From 9560905a60b885d0dc41ff506a244342989398e7 Mon Sep 17 00:00:00 2001
From: Le1a <97610822+Le1a@users.noreply.github.com>
Date: Wed, 4 Sep 2024 14:47:36 +0800
Subject: [PATCH] Add security check for jdbc url in SecurityUtils.java (#5164)

* Add security check for jdbc url in SecurityUtils.java

* Update SecurityUtils.java

* Update SecurityUtils.java
---
 .../linkis/common/utils/SecurityUtils.java | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java b/linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java
index af163a6494..c08d16b529 100644
--- a/linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java
+++ b/linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java
@@ -79,6 +79,9 @@ public abstract class SecurityUtils {
 
   private static final String JDBC_MYSQL_PROTOCOL = "jdbc:mysql";
 
+  private static final String BLACKLIST_REGEX =
+      "autodeserialize|allowloadlocalinfile|allowurlinlocalinfile|allowloadlocalinfileinpath";
+
   /**
    * check mysql connection params
    *
@@ -118,6 +121,10 @@ public static void checkJdbcConnParams(
 
     // 3. Check params. Mainly vulnerability parameters. Note the url encoding
     checkParams(extraParams);
+
+    // 4. Check url security, especially for the possibility of malicious characters appearing on
+    // the host
+    checkUrlIsSafe(url);
   }
 
   /** @param url */
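Review bot: BLACKLIST_REGEX is only consumed through `Pattern.compile(BLACKLIST_REGEX)` inside checkUrlIsSafe in the later hunk, so the pattern is recompiled on every call; keep the compiled form as the constant instead, `private static final Pattern BLACKLIST_PATTERN = Pattern.compile("autodeserialize|allowloadlocalinfile|allowurlinlocalinfile|allowloadlocalinfileinpath");`, and use `BLACKLIST_PATTERN.matcher(lowercaseURL)` there. Java alternation is ordered, so `allowloadlocalinfile` wins over the longer `allowloadlocalinfileinpath` and the keyword reported in the exception message is truncated for that input; listing the longer name first fixes the message (detection itself is unaffected). A one-line comment above the constant saying why these property names are rejected, as far as their names indicate (client-side local-file loading and deserialization switches), would tell the next maintainer what belongs on this list.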
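Review bot: The comment on the added call says it targets "malicious characters appearing on the host", but checkUrlIsSafe (in the later hunk) matches blacklisted property names anywhere in the string, so the comment describes something narrower than what runs; suggest `// 4. Reject blacklisted connection properties anywhere in the raw url (host part included)`. Because the whole url is scanned, this step also re-covers the extraParams already handled by step 3, which is harmless but worth stating in the comment so nobody removes it as duplicate. checkJdbcConnParams starts outside this hunk.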
@@ -283,6 +290,35 @@ private static void checkParams(Map paramsMap) {
     }
   }
 
+  /**
+   * check url is safe
+   *
+   * @param url
+   */
+  public static void checkUrlIsSafe(String url) {
+    try {
+      String lowercaseURL = url.toLowerCase();
+
+      Pattern pattern = Pattern.compile(BLACKLIST_REGEX);
+      Matcher matcher = pattern.matcher(lowercaseURL);
+
+      StringBuilder foundKeywords = new StringBuilder();
+      while (matcher.find()) {
+        if (foundKeywords.length() > 0) {
+          foundKeywords.append(", ");
+        }
+        foundKeywords.append(matcher.group());
+      }
+
+      if (foundKeywords.length() > 0) {
+        throw new LinkisSecurityException(
+            35000, "url contains blacklisted characters: " + foundKeywords);
+      }
+    } catch (Exception e) {
+      throw new LinkisSecurityException(35000, "error occurred during url security check: " + e);
+    }
+  }
+
   private static Map parseMysqlUrlParamsToMap(String paramsUrl) {
     if (StringUtils.isBlank(paramsUrl)) {
       return new LinkedHashMap<>();
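Review bot: The `catch (Exception e)` at the end of checkUrlIsSafe also catches the LinkisSecurityException thrown inside the try when a keyword is found, so the caller gets a second exception whose message is "error occurred during url security check: " plus the stringified first one, with the original neither attached as a cause nor reported cleanly. The only other statement in the try that can throw is `url.toLowerCase()` on a null url, so an explicit null check replaces the catch-all, and the fold should be `url.toLowerCase(Locale.ROOT)` (needs `import java.util.Locale;`) because under some default locales the case mapping yields characters the regex does not match, silently skipping a keyword. The Javadoc `@param url` is empty; describe it as the full jdbc url to scan and add `@throws LinkisSecurityException if url is null or contains a blacklisted keyword`.
```java
  public static void checkUrlIsSafe(String url) {
    if (url == null) {
      throw new LinkisSecurityException(35000, "url must not be null");
    }
    // Locale.ROOT keeps the case fold independent of the JVM default locale
    String lowercaseURL = url.toLowerCase(Locale.ROOT);
    // … unchanged: Pattern/Matcher setup and the while loop collecting foundKeywords …
    if (foundKeywords.length() > 0) {
      throw new LinkisSecurityException(
          35000, "url contains blacklisted characters: " + foundKeywords);
    }
  }
```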