This is an automated email from the ASF dual-hosted git repository.

wanghailin pushed a commit to branch main-fix-starrocks
in repository https://gitbox.apache.org/repos/asf/seatunnel-web.git

commit 3768a388920f988c19daf450408aedb1d7757060
Author: hailin0 <wanghai...@apache.org>
AuthorDate: Wed Jun 12 14:22:44 2024 +0800

    [Hotfix] Fix arbitrary file read vulnerability on mysql jdbc (starrocks/tidb)
    
    link 
https://github.com/apache/security-site/commit/5a193b7e29dc616d019784ca9fbf1671f3f0b4d2
---
 .../jdbc/StarRocksJdbcDataSourceChannel.java          | 13 +++++++++----
 .../plugin/tidb/jdbc/TidbJdbcDataSourceChannel.java   | 12 ++++++++----
 .../datasource/plugin/starrocks/StarRocksCatalog.java | 19 +++++++++++++++----
 3 files changed, 32 insertions(+), 12 deletions(-)

diff --git 
a/seatunnel-datasource/seatunnel-datasource-plugins/datasource-jdbc-starrocks/src/main/java/org/apache/seatunnel/datasource/plugin/starrocks/jdbc/StarRocksJdbcDataSourceChannel.java
 
b/seatunnel-datasource/seatunnel-datasource-plugins/datasource-jdbc-starrocks/src/main/java/org/apache/seatunnel/datasource/plugin/starrocks/jdbc/StarRocksJdbcDataSourceChannel.java
index 27165338..b8b8f5e5 100644
--- 
a/seatunnel-datasource/seatunnel-datasource-plugins/datasource-jdbc-starrocks/src/main/java/org/apache/seatunnel/datasource/plugin/starrocks/jdbc/StarRocksJdbcDataSourceChannel.java
+++ 
b/seatunnel-datasource/seatunnel-datasource-plugins/datasource-jdbc-starrocks/src/main/java/org/apache/seatunnel/datasource/plugin/starrocks/jdbc/StarRocksJdbcDataSourceChannel.java
@@ -36,6 +36,7 @@ import java.sql.SQLException;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+import java.util.Properties;
 
 import static com.google.common.base.Preconditions.checkNotNull;
 
@@ -169,11 +170,15 @@ public class StarRocksJdbcDataSourceChannel implements 
DataSourceChannel {
         String url =
                 JdbcUtils.replaceDatabase(
                         requestParams.get(StarRocksOptionRule.URL.key()), 
databaseName);
+
+        Properties info = new java.util.Properties();
+        info.put("autoDeserialize", "false");
+        info.put("allowLoadLocalInfile", "false");
+        info.put("allowLoadLocalInfileInPath", "");
         if (requestParams.containsKey(StarRocksOptionRule.USER.key())) {
-            String username = 
requestParams.get(StarRocksOptionRule.USER.key());
-            String password = 
requestParams.get(StarRocksOptionRule.PASSWORD.key());
-            return DriverManager.getConnection(url, username, password);
+            info.put("user", 
requestParams.get(StarRocksOptionRule.USER.key()));
+            info.put("password", 
requestParams.get(StarRocksOptionRule.PASSWORD.key()));
         }
-        return DriverManager.getConnection(url);
+        return DriverManager.getConnection(url, info);
     }
 }
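Review bot: `info.put("password", requestParams.get(StarRocksOptionRule.PASSWORD.key()))` throws a NullPointerException when USER is present but PASSWORD is absent, because `Properties` is a `Hashtable` and rejects null values, whereas the replaced `DriverManager.getConnection(url, username, password)` tolerated a null password (DriverManager only copies non-null credentials into its property set). Guard it: `String password = requestParams.get(StarRocksOptionRule.PASSWORD.key()); if (password != null) { info.put("password", password); }`. Since `url` also comes from `requestParams`, whether the `Properties` argument beats a conflicting `?allowLoadLocalInfile=true` query parameter is driver-version dependent (Connector/J 8.x documents that passed-in properties override the connection string; older 5.1.x drivers, as far as I recall, let the URL win), so unless the driver version is pinned, consider additionally rejecting a URL whose query string carries `autoDeserialize`, `allowLoadLocalInfile`, `allowLoadLocalInfileInPath` or `allowUrlInLocalInfile`. Minor: `Properties` is now imported, so `new java.util.Properties()` can be `new Properties()`. The enclosing method's signature is above the hunk.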
diff --git 
a/seatunnel-datasource/seatunnel-datasource-plugins/datasource-jdbc-tidb/src/main/java/org/apache/seatunnel/datasource/plugin/tidb/jdbc/TidbJdbcDataSourceChannel.java
 
b/seatunnel-datasource/seatunnel-datasource-plugins/datasource-jdbc-tidb/src/main/java/org/apache/seatunnel/datasource/plugin/tidb/jdbc/TidbJdbcDataSourceChannel.java
index 90f92937..59a09ee9 100644
--- 
a/seatunnel-datasource/seatunnel-datasource-plugins/datasource-jdbc-tidb/src/main/java/org/apache/seatunnel/datasource/plugin/tidb/jdbc/TidbJdbcDataSourceChannel.java
+++ 
b/seatunnel-datasource/seatunnel-datasource-plugins/datasource-jdbc-tidb/src/main/java/org/apache/seatunnel/datasource/plugin/tidb/jdbc/TidbJdbcDataSourceChannel.java
@@ -36,6 +36,7 @@ import java.sql.SQLException;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+import java.util.Properties;
 import java.util.function.Function;
 import java.util.stream.Collectors;
 
@@ -176,11 +177,14 @@ public class TidbJdbcDataSourceChannel implements 
DataSourceChannel {
         String url =
                 JdbcUtils.replaceDatabase(
                         requestParams.get(TidbOptionRule.URL.key()), 
databaseName);
+        Properties info = new java.util.Properties();
+        info.put("autoDeserialize", "false");
+        info.put("allowLoadLocalInfile", "false");
+        info.put("allowLoadLocalInfileInPath", "");
         if (requestParams.containsKey(TidbOptionRule.USER.key())) {
-            String username = requestParams.get(TidbOptionRule.USER.key());
-            String password = requestParams.get(TidbOptionRule.PASSWORD.key());
-            return DriverManager.getConnection(url, username, password);
+            info.put("user", requestParams.get(TidbOptionRule.USER.key()));
+            info.put("password", 
requestParams.get(TidbOptionRule.PASSWORD.key()));
         }
-        return DriverManager.getConnection(url);
+        return DriverManager.getConnection(url, info);
     }
 }
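Review bot: The same null hazard as in the StarRocks channel applies here: `info.put("password", requestParams.get(TidbOptionRule.PASSWORD.key()))` will throw a NullPointerException if PASSWORD is missing from `requestParams` while USER is present, which the previous three-argument `DriverManager.getConnection` call did not do. Wrap it as `String password = requestParams.get(TidbOptionRule.PASSWORD.key()); if (password != null) { info.put("password", password); }`. Because `url` is user-supplied, I would also add a comment above the `Properties` block stating the assumption this fix rests on, e.g. `// These keys must win over anything in the user-supplied URL; Connector/J 8.x gives the Properties argument precedence — verify for the bundled driver version.`, and ideally reject URLs that set these keys explicitly. The enclosing method's signature is above the hunk.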
diff --git 
a/seatunnel-datasource/seatunnel-datasource-plugins/datasource-starrocks/src/main/java/org/apache/seatunnel/datasource/plugin/starrocks/StarRocksCatalog.java
 
b/seatunnel-datasource/seatunnel-datasource-plugins/datasource-starrocks/src/main/java/org/apache/seatunnel/datasource/plugin/starrocks/StarRocksCatalog.java
index 4acc43e6..14a1e1b4 100644
--- 
a/seatunnel-datasource/seatunnel-datasource-plugins/datasource-starrocks/src/main/java/org/apache/seatunnel/datasource/plugin/starrocks/StarRocksCatalog.java
+++ 
b/seatunnel-datasource/seatunnel-datasource-plugins/datasource-starrocks/src/main/java/org/apache/seatunnel/datasource/plugin/starrocks/StarRocksCatalog.java
@@ -39,6 +39,7 @@ import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Optional;
+import java.util.Properties;
 import java.util.Set;
 
 import static com.google.common.base.Preconditions.checkArgument;
@@ -79,7 +80,7 @@ public class StarRocksCatalog {
 
     public List<String> listDatabases() throws CatalogException {
         List<String> databases = new ArrayList<>();
-        try (Connection conn = DriverManager.getConnection(defaultUrl, 
username, pwd);
+        try (Connection conn = getConnection(defaultUrl);
                 PreparedStatement ps = conn.prepareStatement("SHOW 
DATABASES;");
                 ResultSet rs = ps.executeQuery(); ) {
 
@@ -103,7 +104,7 @@ public class StarRocksCatalog {
             throw new DatabaseNotExistException(this.catalogName, 
databaseName);
         }
 
-        try (Connection conn = DriverManager.getConnection(baseUrl + 
databaseName, username, pwd);
+        try (Connection conn = getConnection(baseUrl + databaseName);
                 PreparedStatement ps = conn.prepareStatement("SHOW TABLES;");
                 ResultSet rs = ps.executeQuery()) {
 
@@ -127,7 +128,7 @@ public class StarRocksCatalog {
         }
 
         String dbUrl = baseUrl + tablePath.getDatabaseName();
-        try (Connection conn = DriverManager.getConnection(dbUrl, username, 
pwd);
+        try (Connection conn = getConnection(dbUrl);
                 PreparedStatement statement =
                         conn.prepareStatement(
                                 String.format(
@@ -178,7 +179,7 @@ public class StarRocksCatalog {
     protected Optional<PrimaryKey> getPrimaryKey(String schema, String table) 
throws SQLException {
 
         List<String> pkFields = new ArrayList<>();
-        try (Connection conn = DriverManager.getConnection(defaultUrl, 
username, pwd);
+        try (Connection conn = getConnection(defaultUrl);
                 PreparedStatement statement =
                         conn.prepareStatement(
                                 String.format(
@@ -222,4 +223,14 @@ public class StarRocksCatalog {
             return false;
         }
     }
+
+    protected Connection getConnection(String url) throws SQLException {
+        Properties info = new java.util.Properties();
+        info.put("autoDeserialize", "false");
+        info.put("allowLoadLocalInfile", "false");
+        info.put("allowLoadLocalInfileInPath", "");
+        info.put("user", username);
+        info.put("password", pwd);
+        return DriverManager.getConnection(url, info);
+    }
 }
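Review bot: `info.put("user", username)` and `info.put("password", pwd)` in the new `getConnection` throw a NullPointerException if either field is null (`Properties` disallows null values), while the four `DriverManager.getConnection(url, username, pwd)` calls this method replaces accepted nulls; I cannot see how `username`/`pwd` are initialised, so if a catalog without credentials is a supported configuration this is a regression. Guard both: `if (username != null) { info.put("user", username); } if (pwd != null) { info.put("password", pwd); }`. The method also lacks any explanation of why these three keys are forced; a header comment such as `/** Opens a JDBC connection with client-side file access and BLOB auto-deserialization disabled, so a hostile or misconfigured server cannot read local files via LOAD DATA LOCAL INFILE or trigger Java deserialization; these settings are intended to override anything in the URL. */` would help the next maintainer, and since the identical property block now appears in three files, a shared helper would keep them from drifting apart. Being `protected` and overridable, the method can be bypassed by a subclass; if that is not intended, consider making it `final`.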
