Commit 1b700028 (unverified signature)
Authored on Nov 16, 2022 by Wenjun Ruan
Committed by GitHub on Nov 16, 2022
Script cannot contain ''' in params (#12067) (#12913)
(cherry picked from commit cb4ef54a)
Parent: 920ccb1c
Showing 2 changed files with 32 additions and 5 deletions (+32 -5)
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/main/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSender.java (+24 -5)
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/test/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSenderTest.java (+8 -0)
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/main/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSender.java
@@ -18,14 +18,15 @@
package
org.apache.dolphinscheduler.plugin.alert.script
;
import
org.apache.dolphinscheduler.alert.api.AlertResult
;
import
org.apache.dolphinscheduler.spi.utils.StringUtils
;
import
org.slf4j.Logger
;
import
org.slf4j.LoggerFactory
;
import
org.apache.dolphinscheduler.spi.utils.StringUtils
;
import
java.io.File
;
import
java.util.Map
;
public
final
class
ScriptSender
{
private
static
final
Logger
logger
=
LoggerFactory
.
getLogger
(
ScriptSender
.
class
);
private
static
final
String
ALERT_TITLE_OPTION
=
" -t "
;
private
static
final
String
ALERT_CONTENT_OPTION
=
" -c "
;
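Review bot: the visible change in this hunk is the `org.apache.dolphinscheduler.spi.utils.StringUtils` import moving from before the `org.slf4j` imports to after them, which is an import-ordering change unrelated to the quote check this commit adds. In a cherry-picked security fix it is better either dropped or justified as required by the project's checkstyle import grouping; either way, confirm that `StringUtils` is still referenced in the class after the change so the moved import is not left unused.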
@@ -66,22 +67,40 @@ public final class ScriptSender {
alertResult
.
setMessage
(
"shell script not support windows os"
);
return
alertResult
;
}
//validate script path in case of injections
//
validate script path in case of injections
File
shellScriptFile
=
new
File
(
scriptPath
);
//validate existence
//
validate existence
if
(!
shellScriptFile
.
exists
())
{
logger
.
error
(
"shell script not exist : {}"
,
scriptPath
);
alertResult
.
setMessage
(
"shell script not exist : "
+
scriptPath
);
return
alertResult
;
}
//validate is file
//
validate is file
if
(!
shellScriptFile
.
isFile
())
{
logger
.
error
(
"shell script is not a file : {}"
,
scriptPath
);
alertResult
.
setMessage
(
"shell script is not a file : "
+
scriptPath
);
return
alertResult
;
}
String
[]
cmd
=
{
"/bin/sh"
,
"-c"
,
scriptPath
+
ALERT_TITLE_OPTION
+
"'"
+
title
+
"'"
+
ALERT_CONTENT_OPTION
+
"'"
+
content
+
"'"
+
ALERT_USER_PARAMS_OPTION
+
"'"
+
userParams
+
"'"
};
// avoid command injection (RCE vulnerability)
if
(
userParams
.
contains
(
"'"
))
{
logger
.
error
(
"shell script illegal user params : {}"
,
userParams
);
alertResult
.
setMessage
(
"shell script illegal user params : "
+
userParams
);
return
alertResult
;
}
if
(
title
.
contains
(
"'"
))
{
logger
.
error
(
"shell script illegal title : {}"
,
title
);
alertResult
.
setMessage
(
"shell script illegal title : "
+
title
);
return
alertResult
;
}
if
(
content
.
contains
(
"'"
))
{
logger
.
error
(
"shell script illegal content : {}"
,
content
);
alertResult
.
setMessage
(
"shell script illegal content : "
+
content
);
return
alertResult
;
}
String
[]
cmd
=
{
"/bin/sh"
,
"-c"
,
scriptPath
+
ALERT_TITLE_OPTION
+
"'"
+
title
+
"'"
+
ALERT_CONTENT_OPTION
+
"'"
+
content
+
"'"
+
ALERT_USER_PARAMS_OPTION
+
"'"
+
userParams
+
"'"
};
int
exitCode
=
ProcessUtils
.
executeScript
(
cmd
);
if
(
exitCode
==
0
)
{
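Review bot: the new `contains("'")` checks cover `userParams`, `title` and `content`, but `scriptPath` is still concatenated unquoted at the front of the single string handed to `/bin/sh -c`, and the `exists()` / `isFile()` checks on `shellScriptFile` do not stop a path containing spaces or shell metacharacters from being split or interpreted by `sh`. The more robust fix is to not go through the shell at all: pass the script and its options as separate argv elements, e.g. `{scriptPath, "-t", title, "-c", content, ...}` (assuming `ProcessUtils.executeScript` passes the array through as argv), so that no character in any argument can change the command and the quote blocklist becomes unnecessary. If the `/bin/sh -c` string form has to stay, rejecting `'` is the right minimum for sh single-quoted arguments, since nothing else is special inside them, but the refused value should not then be copied verbatim into `alertResult.setMessage(...)` and the error log: that is precisely the untrusted input that was just rejected.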
dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/test/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSenderTest.java
@@ -80,4 +80,12 @@ public class ScriptSenderTest {
Assert
.
assertEquals
(
"false"
,
alertResult
.
getStatus
());
}
@Test
public
void
testScriptSenderInjectionTest
()
{
scriptConfig
.
put
(
ScriptParamsConstants
.
NAME_SCRIPT_USER_PARAMS
,
"' ; calc.exe ; '"
);
ScriptSender
scriptSender
=
new
ScriptSender
(
scriptConfig
);
AlertResult
alertResult
=
scriptSender
.
sendScriptAlert
(
"test title Kris"
,
"test content"
);
Assert
.
assertEquals
(
"false"
,
alertResult
.
getStatus
());
}
}
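Review bot: the new test asserts only that `alertResult.getStatus()` is `"false"`, but `sendScriptAlert` returns that same status when the script path does not exist or is not a file, so the test would still pass if the illegal-params branch were removed. Assert on the message as well (the code sets `"shell script illegal user params : "` followed by the value), and add the equivalent cases for a `'` in `title` and in `content`, since those checks are introduced in the same commit but have no test here.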