Merge branch 'dev' into patch-snake-yaml-load

dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/enums/Status.java

@@ -323,6 +323,8 @@ public enum Status {
 
     REMOVE_TASK_INSTANCE_CACHE_ERROR(20019, "remove task instance cache error", "删除任务实例缓存错误"),
 
+    ILLEGAL_RESOURCE_PATH(20020, "Resource file [{0}] is illegal", "非法的资源路径[{0}]"),
+
     USER_NO_OPERATION_PERM(30001, "user has no operation privilege", "当前用户没有操作权限"),
     USER_NO_OPERATION_PROJECT_PERM(30002, "user {0} is not has project {1} permission", "当前用户[{0}]没有[{1}]项目的操作权限"),
     USER_NO_WRITE_PROJECT_PERM(30003, "user [{0}] does not have write permission for project [{1}]",

dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/ResourcesService.java

@@ -194,13 +194,13 @@ Result<Object> updateResourceContent(User loginUser, String fullName, String ten
     org.springframework.core.io.Resource downloadResource(User loginUser, String fullName) throws IOException;
 
     /**
-     * Get resource by given resource type and full name.
+     * Get resource by given resource type and file name.
      * Useful in Python API create task which need processDefinition information.
      *
      * @param userName user who query resource
-     * @param fullName full name of the resource
+     * @param fileName file name of the resource
      */
-    StorageEntity queryFileStatus(String userName, String fullName) throws Exception;
+    StorageEntity queryFileStatus(String userName, String fileName) throws Exception;
 
     /**
      * delete DATA_TRANSFER data in resource center

dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/ProjectParameterServiceImpl.java

@@ -155,6 +155,8 @@ public Result updateProjectParameter(User loginUser, long projectCode, long code
 
         projectParameter.setParamName(projectParameterName);
         projectParameter.setParamValue(projectParameterValue);
+        projectParameter.setUpdateTime(new Date());
+        projectParameter.setOperator(loginUser.getId());
 
         if (projectParameterMapper.updateById(projectParameter) > 0) {
             log.info("Project parameter is updated and id is :{}", projectParameter.getId());

dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/ResourcesServiceImpl.java

@@ -126,6 +126,7 @@ public Result<Object> createDirectory(User loginUser, String name, ResourceType
         }
 
         String tenantCode = getTenantCode(user);
+        checkFullName(tenantCode, currentDir);
 
         String userResRootPath = ResourceType.UDF.equals(type) ? storageOperate.getUdfDir(tenantCode)
                 : storageOperate.getResDir(tenantCode);
@@ -171,6 +172,7 @@ public Result<Object> uploadResource(User loginUser, String name, ResourceType t
         }
 
         String tenantCode = getTenantCode(user);
+        checkFullName(tenantCode, currentDir);
 
         result = verifyFile(name, type, file);
         if (!result.getCode().equals(Status.SUCCESS.getCode())) {
@@ -257,14 +259,15 @@ public Result<Object> updateResource(User loginUser, String resourceFullName, St
         }
 
         String tenantCode = getTenantCode(user);
+        checkFullName(tenantCode, resourceFullName);
 
         if (!isUserTenantValid(isAdmin(loginUser), tenantCode, resTenantCode)) {
             log.error("current user does not have permission");
             putMsg(result, Status.NO_CURRENT_OPERATING_PERMISSION);
             return result;
         }
 
-        String defaultPath = storageOperate.getResDir(tenantCode);
+        String defaultPath = storageOperate.getDir(type, tenantCode);
 
         StorageEntity resource;
         try {
@@ -949,6 +952,7 @@ public Result<Object> createResourceFile(User loginUser, ResourceType type, Stri
         }
 
         String tenantCode = getTenantCode(user);
+        checkFullName(tenantCode, currentDir);
 
         if (FileUtils.directoryTraversal(fileName)) {
             log.warn("File name verify failed, fileName:{}.", RegexUtils.escapeNRT(fileName));
@@ -1280,9 +1284,19 @@ private String getTenantCode(User user) {
     }
 
     private void checkFullName(String userTenantCode, String fullName) {
+        if (StringUtils.isEmpty(fullName)) {
+            return;
+        }
+        if (FOLDER_SEPARATOR.equalsIgnoreCase(fullName)) {
+            return;
+        }
+        // Avoid returning to the parent directory
+        if (fullName.contains("../")) {
+            throw new ServiceException(Status.ILLEGAL_RESOURCE_PATH, fullName);
+        }
         String baseDir = storageOperate.getDir(ResourceType.ALL, userTenantCode);
-        if (StringUtils.isNotBlank(fullName) && !StringUtils.startsWith(fullName, baseDir)) {
-            throw new ServiceException("Resource file: " + fullName + " is illegal");
+        if (!StringUtils.startsWith(fullName, baseDir)) {
+            throw new ServiceException(Status.ILLEGAL_RESOURCE_PATH, fullName);
         }
     }
 }

dolphinscheduler-api/src/test/java/org/apache/dolphinscheduler/api/service/ProjectParameterServiceTest.java

@@ -98,6 +98,9 @@ public void testUpdateProjectParameter() {
         Mockito.when(projectParameterMapper.updateById(Mockito.any())).thenReturn(1);
         result = projectParameterService.updateProjectParameter(loginUser, projectCode, 1, "key1", "value");
         Assertions.assertEquals(Status.SUCCESS.getCode(), result.getCode());
+        ProjectParameter projectParameter = (ProjectParameter) result.getData();
+        Assertions.assertNotNull(projectParameter.getOperator());
+        Assertions.assertNotNull(projectParameter.getUpdateTime());
     }
 
     @Test