From 3768a388920f988c19daf450408aedb1d7757060 Mon Sep 17 00:00:00 2001
From: hailin0
Date: Wed, 12 Jun 2024 14:22:44 +0800
Subject: [PATCH] [Hotfix] Fix arbitrary file readvulnerability on mysql jdbc(starrocks/tidb)
link https://github.com/apache/security-site/commit/5a193b7e29dc616d019784ca9fbf1671f3f0b4d2
---
 .../jdbc/StarRocksJdbcDataSourceChannel.java | 13 +++++++++----
 .../tidb/jdbc/TidbJdbcDataSourceChannel.java | 12 ++++++++----
 .../plugin/starrocks/StarRocksCatalog.java | 19 +++++++++++++++----
 3 files changed, 32 insertions(+), 12 deletions(-)
diff --git a/seatunnel-datasource/seatunnel-datasource-plugins/datasource-jdbc-starrocks/src/main/java/org/apache/seatunnel/datasource/plugin/starrocks/jdbc/StarRocksJdbcDataSourceChannel.java b/seatunnel-datasource/seatunnel-datasource-plugins/datasource-jdbc-starrocks/src/main/java/org/apache/seatunnel/datasource/plugin/starrocks/jdbc/StarRocksJdbcDataSourceChannel.java
index 271653388..b8b8f5e5a 100644
--- a/seatunnel-datasource/seatunnel-datasource-plugins/datasource-jdbc-starrocks/src/main/java/org/apache/seatunnel/datasource/plugin/starrocks/jdbc/StarRocksJdbcDataSourceChannel.java
+++ b/seatunnel-datasource/seatunnel-datasource-plugins/datasource-jdbc-starrocks/src/main/java/org/apache/seatunnel/datasource/plugin/starrocks/jdbc/StarRocksJdbcDataSourceChannel.java
@@ -36,6 +36,7 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+import java.util.Properties;
 import static com.google.common.base.Preconditions.checkNotNull;
@@ -169,11 +170,15 @@ private Connection getConnection(Map requestParams, String datab
  String url = JdbcUtils.replaceDatabase( requestParams.get(StarRocksOptionRule.URL.key()), databaseName);
+
+ Properties info = new java.util.Properties();
+ info.put("autoDeserialize", "false");
+ info.put("allowLoadLocalInfile", "false");
+ info.put("allowLoadLocalInfileInPath", "");
  if (requestParams.containsKey(StarRocksOptionRule.USER.key())) {
- String username = requestParams.get(StarRocksOptionRule.USER.key());
- String password = requestParams.get(StarRocksOptionRule.PASSWORD.key());
- return DriverManager.getConnection(url, username, password);
+ info.put("user", requestParams.get(StarRocksOptionRule.USER.key()));
+ info.put("password", requestParams.get(StarRocksOptionRule.PASSWORD.key()));
  }
- return DriverManager.getConnection(url);
+ return DriverManager.getConnection(url, info);
  }
  }
diff --git a/seatunnel-datasource/seatunnel-datasource-plugins/datasource-jdbc-tidb/src/main/java/org/apache/seatunnel/datasource/plugin/tidb/jdbc/TidbJdbcDataSourceChannel.java b/seatunnel-datasource/seatunnel-datasource-plugins/datasource-jdbc-tidb/src/main/java/org/apache/seatunnel/datasource/plugin/tidb/jdbc/TidbJdbcDataSourceChannel.java
index 90f929370..59a09ee97 100644
--- a/seatunnel-datasource/seatunnel-datasource-plugins/datasource-jdbc-tidb/src/main/java/org/apache/seatunnel/datasource/plugin/tidb/jdbc/TidbJdbcDataSourceChannel.java
+++ b/seatunnel-datasource/seatunnel-datasource-plugins/datasource-jdbc-tidb/src/main/java/org/apache/seatunnel/datasource/plugin/tidb/jdbc/TidbJdbcDataSourceChannel.java
@@ -36,6 +36,7 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+import java.util.Properties;
 import java.util.function.Function;
 import java.util.stream.Collectors;
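Review bot: `info.put("password", requestParams.get(StarRocksOptionRule.PASSWORD.key()))` throws NullPointerException when the request carries a user but no password, because `Properties` is a `Hashtable` and rejects null values, whereas the three-argument `DriverManager.getConnection` it replaces only set the key when the value was non-null. Guard the put, e.g. `String password = requestParams.get(StarRocksOptionRule.PASSWORD.key()); if (password != null) { info.put("password", password); }`. Whether the hardening keys actually beat a caller-supplied URL is driver-dependent: Connector/J 8.x lets the `Properties` argument override URL query parameters, but under the 5.1 line, as far as I recall, the URL query takes precedence, so if that driver can still be on the classpath the URL should be rejected when it already names `allowLoadLocalInfile`, `allowLoadLocalInfileInPath` or `autoDeserialize`. `new java.util.Properties()` can drop the package qualifier now that this patch imports the class. The getConnection signature is outside the hunk.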
@@ -176,11 +177,14 @@ private Connection getConnection(Map requestParams, String datab
  String url = JdbcUtils.replaceDatabase( requestParams.get(TidbOptionRule.URL.key()), databaseName);
+ Properties info = new java.util.Properties();
+ info.put("autoDeserialize", "false");
+ info.put("allowLoadLocalInfile", "false");
+ info.put("allowLoadLocalInfileInPath", "");
  if (requestParams.containsKey(TidbOptionRule.USER.key())) {
- String username = requestParams.get(TidbOptionRule.USER.key());
- String password = requestParams.get(TidbOptionRule.PASSWORD.key());
- return DriverManager.getConnection(url, username, password);
+ info.put("user", requestParams.get(TidbOptionRule.USER.key()));
+ info.put("password", requestParams.get(TidbOptionRule.PASSWORD.key()));
  }
- return DriverManager.getConnection(url);
+ return DriverManager.getConnection(url, info);
  }
  }
diff --git a/seatunnel-datasource/seatunnel-datasource-plugins/datasource-starrocks/src/main/java/org/apache/seatunnel/datasource/plugin/starrocks/StarRocksCatalog.java b/seatunnel-datasource/seatunnel-datasource-plugins/datasource-starrocks/src/main/java/org/apache/seatunnel/datasource/plugin/starrocks/StarRocksCatalog.java
index 4acc43e60..14a1e1b40 100644
--- a/seatunnel-datasource/seatunnel-datasource-plugins/datasource-starrocks/src/main/java/org/apache/seatunnel/datasource/plugin/starrocks/StarRocksCatalog.java
+++ b/seatunnel-datasource/seatunnel-datasource-plugins/datasource-starrocks/src/main/java/org/apache/seatunnel/datasource/plugin/starrocks/StarRocksCatalog.java
@@ -39,6 +39,7 @@
 import java.util.HashSet;
 import java.util.List;
 import java.util.Optional;
+import java.util.Properties;
 import java.util.Set;
 import static com.google.common.base.Preconditions.checkArgument;
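Review bot: The three hardening keys are MySQL Connector/J property names, but `url` comes straight from `requestParams` and `DriverManager.getConnection(url, info)` hands it to whichever registered driver accepts its prefix, so if any other JDBC driver is present on the classpath an attacker-controlled URL sidesteps these settings entirely; assuming TiDB is always reached over the MySQL protocol, as the property names imply, reject anything else first, e.g. `if (!url.startsWith("jdbc:mysql://")) { throw new IllegalArgumentException("only jdbc:mysql URLs are supported"); }`. The same null-value regression as in the StarRocks channel applies: `info.put("password", ...)` throws NullPointerException when no password is configured, where the replaced three-argument `getConnection` silently omitted the key, so wrap that put in a null check. The `info.put` hardening block is now copied into three classes; since both channels already call `JdbcUtils.replaceDatabase`, a shared `JdbcUtils` helper that returns the pre-populated `Properties` would keep the copies from drifting. The getConnection signature lies outside the hunk.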
@@ -79,7 +80,7 @@ public StarRocksCatalog(String catalogName, String username, String pwd, String
  public List listDatabases() throws CatalogException {
  List databases = new ArrayList<>();
- try (Connection conn = DriverManager.getConnection(defaultUrl, username, pwd);
+ try (Connection conn = getConnection(defaultUrl);
  PreparedStatement ps = conn.prepareStatement("SHOW DATABASES;");
  ResultSet rs = ps.executeQuery();
  ) {
@@ -103,7 +104,7 @@ public List listTables(String databaseName)
  throw new DatabaseNotExistException(this.catalogName, databaseName);
  }
- try (Connection conn = DriverManager.getConnection(baseUrl + databaseName, username, pwd);
+ try (Connection conn = getConnection(baseUrl + databaseName);
  PreparedStatement ps = conn.prepareStatement("SHOW TABLES;");
  ResultSet rs = ps.executeQuery()) {
@@ -127,7 +128,7 @@ public List getTable(TablePath tablePath)
  }
  String dbUrl = baseUrl + tablePath.getDatabaseName();
- try (Connection conn = DriverManager.getConnection(dbUrl, username, pwd);
+ try (Connection conn = getConnection(dbUrl);
  PreparedStatement statement = conn.prepareStatement( String.format(
@@ -178,7 +179,7 @@ public static String splitDefaultUrl(String defaultUrl) {
  protected Optional getPrimaryKey(String schema, String table) throws SQLException {
  List pkFields = new ArrayList<>();
- try (Connection conn = DriverManager.getConnection(defaultUrl, username, pwd);
+ try (Connection conn = getConnection(defaultUrl);
  PreparedStatement statement = conn.prepareStatement( String.format(
@@ -222,4 +223,14 @@ public boolean tableExists(TablePath tablePath) throws CatalogException {
  return false;
  }
  }
+
+ protected Connection getConnection(String url) throws SQLException {
+ Properties info = new java.util.Properties();
+ info.put("autoDeserialize", "false");
+ info.put("allowLoadLocalInfile", "false");
+ info.put("allowLoadLocalInfileInPath", "");
+ info.put("user", username);
+ info.put("password", pwd);
+ return DriverManager.getConnection(url, info);
+ }
  }
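Review bot: In the new `getConnection(String url)`, `info.put("user", username)` and `info.put("password", pwd)` are unconditional, so a catalog built with a null user or password now fails with NullPointerException from `Hashtable.put`, while the four `DriverManager.getConnection(url, username, pwd)` calls this helper replaces skipped null values; guard both, `if (username != null) { info.put("user", username); } if (pwd != null) { info.put("password", pwd); }`. The method also lacks any explanation of why those three driver keys are pinned, which the next maintainer will need before "cleaning them up"; a Javadoc along the lines of "Opens a connection with the MySQL driver options that allow a malicious server to read local files or trigger deserialization forced off, regardless of what the URL requests; see the advisory in the commit message" would carry that. Note that overriding URL parameters via the `Properties` argument is Connector/J 8.x behaviour; on the 5.1 line, as far as I recall, URL query parameters win, so the URL should additionally be checked for these keys if that driver can be present. `new java.util.Properties()` can be `new Properties()` now that the import is added in this patch.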