Add security check for jdbc url in SecurityUtils.java
Le1a authored Sep 3, 2024
1 parent 5a5a95f commit 49a48f0
Showing 1 changed file with 33 additions and 0 deletions.
Expand Up @@ -79,6 +79,8 @@ public abstract class SecurityUtils {

private static final String JDBC_MYSQL_PROTOCOL = "jdbc:mysql";

private static final String BLACKLIST_REGEX = "autodeserialize|allowloadlocalinfile|allowurlinlocalinfile|allowloadlocalinfileinpath";

/**
* check mysql connection params
*
Expand Down Expand Up @@ -118,6 +120,9 @@ public static void checkJdbcConnParams(

// 3. Check params. Mainly vulnerability parameters. Note the url encoding
checkParams(extraParams);

// 4. Check url security, especially for the possibility of malicious characters appearing on the host
checkUrlIsSafe(url);
}

/** @param url */
Expand Down Expand Up @@ -282,6 +287,34 @@ private static void checkParams(Map<String, Object> paramsMap) {
}
}
}

/**
* check url is safe
*
* @param url
*/
public static void checkUrlIsSafe(String url) {
try {
String lowercaseURL = url.toLowerCase();

Pattern pattern = Pattern.compile(BLACKLIST_REGEX);
Matcher matcher = pattern.matcher(lowercaseURL);

StringBuilder foundKeywords = new StringBuilder();
while (matcher.find()) {
if (foundKeywords.length() > 0) {
foundKeywords.append(", ");
}
foundKeywords.append(matcher.group());
}

if (foundKeywords.length() > 0) {
throw new LinkisSecurityException(35000, "url contains blacklisted characters: " + foundKeywords);
}
} catch (Exception e) {
throw new LinkisSecurityException(35000, "error occurred during url security check: " + e);
}
}

private static Map<String, Object> parseMysqlUrlParamsToMap(String paramsUrl) {
if (StringUtils.isBlank(paramsUrl)) {
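Review bot: The `catch (Exception e)` in checkUrlIsSafe also catches the LinkisSecurityException thrown a few lines above it, so the caller only ever sees "error occurred during url security check: ..." with the blacklisted-keyword message buried inside the stringified exception, and the original is attached as text rather than as a cause. A dedicated `catch (LinkisSecurityException e) { throw e; }` placed before the generic handler keeps the specific rejection intact. In the same method, `url.toLowerCase()` uses the default locale, and in locales with special casing of `I` the lowered string no longer contains "infile", so the keywords would not match; `toLowerCase(Locale.ROOT)` (needs `java.util.Locale`, whose import is outside this hunk) makes the comparison locale-independent. The Pattern is also recompiled on every call and can be hoisted to a `private static final` next to BLACKLIST_REGEX; the `@param url` Javadoc line should say what is checked, e.g. `@param url the full jdbc url, rejected if it contains any blacklisted keyword (case-insensitive)`.
```java
private static final Pattern BLACKLIST_PATTERN = Pattern.compile(BLACKLIST_REGEX);

public static void checkUrlIsSafe(String url) {
    try {
        // Locale.ROOT so locale-specific casing rules cannot change the keyword bytes
        String lowercaseURL = url.toLowerCase(Locale.ROOT);
        Matcher matcher = BLACKLIST_PATTERN.matcher(lowercaseURL);
        // … unchanged: collect matches into foundKeywords and throw when non-empty …
    } catch (LinkisSecurityException e) {
        // keep the specific rejection message instead of rewrapping it below
        throw e;
    } catch (Exception e) {
        throw new LinkisSecurityException(35000, "error occurred during url security check: " + e);
    }
}
```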
