String> blackKeySet = Sets.newHashSet(
+            "java",
+            "invoke",
+            "new",
+            "eval",
+            "function",
+            "import",
+            "\\\\");
+
    static {
        manager = new ScriptEngineManager();
        engine = manager.getEngineByName("js");
@ -83,6 +94,12 @@ public class SwitchTaskUtils {
            content = content.replace("${" + paramName + "}", value);
        }

+        for (String blackKey : blackKeySet) {
+            if (content.contains(blackKey)) {
+                throw new IllegalArgumentException("condition is not valid, please check it. condition: " + condition);
+            }
+        }
+
        // if not replace any params, throw exception to avoid illegal condition
        if (originContent.equals(content)) {
            throw new IllegalArgumentException("condition is not valid, please check it. condition: " + condition);
--- a/dolphinscheduler-master/src/test/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtilsTest.java
+++ b/dolphinscheduler-master/src/test/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtilsTest.java
@ -52,5 +52,19 @@ public class SwitchTaskUtilsTest {
        Assertions.assertThrowsExactly(IllegalArgumentException.class, () -> {
            SwitchTaskUtils.generateContentWithTaskParams(content, globalParams, varParams);
        });
+
+        String cmd = "bash /tmp/shell";
+        String cmdContent = "java.lang.Runtime.getRuntime().exec(\"${cmd}\")";
+        globalParams.put("cmd", new Property("cmd", Direct.IN, DataType.VARCHAR, cmd));
+        Assertions.assertThrowsExactly(IllegalArgumentException.class, () -> {
+            SwitchTaskUtils.generateContentWithTaskParams(cmdContent, globalParams, varParams);
+        });
+
+        String contentWithUnicode =
+                "\\\\u006a\\\\u0061\\\\u0076\\\\u0061\\\\u002e\\\\u006c\\\\u0061\\\\u006e\\\\u0067\\\\u002e\\\\u0052\\\\u0075\\\\u006e\\\\u0074\\\\u0069\\\\u006d\\\\u0065.getRuntime().exec(\\\"open -a Calculator.app\\";
+        Assertions.assertThrowsExactly(IllegalArgumentException.class, () -> {
+            SwitchTaskUtils.generateContentWithTaskParams(contentWithUnicode, globalParams, varParams);
+        });
+
    }
 }