deal with url encode (#4113)
aiceflower authored Jan 12, 2023
1 parent a652276 commit 8e804ff
Showing 2 changed files with 43 additions and 0 deletions.
Expand Up @@ -23,6 +23,8 @@

import org.apache.commons.lang3.StringUtils;

import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
Expand Down Expand Up @@ -93,6 +95,12 @@ public static String checkJdbcSecurity(String url) {
if (StringUtils.isBlank(url)) {
throw new LinkisSecurityException(35000, "Invalid mysql connection cul, url is empty");
}
// deal with url encode
try {
url = URLDecoder.decode(url, "UTF-8");
} catch (UnsupportedEncodingException e) {
throw new LinkisSecurityException(35000, "mysql connection cul decode error: " + e);
}
if (url.endsWith(QUESTION_MARK) || !url.contains(QUESTION_MARK)) {
logger.info("checkJdbcSecurity target url: {}", url);
return url;
Expand Down Expand Up @@ -126,6 +134,18 @@ public static Map<String, Object> checkJdbcSecurity(Map<String, Object> paramsMa
return paramsMap;
}

// deal with url encode
String paramUrl = parseParamsMapToMysqlParamUrl(paramsMap);
try {
paramUrl = URLDecoder.decode(paramUrl, "UTF-8");
} catch (UnsupportedEncodingException e) {
throw new LinkisSecurityException(35000, "mysql connection cul decode error: " + e);
}

Map<String, Object> newParamsMap = parseMysqlUrlParamsToMap(paramUrl);
paramsMap.clear();
paramsMap.putAll(newParamsMap);

Iterator<Map.Entry<String, Object>> iterator = paramsMap.entrySet().iterator();
while (iterator.hasNext()) {
Map.Entry<String, Object> entry = iterator.next();
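Review bot: The new decode blocks in both overloads catch only `UnsupportedEncodingException`, which the constant "UTF-8" can never raise, while the exception `URLDecoder.decode` does throw for malformed input such as a trailing `%` or a non-hex pair is `IllegalArgumentException`; such input therefore escapes as the wrong exception type instead of the `LinkisSecurityException` every other rejection uses, and `catch (UnsupportedEncodingException | IllegalArgumentException e)` would close that gap. `URLDecoder` is a form decoder, so a literal `+` in a parameter value (for example a `serverTimezone=GMT+8` setting) becomes a space; since the decoded `url` is what the String overload returns and the decoded map is what replaces `paramsMap` via `clear()`/`putAll()`, that alteration reaches every caller, not just the check. The decode also runs exactly once, so if the consuming driver percent-decodes parameter names again (not verified here) a doubly-encoded name would pass; a comment such as `// Validate the single-decoded form; the result must not be decoded again downstream` would record that assumption. The new messages repeat the `cul` typo for `url`. Both checkJdbcSecurity bodies extend beyond the hunks shown.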
Expand Up @@ -91,6 +91,15 @@ public void testCheckJdbcSecurityUrl() throws Exception {
SecurityUtils.checkJdbcSecurity(atomUrl.get());
});

// url encode
url = "jdbc:mysql://127.0.0.1:10000/db_name?allowLocalInfil%65=true";
atomUrl.set(url);
Assertions.assertThrows(
LinkisSecurityException.class,
() -> {
SecurityUtils.checkJdbcSecurity(atomUrl.get());
});

// value is not security
url = "jdbc:mysql://127.0.0.1:10000/db_name?p1=allowLocalInfile";
atomUrl.set(url);
Expand All @@ -117,6 +126,11 @@ public void testCheckJdbcSecurityParamsMap() throws Exception {
Map<String, Object> newMap = SecurityUtils.checkJdbcSecurity(paramsMap);
Assertions.assertEquals("v1", newMap.get("p1"));

// key not security
paramsMap.put("allowLocalInfil%67", "true");
SecurityUtils.checkJdbcSecurity(paramsMap);
Assertions.assertEquals("true", newMap.get("allowLocalInfilg"));

// key not security
paramsMap.put("allowLocalInfile", "false");
Assertions.assertThrows(
Expand All @@ -134,6 +148,15 @@ public void testCheckJdbcSecurityParamsMap() throws Exception {
SecurityUtils.checkJdbcSecurity(paramsMap);
});

// value not security
paramsMap.clear();
paramsMap.put("p1", "allowLocalInfil%65");
Assertions.assertThrows(
LinkisSecurityException.class,
() -> {
SecurityUtils.checkJdbcSecurity(paramsMap);
});

// contains #
paramsMap.clear();
paramsMap.put("p1#", "v1");
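Review bot: The comment `// key not security` above the `allowLocalInfil%67` case is misleading, because that case asserts the encoded key is accepted once it decodes to `allowLocalInfilg`, which is not the blocked name, and the same comment then introduces the genuinely rejected `allowLocalInfile` case; the first should read `// encoded key that decodes to a harmless name is accepted`. The assertion in that case reads `newMap`, the return value of the earlier call, rather than the result of the second `checkJdbcSecurity(paramsMap)` call, so it passes only because the method appears to mutate and return the same map instance; capturing the second call's return value makes the test independent of that aliasing. None of the new cases covers a malformed percent sequence (a trailing `%` or a non-hex pair) or a literal `+` in a value, both of which the new decode path treats differently from the previous behaviour, so they merit assertions of their own. The enclosing test methods start outside the hunks shown.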
