deal with url encode (#4113)

apache · Jan 12, 2023 · 8e804ff · 8e804ff
1 parent a652276
commit 8e804ff
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 0 deletions.
diff --git a/linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java b/linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java
@@ -23,6 +23,8 @@
 
 import org.apache.commons.lang3.StringUtils;
 
+import java.io.UnsupportedEncodingException;
+import java.net.URLDecoder;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.LinkedHashMap;
@@ -93,6 +95,12 @@ public static String checkJdbcSecurity(String url) {
  if (StringUtils.isBlank(url)) {
  throw new LinkisSecurityException(35000, "Invalid mysql connection cul, url is empty");
  }
+ // deal with url encode
+ try {
+ url = URLDecoder.decode(url, "UTF-8");
+ } catch (UnsupportedEncodingException e) {
+ throw new LinkisSecurityException(35000, "mysql connection cul decode error: " + e);
+ }
  if (url.endsWith(QUESTION_MARK) || !url.contains(QUESTION_MARK)) {
  logger.info("checkJdbcSecurity target url: {}", url);
  return url;
@@ -126,6 +134,18 @@ public static Map<String, Object> checkJdbcSecurity(Map<String, Object> paramsMa
  return paramsMap;
  }
 
+ // deal with url encode
+ String paramUrl = parseParamsMapToMysqlParamUrl(paramsMap);
+ try {
+ paramUrl = URLDecoder.decode(paramUrl, "UTF-8");
+ } catch (UnsupportedEncodingException e) {
+ throw new LinkisSecurityException(35000, "mysql connection cul decode error: " + e);
+ }
+
+ Map<String, Object> newParamsMap = parseMysqlUrlParamsToMap(paramUrl);
+ paramsMap.clear();
+ paramsMap.putAll(newParamsMap);
+
  Iterator<Map.Entry<String, Object>> iterator = paramsMap.entrySet().iterator();
  while (iterator.hasNext()) {
  Map.Entry<String, Object> entry = iterator.next();

diff --git a/...commons/linkis-common/src/test/java/org/apache/linkis/common/utils/SecurityUtilsTest.java b/...commons/linkis-common/src/test/java/org/apache/linkis/common/utils/SecurityUtilsTest.java
@@ -91,6 +91,15 @@ public void testCheckJdbcSecurityUrl() throws Exception {
  SecurityUtils.checkJdbcSecurity(atomUrl.get());
  });
 
+ // url encode
+ url = "jdbc:mysql://127.0.0.1:10000/db_name?allowLocalInfil%65=true";
+ atomUrl.set(url);
+ Assertions.assertThrows(
+ LinkisSecurityException.class,
+ () -> {
+ SecurityUtils.checkJdbcSecurity(atomUrl.get());
+ });
+
  // value is not security
  url = "jdbc:mysql://127.0.0.1:10000/db_name?p1=allowLocalInfile";
  atomUrl.set(url);
@@ -117,6 +126,11 @@ public void testCheckJdbcSecurityParamsMap() throws Exception {
  Map<String, Object> newMap = SecurityUtils.checkJdbcSecurity(paramsMap);
  Assertions.assertEquals("v1", newMap.get("p1"));
 
+ // key not security
+ paramsMap.put("allowLocalInfil%67", "true");
+ SecurityUtils.checkJdbcSecurity(paramsMap);
+ Assertions.assertEquals("true", newMap.get("allowLocalInfilg"));
+
  // key not security
  paramsMap.put("allowLocalInfile", "false");
  Assertions.assertThrows(
@@ -134,6 +148,15 @@ public void testCheckJdbcSecurityParamsMap() throws Exception {
  SecurityUtils.checkJdbcSecurity(paramsMap);
  });
 
+ // value not security
+ paramsMap.clear();
+ paramsMap.put("p1", "allowLocalInfil%65");
+ Assertions.assertThrows(
+ LinkisSecurityException.class,
+ () -> {
+ SecurityUtils.checkJdbcSecurity(paramsMap);
+ });
+
  // contains #
  paramsMap.clear();
  paramsMap.put("p1#", "v1");