branch-2.1: [Fix](http)Enhanced Security Checks for Audit Log File Names #44612 #44833

Merged
merged 1 commit into from
Dec 2, 2024

@github-actions github-actions bot commented Dec 2, 2024

Cherry-picked from #44612

## Purpose:

To improve the security of audit log files, a new method
checkAuditLogFileName has been added to validate the file name and path
to ensure they meet security requirements. This method is designed to
prevent invalid file names and path traversal attacks, ensuring that
only files within the designated directory can be accessed.

### Changes:

#### File Name Validation:

A regular expression check has been added to validate the file name:
^[a-zA-Z0-9._-]+$, restricting the file name to letters, numbers, dots,
underscores, and hyphens.

If the file name contains invalid characters (e.g., spaces, path
traversal characters), a SecurityException is thrown with the message
“Invalid file name.”

#### Path Validation:

The file name is resolved into a normalized path, and it is checked to
ensure that it is within the allowed directory.

The path is constructed using
Paths.get(Config.audit_log_dir).resolve(logFile).normalize(). If the
path does not start with the specified audit log directory
(Config.audit_log_dir), indicating an attempt to access outside the
permitted directory (e.g., a path traversal attack), a SecurityException
is thrown with the message “Invalid file path: Access outside of
permitted directory.”
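
The two checks described in the comment above, sketched in Java as an added example; this is not the Apache Doris source. The class name `AuditLogNameCheck`, the `auditLogDir` parameter (standing in for `Config.audit_log_dir`), the null guard and the sample inputs are assumptions made for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

// Added illustration, not the project's code. Names here are hypothetical.
public class AuditLogNameCheck {
    // Allow-list quoted in the PR description.
    private static final Pattern SAFE_NAME = Pattern.compile("^[a-zA-Z0-9._-]+$");

    static Path check(String auditLogDir, String logFile) {
        // Check 1: only letters, digits, dots, underscores and hyphens.
        // The null guard is an addition; Pattern.matcher(null) would throw.
        if (logFile == null || !SAFE_NAME.matcher(logFile).matches()) {
            throw new SecurityException("Invalid file name.");
        }
        // Check 2: resolve against the base directory, normalize, and confirm
        // containment. The base is normalized too (an addition here) so both
        // sides are compared in the same form. Path.startsWith compares whole
        // path elements, not string prefixes.
        Path base = Paths.get(auditLogDir).normalize();
        Path resolved = base.resolve(logFile).normalize();
        if (!resolved.startsWith(base)) {
            throw new SecurityException(
                    "Invalid file path: Access outside of permitted directory.");
        }
        return resolved;
    }

    static String outcome(String dir, String name) {
        try {
            return "accepted -> " + check(dir, name);
        } catch (SecurityException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        String dir = "/var/log/doris/audit"; // constructed sample directory
        // Constructed sample names. ".." consists only of allowed characters,
        // so it passes check 1 and is stopped by check 2.
        String[] names = {"fe.audit.log", "fe audit.log", "../fe.conf", ".."};
        for (String name : names) {
            System.out.println("[" + name + "] " + outcome(dir, name));
        }
    }
}
```

The `..` case shows why the path containment check is kept alongside the character allow-list: a name made only of permitted characters can still normalize to a location above the base directory.
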
@doris-robot

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

  1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
  2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
  3. What features were added. Why was this function added?
  4. Which code was refactored and why was this part of the code refactored?
  5. Which functions were optimized and what is the difference before and after the optimization?

@dataroaring dataroaring closed this Dec 2, 2024
@dataroaring dataroaring reopened this Dec 2, 2024
@doris-robot

run buildall

@yiguolei yiguolei merged commit 54e2249 into branch-2.1 Dec 2, 2024
18 of 19 checks passed
@github-actions github-actions bot deleted the auto-pick-44612-branch-2.1 branch December 2, 2024 06:56