This is an automated email from the ASF dual-hosted git repository.
casion pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/linkis.git
The following commit(s) were added to refs/heads/master by this push:
new 7f3bf7e95f Add urlencode check for jdbc url in SecurityUtils.java and
fix password leak in HiveUtils.java (#5261)
7f3bf7e95f is described below
commit 7f3bf7e95f1314a142369bfb6803a882ef5500b7
Author: Le1a <[email protected]>
AuthorDate: Mon Sep 22 16:57:29 2025 +0800
Add urlencode check for jdbc url in SecurityUtils.java and fix password
leak in HiveUtils.java (#5261)
---
.../java/org/apache/linkis/common/utils/SecurityUtils.java | 13 +++++++++++++
.../java/org/apache/linkis/metadata/util/HiveUtils.java | 2 +-
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git
a/linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java
b/linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java
index c08d16b529..6716fc9395 100644
---
a/linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java
+++
b/linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java
@@ -124,6 +124,19 @@ public abstract class SecurityUtils {
// 4. Check url security, especially for the possibility of malicious
characters appearing on
// the host
+ try {
+ while (url.contains("%")) {
+ String decodedUrl = URLDecoder.decode(url, "UTF-8");
+ if (decodedUrl.equals(url)) {
+ // If the decomposition is the same as the original, avoid infinite
loop
+ break;
+ }
+ url = decodedUrl;
+ }
+ } catch (UnsupportedEncodingException e) {
+ logger.error("URL decode failed: {}", e.getMessage());
+ throw new LinkisSecurityException(35001, "URL decode failed.");
+ }
checkUrlIsSafe(url);
}
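Review bot: `URLDecoder.decode` throws `IllegalArgumentException` on a malformed or incomplete escape, and the added `catch` handles only `UnsupportedEncodingException`, so that case leaves this method as an unchecked exception instead of a `LinkisSecurityException`. The loop makes this reachable from well-formed input too: a URL containing `%25` decodes to a bare `%`, the `while (url.contains("%"))` condition holds again, and the second pass may throw unless the next two characters happen to be hex digits. The `equals` break does not cover it, since decode appears to either change a string containing `%` or throw. I would widen the handler to `} catch (UnsupportedEncodingException | IllegalArgumentException e) {` and reject the URL there. The enclosing method starts above the hunk, so whether the earlier checks and the later connection use the decoded or the original string cannot be seen from here.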
diff --git
a/linkis-public-enhancements/linkis-datasource/linkis-metadata/src/main/java/org/apache/linkis/metadata/util/HiveUtils.java
b/linkis-public-enhancements/linkis-datasource/linkis-metadata/src/main/java/org/apache/linkis/metadata/util/HiveUtils.java
index c85f96d91b..d2b8c45d0c 100644
---
a/linkis-public-enhancements/linkis-datasource/linkis-metadata/src/main/java/org/apache/linkis/metadata/util/HiveUtils.java
+++
b/linkis-public-enhancements/linkis-datasource/linkis-metadata/src/main/java/org/apache/linkis/metadata/util/HiveUtils.java
@@ -49,7 +49,7 @@ public class HiveUtils {
try {
res = new String(decoder.decode(str));
} catch (Throwable e) {
- logger.error(str + " decode failed", e);
+ logger.error("decode failed", e);
}
return res;
}
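Review bot: The new `logger.error("decode failed", e);` still passes the throwable, so whatever the decoder puts in its exception message is logged with the stack trace; `decoder` is declared outside the hunk, so it is worth confirming that its errors never echo the input. A comment above the call would keep the omission from being undone later, for example `// Do not log str: it may be an encoded credential.`. The method also continues after the failure and returns `res`, whose initial value is outside the hunk, so callers presumably need to treat that value as a decode failure.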