peacewong pushed a commit to branch dev-1.3.1
in repository https://gitbox.apache.org/repos/asf/linkis.git
The following commit(s) were added to refs/heads/dev-1.3.1 by this push:
new 8e804ff2e deal with url encode (#4113)
8e804ff2e is described below
commit 8e804ff2e3c2ef55b92a206c38b6a9925f466670
Author: aiceflower <[email protected]>
AuthorDate: Thu Jan 12 20:22:50 2023 +0800
deal with url encode (#4113)
---
.../apache/linkis/common/utils/SecurityUtils.java | 20 +++++++++++++++++++
.../linkis/common/utils/SecurityUtilsTest.java | 23 ++++++++++++++++++++++
2 files changed, 43 insertions(+)
diff --git
a/linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java
b/linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java
index 5333b2432..f7158b489 100644
---
a/linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java
+++
b/linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java
@@ -23,6 +23,8 @@ import
org.apache.linkis.common.exception.LinkisSecurityException;
import org.apache.commons.lang3.StringUtils;
+import java.io.UnsupportedEncodingException;
+import java.net.URLDecoder;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
@@ -93,6 +95,12 @@ public abstract class SecurityUtils {
if (StringUtils.isBlank(url)) {
throw new LinkisSecurityException(35000, "Invalid mysql connection cul,
url is empty");
}
+ // deal with url encode
+ try {
+ url = URLDecoder.decode(url, "UTF-8");
+ } catch (UnsupportedEncodingException e) {
+ throw new LinkisSecurityException(35000, "mysql connection cul decode
error: " + e);
+ }
if (url.endsWith(QUESTION_MARK) || !url.contains(QUESTION_MARK)) {
logger.info("checkJdbcSecurity target url: {}", url);
return url;
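Review bot: `URLDecoder.decode` throws `IllegalArgumentException` on a malformed escape such as a lone `%`, and the new `catch` handles only `UnsupportedEncodingException`, so a bad URL surfaces as an unchecked exception instead of `LinkisSecurityException`; the decode added in the params-map overload (hunk at -126) has the same gap. Suggest `} catch (UnsupportedEncodingException | IllegalArgumentException e) {` in both places. The decode is also a single pass, so input that is still percent-encoded afterwards reaches the parameter checks in encoded form. If whatever consumes the returned URL decodes again (not visible here), the check and the driver would see different parameter names; consider rejecting a URL whose decoded form still contains `%`, or decoding until the string stops changing, with a small iteration cap. The method body continues outside the hunk.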
@@ -126,6 +134,18 @@ public abstract class SecurityUtils {
return paramsMap;
}
+ // deal with url encode
+ String paramUrl = parseParamsMapToMysqlParamUrl(paramsMap);
+ try {
+ paramUrl = URLDecoder.decode(paramUrl, "UTF-8");
+ } catch (UnsupportedEncodingException e) {
+ throw new LinkisSecurityException(35000, "mysql connection cul decode
error: " + e);
+ }
+
+ Map<String, Object> newParamsMap = parseMysqlUrlParamsToMap(paramUrl);
+ paramsMap.clear();
+ paramsMap.putAll(newParamsMap);
+
Iterator<Map.Entry<String, Object>> iterator =
paramsMap.entrySet().iterator();
while (iterator.hasNext()) {
Map.Entry<String, Object> entry = iterator.next();
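Review bot: Decoding the whole serialized parameter string and re-parsing it lets a decoded `&` or `=` inside one value (`%26`, `%3D`) re-split that entry into different keys and values, and `URLDecoder` also turns `+` into a space, so legitimate values in the caller's map can be changed by the `clear()`/`putAll()` that follows. Non-String values presumably come back as strings after the round trip, though `parseMysqlUrlParamsToMap` is not visible here. Decoding each key and each String value on its own keeps the entry boundaries intact and still feeds decoded names to the checks in the iterator loop. The method starts and ends outside this hunk.

```java
// … unchanged: early return of paramsMap above …
Map<String, Object> decodedParams = new LinkedHashMap<>();
try {
  for (Map.Entry<String, Object> entry : paramsMap.entrySet()) {
    Object value = entry.getValue();
    if (value instanceof String) {
      value = URLDecoder.decode((String) value, "UTF-8");
    }
    decodedParams.put(URLDecoder.decode(entry.getKey(), "UTF-8"), value);
  }
} catch (UnsupportedEncodingException | IllegalArgumentException e) {
  throw new LinkisSecurityException(35000, "mysql connection cul decode error: " + e);
}
paramsMap.clear();
paramsMap.putAll(decodedParams);
// … unchanged: iterator loop over paramsMap.entrySet() …
```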
diff --git
a/linkis-commons/linkis-common/src/test/java/org/apache/linkis/common/utils/SecurityUtilsTest.java
b/linkis-commons/linkis-common/src/test/java/org/apache/linkis/common/utils/SecurityUtilsTest.java
index 9d4893e46..4fdca7b82 100644
---
a/linkis-commons/linkis-common/src/test/java/org/apache/linkis/common/utils/SecurityUtilsTest.java
+++
b/linkis-commons/linkis-common/src/test/java/org/apache/linkis/common/utils/SecurityUtilsTest.java
@@ -91,6 +91,15 @@ public class SecurityUtilsTest {
SecurityUtils.checkJdbcSecurity(atomUrl.get());
});
+ // url encode
+ url = "jdbc:mysql://127.0.0.1:10000/db_name?allowLocalInfil%65=true";
+ atomUrl.set(url);
+ Assertions.assertThrows(
+ LinkisSecurityException.class,
+ () -> {
+ SecurityUtils.checkJdbcSecurity(atomUrl.get());
+ });
+
// value is not security
url = "jdbc:mysql://127.0.0.1:10000/db_name?p1=allowLocalInfile";
atomUrl.set(url);
@@ -117,6 +126,11 @@ public class SecurityUtilsTest {
Map<String, Object> newMap = SecurityUtils.checkJdbcSecurity(paramsMap);
Assertions.assertEquals("v1", newMap.get("p1"));
+ // key not security
+ paramsMap.put("allowLocalInfil%67", "true");
+ SecurityUtils.checkJdbcSecurity(paramsMap);
+ Assertions.assertEquals("true", newMap.get("allowLocalInfilg"));
+
// key not security
paramsMap.put("allowLocalInfile", "false");
Assertions.assertThrows(
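Review bot: The new assertion reads `newMap`, which was returned by the earlier `checkJdbcSecurity(paramsMap)` call, while the result of the new call is discarded; it passes only if the method returns the same map instance it mutates. Capturing the result makes the test independent of that aliasing, e.g. `Map<String, Object> decodedMap = SecurityUtils.checkJdbcSecurity(paramsMap);` followed by `Assertions.assertEquals("true", decodedMap.get("allowLocalInfilg"));`. The `// key not security` comment is also misleading for this case, since `%67` decodes to `g` and the key is expected to be accepted; something like `// encoded key that decodes to a harmless name is kept, decoded` would match what is asserted.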
@@ -134,6 +148,15 @@ public class SecurityUtilsTest {
SecurityUtils.checkJdbcSecurity(paramsMap);
});
+ // value not security
+ paramsMap.clear();
+ paramsMap.put("p1", "allowLocalInfil%65");
+ Assertions.assertThrows(
+ LinkisSecurityException.class,
+ () -> {
+ SecurityUtils.checkJdbcSecurity(paramsMap);
+ });
+
// contains #
paramsMap.clear();
paramsMap.put("p1#", "v1");