Thanks, I have no other problem, thanks a lot. It seems we have multiple CVEs caused by this.
On Wed, Nov 29, 2023 at 10:27 AM Snakinya <[email protected]> wrote:
> Hi,
>
> On the first picture, I set the database name to `test`, not `test?`.
>
> The second picture just needs the project code, and I put my code in it.
>
> Decoding the input param and checking whether `allowLoadLocalInfile` exists can solve this problem.
>
> If you still have questions, please let me know.
>
> Best regards,
>
> Snakinya
>
>
> wenjun <[email protected]> wrote on Fri, Nov 24, 2023 at 00:20:
>
>> Hi Zhiwei,
>>
>> Thanks for reporting this issue, could you please provide more detail about how to reproduce this problem?
>>
>> I have read the pdf file.
>>
>> On the first picture, you set the database name to `test?`; in fact the `?` will not be accepted, we will throw an exception when the database name contains `?`. Which DS version are you using?
>>
>> On the second picture, I cannot reproduce this problem by using the code below:
>> ```
>> String url = "jdbc:mysql://localhost:3306/?%61%6c%6c%6f%77%4c%6f%61%64%4c%6f%63%61%6c%49%6e%66%69%6c%65=true&user=fileread_/etc/passwd#&allowLoadLocalInfile=false&autoDeserialize=false&allowLocalInfile=false&allowUrlInLocalInfile=false";
>> DriverManager.getConnection(url, "root", "root@123");
>> ```
>>
>> Am I missing something?
>>
>> I use mysql 8.0.29, mysql-connector-java 8.0.28.
>>
>> And I have searched some docs about this issue and find the key point is that a user can skip the check of `allowLoadLocalInfile` by encoding this word, so if we decode the input param and check whether `allowLoadLocalInfile` exists, can we solve this problem?
>>
>>
>> On Thu, Nov 23, 2023 at 5:39 PM David Zollo <[email protected]> wrote:
>>
>>> After careful consideration, I agree with what you guys said. I agree with you that we should indeed separate login verification permissions from the dangerous operations that users on the login UI can do. I will apply for a CVE no.
>>> Thank you for correcting me.
>>>
>>> Best Regards
>>>
>>> ---------------
>>> Apache DolphinScheduler PMC Chair & Apache SeaTunnel PMC member
>>> David
>>> Linkedin: https://www.linkedin.com/in/davidzollo
>>> Twitter: @WorkflowEasy
>>> ---------------
>>>
>>> On Thu, Nov 23, 2023 at 1:02 PM kezhenxu94 <[email protected]> wrote:
>>> >
>>> > Hi, it's ridiculous that you consider it not a vulnerability, it's obviously a vulnerability that needs to be taken seriously.
>>> >
>>> > MySQL providing such a feature doesn't mean it's safe all the time; the typical usages of MySQL are backend servers where developers compose and hardcode the connection string carefully, but in DolphinScheduler the connection string can be provided by users, and potentially malicious users.
>>> >
>>> > Also, authentication is different from authorization: an authenticated user can't necessarily do everything in the system, they can only get access to what is allowed according to the authorization. In other words, an authenticated user can submit scheduling jobs, but they should not be allowed to read the file `/etc/passwd`, which in turn allows them to log into the machine, etc.
>>> >
>>> > I urge you to take the report seriously and not ignore this; I believe it's a critical vulnerability.
>>> >
>>> > > On Nov 3, 2023, at 10:56, David Zollo <[email protected]> wrote:
>>> > >
>>> > > Hi zhiwei,
>>> > >
>>> > > I don't think this is a vulnerability in DolphinScheduler. DS has a login authentication mechanism, and the operation shown in the attachment requires prior login to the system. Internal users might need this MySQL read file operation, as otherwise why would MySQL provide such a feature? In fact, I've never seen any users perform this operation.
>>> > >
>>> > > Best Regards
>>> > >
>>> > > ---------------
>>> > > Apache DolphinScheduler PMC Chair & Apache SeaTunnel PMC member
>>> > > David
>>> > > Linkedin: https://www.linkedin.com/in/davidzollo
>>> > > Twitter: @WorkflowEasy
>>> > > ---------------
>>> > >
>>> > > On Wed, Aug 30, 2023 at 3:13 PM Apache Security Team <[email protected]> wrote:
>>> > >>
>>> > >> Dear PMC,
>>> > >>
>>> > >> The security vulnerability report has been received by the Apache Security Team and is being passed to you for action.
>>> > >>
>>> > >> Please take careful note of the following:
>>> > >> - This information is private and should be treated accordingly. The issue must not be discussed on a public mailing list, it must not be added to a public bug tracker, etc.
>>> > >> - The PMC is responsible for resolving this issue. The security team is here to provide help and advice but the responsibility to do the work lies with the PMC.
>>> > >>
>>> > >> You may find the "ASF Project Security for Committers" [1] a useful reference. This e-mail represents step three of that process. Step 4 should be completed asap.
>>> > >>
>>> > >> Regards,
>>> > >>
>>> > >> [1] http://www.apache.org/security/committers.html
>>> > >>
>>> > >>
>>> > >> ---------- Forwarded message ---------
>>> > >> From: zhiwei lin <[email protected]>
>>> > >> Date: Tue, Aug 29, 2023 at 6:51 PM
>>> > >> Subject: Re: Apache DolphinScheduler has an Arbitrary File Read Vulnerability
>>> > >> To: Apache Security Team <[email protected]>
>>> > >>
>>> > >>
>>> > >> Here is the report
>>> > >>
>>> > >> zhiwei lin <[email protected]> wrote on Wed, Aug 30, 2023 at 00:49:
>>> > >>>
>>> > >>> Hi,
>>> > >>> I hope this email finds you well. I am writing to report a potential security vulnerability that I have discovered in Apache DolphinScheduler's latest version. I believe it is crucial to bring this to your attention promptly to ensure the protection of your sensitive information and the security of your infrastructure.
>>> > >>>
>>> > >>> Snakinya (https://github.com/Snakinya)
>>> > >>>
>>
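The fix that Snakinya and wenjun converge on in the thread above, decoding the URL parameters before checking for `allowLoadLocalInfile`, as an added example that is not DolphinScheduler's own code and not the patch that was eventually applied. The class `JdbcUrlPropertyCheck`, its methods `weakCheck`, `decodedKeys` and `strictCheck`, and the denied-property set are assumptions of this example; the set is populated with the four properties that wenjun's own test URL pins to `false`. The sample URLs are constructed for the demonstration and only reuse the percent-encoded key from the thread.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

/**
 * Added example (not DolphinScheduler code): validate user-supplied JDBC URL
 * properties only after percent-decoding each property key.
 * Requires Java 11+ (Set.of, URLDecoder.decode(String, Charset)).
 */
public final class JdbcUrlPropertyCheck {

    // Connector/J properties that a user-supplied URL must never be able to set.
    // Stored lower-case so that the comparison is case-insensitive (defensive
    // assumption: do not let letter case decide whether a key matches).
    private static final Set<String> DENIED = Set.of(
            "allowloadlocalinfile", "allowlocalinfile",
            "allowurlinlocalinfile", "autodeserialize");

    /** Substring check on the raw URL: the kind of check percent-encoding defeats. */
    public static boolean weakCheck(String url) {
        return !url.contains("allowLoadLocalInfile=true");
    }

    /**
     * Every property key after the first '?', percent-decoded and lower-cased.
     * The text after '#' is scanned too: a URI parser treats it as a fragment,
     * but a validator should look at everything a user wrote rather than guess
     * what the driver will keep (assumption: stricter than the driver).
     */
    public static List<String> decodedKeys(String url) {
        List<String> keys = new ArrayList<>();
        int q = url.indexOf('?');
        if (q < 0) {
            return keys;
        }
        for (String part : url.substring(q + 1).split("[&#]")) {
            if (part.isEmpty()) {
                continue;
            }
            int eq = part.indexOf('=');
            String rawKey = eq < 0 ? part : part.substring(0, eq);
            keys.add(URLDecoder.decode(rawKey, StandardCharsets.UTF_8)
                    .trim().toLowerCase(Locale.ROOT));
        }
        return keys;
    }

    /** Reject the URL if any decoded key is a denied property, whatever its value. */
    public static boolean strictCheck(String url) {
        List<String> keys;
        try {
            keys = decodedKeys(url);
        } catch (IllegalArgumentException malformed) {
            return false; // undecodable escape sequence: refuse rather than guess
        }
        for (String key : keys) {
            if (DENIED.contains(key)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample: the encoded key from the thread, followed by a
        // decoy "allowLoadLocalInfile=false" placed after '#'.
        String encoded = "jdbc:mysql://localhost:3306/test?"
                + "%61%6c%6c%6f%77%4c%6f%61%64%4c%6f%63%61%6c%49%6e%66%69%6c%65=true"
                + "&user=app#&allowLoadLocalInfile=false";
        // Constructed sample: an ordinary URL that should pass.
        String plain = "jdbc:mysql://localhost:3306/test?useSSL=true&characterEncoding=utf8";

        System.out.println("decoded keys: " + decodedKeys(encoded));
        System.out.println("weak check accepts encoded URL:   " + weakCheck(encoded));   // true  (bypassed)
        System.out.println("strict check accepts encoded URL: " + strictCheck(encoded)); // false (rejected)
        System.out.println("strict check accepts plain URL:   " + strictCheck(plain));   // true
    }
}
```

Compile and run with `javac JdbcUrlPropertyCheck.java && java JdbcUrlPropertyCheck`. Two design choices matter here: the check keys on the decoded property name alone rather than on `=true`, because a user should not be able to set these properties at all, so the value is irrelevant; and it compares one decoded key at a time instead of searching the whole URL for a literal, so the encoded form and the plain form are treated identically. A malformed escape sequence is a rejection, not a pass, since a validator that throws or skips on bad input is just another bypass.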
