This is an automated email from the ASF dual-hosted git repository.

wanghailin pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/seatunnel-web.git


The following commit(s) were added to refs/heads/main by this push:
     new ee307730 [Hotfix] Fix arbitrary file read vulnerability on mysql jdbc 
(#166)
ee307730 is described below

commit ee3077305695c42b145130b7cb6546fe2616256b
Author: hailin0 <wanghai...@apache.org>
AuthorDate: Wed Jun 12 13:44:30 2024 +0800

    [Hotfix] Fix arbitrary file readvulnerability on mysql jdbc (#166)
    
    * [Hotfix] Fix arbitrary file read vulnerability on mysql jdbc
    
    link
    
https://github.com/apache/security-site/commit/5a193b7e29dc616d019784ca9fbf1671f3f0b4d2
    
    * fix
---
 .../plugin/mysql/jdbc/MysqlJdbcDataSourceChannel.java       | 13 +++++++++----
 tools/dependencies/known-dependencies.txt                   |  1 +
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git 
a/seatunnel-datasource/seatunnel-datasource-plugins/datasource-jdbc-mysql/src/main/java/org/apache/seatunnel/datasource/plugin/mysql/jdbc/MysqlJdbcDataSourceChannel.java
 
b/seatunnel-datasource/seatunnel-datasource-plugins/datasource-jdbc-mysql/src/main/java/org/apache/seatunnel/datasource/plugin/mysql/jdbc/MysqlJdbcDataSourceChannel.java
index 78a7f62e..24e863b2 100644
--- 
a/seatunnel-datasource/seatunnel-datasource-plugins/datasource-jdbc-mysql/src/main/java/org/apache/seatunnel/datasource/plugin/mysql/jdbc/MysqlJdbcDataSourceChannel.java
+++ 
b/seatunnel-datasource/seatunnel-datasource-plugins/datasource-jdbc-mysql/src/main/java/org/apache/seatunnel/datasource/plugin/mysql/jdbc/MysqlJdbcDataSourceChannel.java
@@ -36,6 +36,7 @@ import java.sql.SQLException;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+import java.util.Properties;
 import java.util.function.Function;
 import java.util.stream.Collectors;
 
@@ -187,11 +188,15 @@ public class MysqlJdbcDataSourceChannel implements 
DataSourceChannel {
         String url =
                 JdbcUtils.replaceDatabase(
                         requestParams.get(MysqlOptionRule.URL.key()), 
databaseName);
+
+        Properties info = new java.util.Properties();
+        info.put("autoDeserialize", "false");
+        info.put("allowLoadLocalInfile", "false");
+        info.put("allowLoadLocalInfileInPath", "");
         if (requestParams.containsKey(MysqlOptionRule.USER.key())) {
-            String username = requestParams.get(MysqlOptionRule.USER.key());
-            String password = 
requestParams.get(MysqlOptionRule.PASSWORD.key());
-            return DriverManager.getConnection(url, username, password);
+            info.put("user", requestParams.get(MysqlOptionRule.USER.key()));
+            info.put("password", 
requestParams.get(MysqlOptionRule.PASSWORD.key()));
         }
-        return DriverManager.getConnection(url);
+        return DriverManager.getConnection(url, info);
     }
 }
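Review bot: The hardening keys set via `info.put(...)` can be contradicted by the same keys inside the user-supplied URL read from `requestParams`, and which side wins is driver-version dependent (as far as I recall, Connector/J 8 lets the Properties object override URL parameters while 5.1 lets the URL win), so confirm the driver version in use or validate the URL so it carries none of `allowLoadLocalInfile`, `allowLoadLocalInfileInPath`, `allowUrlInLocalInfile` or `autoDeserialize` before it reaches `DriverManager.getConnection`. Consider also pinning `info.put("allowUrlInLocalInfile", "false");` next to the other three. Minor style point: with `import java.util.Properties;` added in the earlier hunk, `new java.util.Properties()` can simply be `Properties info = new Properties();`. A short why-comment above the block, e.g. `// Pin client-side LOAD DATA LOCAL / deserialization options so connection parameters cannot enable them`, would tell the next maintainer these values are deliberate. The enclosing method starts above this hunk, so its signature and any earlier parameter handling are not visible here.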
diff --git a/tools/dependencies/known-dependencies.txt 
b/tools/dependencies/known-dependencies.txt
index af5428be..1387d780 100644
--- a/tools/dependencies/known-dependencies.txt
+++ b/tools/dependencies/known-dependencies.txt
@@ -5,6 +5,7 @@ commons-collections4-4.4.jar
 commons-codec-1.13.jar
 commons-io-2.11.0.jar
 config-1.3.3.jar
+db2jcc-db2jcc4.jar
 gson-2.8.6.jar
 guava-19.0.jar
 hibernate-validator-6.2.2.Final.jar
