This is an automated email from the ASF dual-hosted git repository.

healchow pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/inlong.git


The following commit(s) were added to refs/heads/master by this push:
     new 0c2e9fe83 [INLONG-5881][Manager] Fix the vulnerability for the MySQL 
JDBC URL (addendum) (#5893)
0c2e9fe83 is described below

commit 0c2e9fe8376e52c754d9932542014632d326a48a
Author: healchow <healc...@gmail.com>
AuthorDate: Wed Sep 14 20:20:42 2022 +0800

    [INLONG-5881][Manager] Fix the vulnerability for the MySQL JDBC URL 
(addendum) (#5893)
---
 .../manager/pojo/sink/mysql/MySQLSinkDTO.java      | 24 ++++++++--------------
 .../manager/pojo/sink/mysql/MySQLSinkDTOTest.java  | 17 +++++++--------
 2 files changed, 15 insertions(+), 26 deletions(-)

diff --git 
a/inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java
 
b/inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java
index 070456809..e2f206212 100644
--- 
a/inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java
+++ 
b/inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTO.java
@@ -45,13 +45,11 @@ import java.util.Map;
 @AllArgsConstructor
 public class MySQLSinkDTO {
 
-    @VisibleForTesting
-    protected static final char SYMBOL = '&';
     /**
      * The sensitive param may lead the attack.
      */
-    @VisibleForTesting
-    protected static final String SENSITIVE_PARAM = "autoDeserialize=true";
+    private static final String SENSITIVE_PARAM_TRUE = "autoDeserialize=true";
+    private static final String SENSITIVE_PARAM_FALSE = 
"autoDeserialize=false";
     private static final ObjectMapper OBJECT_MAPPER = new ObjectMapper();
     private static final Logger LOGGER = 
LoggerFactory.getLogger(MySQLSinkDTO.class);
 
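Review bot: The Javadoc `The sensitive param may lead the attack.` now sits above two constants and does not say what the parameter does or why it is rewritten rather than stripped, which is the one thing a future maintainer touching this filter needs to know. I would replace it with `/** Connector/J option that makes the driver Java-deserialize BLOB column values; a URL-controlled "true" is rewritten to "false" so a sink URL supplied through the API cannot turn on deserialization of server-provided data. */` and drop the trailing "FALSE" constant's doc to a one-liner saying it is the forced replacement value. The class body continues outside the hunk.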
@@ -181,23 +179,17 @@ public class MySQLSinkDTO {
      */
     @VisibleForTesting
     protected static String filterSensitive(String url) {
-        if (StringUtils.isBlank(url) || !url.contains(SENSITIVE_PARAM)) {
-            LOGGER.info("string was empty or not contains sensitive for [{}]", 
url);
+        if (StringUtils.isBlank(url)) {
             return url;
         }
 
-        String originUrl = url;
-        int index = url.indexOf(SENSITIVE_PARAM);
-        String tmp = SENSITIVE_PARAM;
-        if (index == 0) {
-            tmp = tmp + SYMBOL;
-        } else if (url.charAt(index - 1) == SYMBOL) {
-            tmp = SYMBOL + tmp;
+        String resultUrl = url;
+        if (StringUtils.containsIgnoreCase(url, SENSITIVE_PARAM_TRUE)) {
+            resultUrl = StringUtils.replaceIgnoreCase(url, 
SENSITIVE_PARAM_TRUE, SENSITIVE_PARAM_FALSE);
         }
 
-        url = url.replace(tmp, "");
-        LOGGER.debug("the origin url [{}] was filter to: [{}]", originUrl, 
url);
-        return url;
+        LOGGER.debug("the origin url [{}] was replaced to: [{}]", url, 
resultUrl);
+        return resultUrl;
     }
 
 }
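Review bot: The new filterSensitive still works as a denylist on one literal token, so any spelling the driver accepts but the string compare does not passes through unchanged — for Connector/J 8 that plausibly includes `autoDeserialize=yes`/`on` (its boolean property parser accepts those, as far as I recall) and a percent-encoded key or value such as `autoDeserialize=%74rue`, since the connection-URL parser decodes properties; please confirm against the driver version bundled with the manager. Related file-access options (`allowLoadLocalInfile`, `allowUrlInLocalInfile`) are not covered at all, and the replace also runs on the whole string rather than on parameters, so a match inside the host/credential part would be rewritten too. I would parse the query into key/value pairs, decode and case-fold each key, and force every dangerous key to `=false` regardless of its value (or keep an allowlist of permitted keys), leaving the rest of the URL untouched; a sketch follows — it needs `java.net.URLDecoder`, `java.nio.charset.StandardCharsets` and `java.util.*` imports, and the `decode(String, Charset)` overload is Java 10+ (use the String overload plus a try/catch on Java 8).
```java
    /** Keys (lower-cased, decoded) whose value is always forced to "false". */
    private static final Set<String> FORCED_FALSE_KEYS = new HashSet<>(Arrays.asList(
            "autodeserialize", "allowloadlocalinfile", "allowurlinlocalinfile"));

    @VisibleForTesting
    protected static String filterSensitive(String url) {
        if (StringUtils.isBlank(url)) {
            return url;
        }
        // Only the query part carries driver properties; leave host/credentials untouched.
        int qmark = url.indexOf('?');
        String prefix = qmark < 0 ? "" : url.substring(0, qmark + 1);
        String query = qmark < 0 ? url : url.substring(qmark + 1);
        String[] pairs = query.split("&", -1);
        StringBuilder rebuilt = new StringBuilder(prefix);
        for (int i = 0; i < pairs.length; i++) {
            if (i > 0) {
                rebuilt.append('&');
            }
            int eq = pairs[i].indexOf('=');
            String key = eq < 0 ? pairs[i] : pairs[i].substring(0, eq);
            // Decode and case-fold so %61utoDeserialize / AUTODESERIALIZE are recognised.
            String normalizedKey = URLDecoder.decode(key, StandardCharsets.UTF_8)
                    .trim().toLowerCase(Locale.ROOT);
            if (FORCED_FALSE_KEYS.contains(normalizedKey)) {
                rebuilt.append(key).append("=false");
            } else {
                rebuilt.append(pairs[i]);
            }
        }
        LOGGER.debug("the origin url [{}] was replaced to: [{}]", url, rebuilt);
        return rebuilt.toString();
    }
```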
diff --git 
a/inlong-manager/manager-pojo/src/test/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTOTest.java
 
b/inlong-manager/manager-pojo/src/test/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTOTest.java
index fabd6842d..82d6129b4 100644
--- 
a/inlong-manager/manager-pojo/src/test/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTOTest.java
+++ 
b/inlong-manager/manager-pojo/src/test/java/org/apache/inlong/manager/pojo/sink/mysql/MySQLSinkDTOTest.java
@@ -20,28 +20,25 @@ package org.apache.inlong.manager.pojo.sink.mysql;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Test;
 
-import static 
org.apache.inlong.manager.pojo.sink.mysql.MySQLSinkDTO.SENSITIVE_PARAM;
-import static org.apache.inlong.manager.pojo.sink.mysql.MySQLSinkDTO.SYMBOL;
-
 /**
  * Test for {@link MySQLSinkDTO}
  */
 public class MySQLSinkDTOTest {
 
     @Test
-    public void testFilterOther() {
+    public void testFilterSensitive() {
         // the sensitive params at the first
-        String originUrl = MySQLSinkDTO.filterSensitive(SENSITIVE_PARAM + 
SYMBOL + "autoReconnect=true");
-        Assertions.assertEquals("autoReconnect=true", originUrl);
+        String originUrl = 
MySQLSinkDTO.filterSensitive("autoDeserialize=TRue&autoReconnect=true");
+        Assertions.assertEquals("autoDeserialize=false&autoReconnect=true", 
originUrl);
 
         // the sensitive params at the end
-        originUrl = MySQLSinkDTO.filterSensitive("autoReconnect=true" + SYMBOL 
+ SENSITIVE_PARAM);
-        Assertions.assertEquals("autoReconnect=true", originUrl);
+        originUrl = 
MySQLSinkDTO.filterSensitive("autoReconnect=true&autoDeserialize=trUE");
+        Assertions.assertEquals("autoReconnect=true&autoDeserialize=false", 
originUrl);
 
         // the sensitive params in the middle
         originUrl = MySQLSinkDTO.filterSensitive(
-                "useSSL=false" + SYMBOL + SENSITIVE_PARAM + SYMBOL + 
"autoReconnect=true");
-        Assertions.assertEquals("useSSL=false" + SYMBOL + 
"autoReconnect=true", originUrl);
+                "useSSL=false&autoDeserialize=TRUE&autoReconnect=true");
+        
Assertions.assertEquals("useSSL=false&autoDeserialize=false&autoReconnect=true",
 originUrl);
     }
 
 }
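Review bot: All three cases in testFilterSensitive vary only the letter case of `true`, so the test cannot catch the bypasses the filter is meant to close; none of them pins an encoded key or value, a `yes`/`on` spelling, or a URL whose query follows a `?host` part. I would add negative assertions such as `Assertions.assertFalse(MySQLSinkDTO.filterSensitive("autoDeserialize=%74rue").contains("%74rue"));` and `Assertions.assertEquals("autoDeserialize=false", MySQLSinkDTO.filterSensitive("AUTODESERIALIZE=yes"));` — these fail against the current implementation, which is the point — plus the two trivial contracts `Assertions.assertNull(MySQLSinkDTO.filterSensitive(null));` and an unchanged-URL case with no sensitive key. Whether `yes`/`on` and percent-decoding apply depends on the bundled Connector/J version and should be confirmed before the expectations are fixed.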
