
fix switch js (#15487)
Co-authored-by: Rick Cheng <rickchengx@gmail.com>
Co-authored-by: Eric Gao <ericgao.apache@gmail.com>
(cherry picked from commit ef9ed3d)
caishunfeng authored and zhongjiajie committed Feb 6, 2024
1 parent acb1e0a commit ca93aa8
Showing 2 changed files with 31 additions and 0 deletions.
Expand Up @@ -23,6 +23,7 @@
import org.apache.commons.collections4.MapUtils;

import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

Expand All @@ -33,6 +34,7 @@
import lombok.extern.slf4j.Slf4j;

import com.google.common.collect.Maps;
import com.google.common.collect.Sets;

@Slf4j
public class SwitchTaskUtils {
Expand All @@ -41,6 +43,15 @@ public class SwitchTaskUtils {
private static final ScriptEngine engine;
private static final String rgex = "['\"]*\\$\\{(.*?)\\}['\"]*";

private static final Set<String> blackKeySet = Sets.newHashSet(
"java",
"invoke",
"new",
"eval",
"function",
"import",
"\\\\");

static {
manager = new ScriptEngineManager();
engine = manager.getEngineByName("js");
Expand Down Expand Up @@ -83,6 +94,12 @@ public static String generateContentWithTaskParams(String condition, Map<String,
content = content.replace("${" + paramName + "}", value);
}

for (String blackKey : blackKeySet) {
if (content.contains(blackKey)) {
throw new IllegalArgumentException("condition is not valid, please check it. condition: " + condition);
}
}

// if not replace any params, throw exception to avoid illegal condition
if (originContent.equals(content)) {
throw new IllegalArgumentException("condition is not valid, please check it. condition: " + condition);
Expand Down
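Review bot: The deny-list entry `"\\\\"` on the last line of blackKeySet is the two-character string `\\`, so `content.contains(blackKey)` in the new loop only fires on a doubled backslash, while a single `\uXXXX` escape (which JS accepts inside identifiers, e.g. `\u006a\u0061\u0076\u0061.lang.Runtime`) passes the loop untouched — the unicode test case added in this commit also uses doubled backslashes, so it does not exercise that form. Substring matching additionally rejects legitimate conditions such as `${state} == "renewed"` or any value containing `important` or `evaluate`, and is case-sensitive, so `Java.type("ja" + "va.lang.Runtime")` would not match `"java"` either. At minimum change the entry to `"\\"` and document the loop as defence in depth, e.g. `// deny-list is a last line of defence; substring match, case-sensitive`; the robust control is to restrict what the engine built in the static block can reach — if `getEngineByName("js")` yields Nashorn here (not confirmable from this page), `NashornScriptEngineFactory.getScriptEngine(ClassFilter)` with a filter that denies every class is the supported way to do that. generateContentWithTaskParams begins and ends outside the hunk.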
Expand Up @@ -52,5 +52,19 @@ public void testIllegalCondition() {
Assertions.assertThrowsExactly(IllegalArgumentException.class, () -> {
SwitchTaskUtils.generateContentWithTaskParams(content, globalParams, varParams);
});

String cmd = "bash /tmp/shell";
String cmdContent = "java.lang.Runtime.getRuntime().exec(\"${cmd}\")";
globalParams.put("cmd", new Property("cmd", Direct.IN, DataType.VARCHAR, cmd));
Assertions.assertThrowsExactly(IllegalArgumentException.class, () -> {
SwitchTaskUtils.generateContentWithTaskParams(cmdContent, globalParams, varParams);
});

String contentWithUnicode =
"\\\\u006a\\\\u0061\\\\u0076\\\\u0061\\\\u002e\\\\u006c\\\\u0061\\\\u006e\\\\u0067\\\\u002e\\\\u0052\\\\u0075\\\\u006e\\\\u0074\\\\u0069\\\\u006d\\\\u0065.getRuntime().exec(\\\"open -a Calculator.app\\";
Assertions.assertThrowsExactly(IllegalArgumentException.class, () -> {
SwitchTaskUtils.generateContentWithTaskParams(contentWithUnicode, globalParams, varParams);
});

}
}
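Review bot: The contentWithUnicode payload encodes each escape as `\\\\u006a`, i.e. two backslashes in the resulting string, which is exactly what the `"\\\\"` deny-list entry matches but is not a form a JS engine decodes as an identifier, so the assertion does not show that a real single-backslash escape is rejected. Add a case built with single backslashes and a substituted parameter so the "no params replaced" guard does not mask the result, e.g. `String singleEscape = "\\u006a\\u0061\\u0076\\u0061.lang.Runtime.getRuntime().exec(\"${cmd}\")";` followed by the same `assertThrowsExactly(IllegalArgumentException.class, ...)` — as far as the visible checks go, that case would currently pass through without an exception. The existing string also has unbalanced parentheses and quotes (`exec(\\\"open -a Calculator.app\\";`), harmless for a substring check but confusing; a comment such as `// payload is deliberately not valid JS; only the deny-list match is under test` would make the intent clear. testIllegalCondition begins outside the hunk.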
