apache
DolphinScheduler
Commit 5811b84f (Unverified)
Authored Sep 16, 2022 by kezhenxu94
Committed by GitHub, Sep 16, 2022
Add validations of possible malicious keys (#11966)
Parent: 4ad34483
Showing 2 changed files with 19 additions and 2 deletions
dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/main/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessor.java (+10 -1)
dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/test/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessorTest.java (+9 -1)
dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/main/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessor.java
...
...
@@ -26,8 +26,11 @@ import org.apache.commons.collections4.MapUtils;
import
java.text.MessageFormat
;
import
java.util.Map
;
import
java.util.Set
;
import
java.util.regex.Pattern
;
import
com.google.common.collect.Sets
;
public
abstract
class
AbstractDataSourceProcessor
implements
DataSourceProcessor
{
private
static
final
Pattern
IPV4_PATTERN
=
Pattern
.
compile
(
"^[a-zA-Z0-9\\_\\-\\.\\,]+$"
);
...
...
@@ -38,6 +41,8 @@ public abstract class AbstractDataSourceProcessor implements DataSourceProcessor
private
static
final
Pattern
PARAMS_PATTER
=
Pattern
.
compile
(
"^[a-zA-Z0-9\\-\\_\\/\\@\\.]+$"
);
private
static
final
Set
<
String
>
POSSIBLE_MALICIOUS_KEYS
=
Sets
.
newHashSet
(
"allowLoadLocalInfile"
);
@Override
public
void
checkDatasourceParam
(
BaseDataSourceParamDTO
baseDataSourceParamDTO
)
{
checkHost
(
baseDataSourceParamDTO
.
getHost
());
...
...
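Review bot: POSSIBLE_MALICIOUS_KEYS is created with Sets.newHashSet, so although the field is static final the set itself stays mutable and code in this class can add or remove denylist entries at runtime. Prefer an immutable set, for example ImmutableSet.of("allowLoadLocalInfile") or Collections.singleton(...), and add a short comment stating why this key is rejected so later additions follow the same reasoning. A one-entry denylist also has to be maintained as drivers add options; an allowlist of accepted keys would not.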
@@ -76,6 +81,9 @@ public abstract class AbstractDataSourceProcessor implements DataSourceProcessor
if
(
MapUtils
.
isEmpty
(
other
))
{
return
;
}
if
(!
Sets
.
intersection
(
other
.
keySet
(),
POSSIBLE_MALICIOUS_KEYS
).
isEmpty
())
{
throw
new
IllegalArgumentException
(
"Other params include possible malicious keys."
);
}
boolean
paramsCheck
=
other
.
entrySet
().
stream
().
allMatch
(
p
->
PARAMS_PATTER
.
matcher
(
p
.
getValue
()).
matches
());
if
(!
paramsCheck
)
{
throw
new
IllegalArgumentException
(
"datasource other params illegal"
);
...
...
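Review bot: The new Sets.intersection(other.keySet(), POSSIBLE_MALICIOUS_KEYS) check compares keys as exact, case-sensitive strings, and the PARAMS_PATTER check that follows only matches p.getValue(), so keys are otherwise unvalidated. Normalise each key (trim, consistent case) before the comparison, or validate keys against an allowlist, so that a differently cased or padded spelling of a rejected key is not accepted. It would also help to log which key was rejected while keeping the exception message generic as it is now.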
@@ -85,6 +93,7 @@ public abstract class AbstractDataSourceProcessor implements DataSourceProcessor
@Override
public
String
getDatasourceUniqueId
(
ConnectionParam
connectionParam
,
DbType
dbType
)
{
BaseConnectionParam
baseConnectionParam
=
(
BaseConnectionParam
)
connectionParam
;
return
MessageFormat
.
format
(
"{0}@{1}@{2}@{3}"
,
dbType
.
getDescp
(),
baseConnectionParam
.
getUser
(),
PasswordUtils
.
encodePassword
(
baseConnectionParam
.
getPassword
()),
baseConnectionParam
.
getJdbcUrl
());
return
MessageFormat
.
format
(
"{0}@{1}@{2}@{3}"
,
dbType
.
getDescp
(),
baseConnectionParam
.
getUser
(),
PasswordUtils
.
encodePassword
(
baseConnectionParam
.
getPassword
()),
baseConnectionParam
.
getJdbcUrl
());
}
}
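Review bot: In getDatasourceUniqueId the return MessageFormat.format("{0}@{1}@{2}@{3}", ...) statement appears twice with identical tokens, which indicates a whitespace-only reformat unrelated to the key validation. Consider moving it to a separate commit so the security fix stays minimal and easy to backport.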
dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/test/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessorTest.java
...
...
@@ -43,4 +43,12 @@ public class AbstractDataSourceProcessorTest {
other
.
put
(
"arg0"
,
"%"
);
doThrow
(
new
IllegalArgumentException
()).
when
(
mockDataSourceProcessor
).
checkOther
(
other
);
}
}
\ No newline at end of file
@Test
public
void
shouldNotIncludeMaliciousParams
()
{
AbstractDataSourceProcessor
mockDataSourceProcessor
=
mock
(
AbstractDataSourceProcessor
.
class
);
Map
<
String
,
String
>
other
=
new
HashMap
<>();
other
.
put
(
"allowLoadLocalInfile"
,
"whatever"
);
doThrow
(
new
IllegalArgumentException
()).
when
(
mockDataSourceProcessor
).
checkOther
(
other
);
}
}
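Review bot: shouldNotIncludeMaliciousParams never exercises the new validation: mockDataSourceProcessor is a Mockito mock, and doThrow(new IllegalArgumentException()).when(mockDataSourceProcessor).checkOther(other) only stubs the mock to throw; it neither calls the real checkOther nor asserts anything. The test passes even if the POSSIBLE_MALICIOUS_KEYS check is removed. Call checkOther on a real instance (or a mock configured to call real methods), assert that IllegalArgumentException is thrown for the allowLoadLocalInfile key, and add a case showing that a harmless key is accepted.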