[BUG] Adding JVM monitoring in the monitoring center reports an error when a correct JMX protocol URL is entered #4144

@zhaoguangqin

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

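Based on the latest version, 1.8.0.
When adding a JVM monitor, in the advanced settings, I add a JMX connection and click the Test button, and the following error is reported: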

2026-05-25 17:26:30 [1000000000-jvm-basic-0566] ERROR org.apache.hertzbeat.collector.dispatch.MetricsCollect - [Metrics PreCheck]: Potentially unsafe JNDI protocol detected in URL: rmi:.
java.lang.IllegalArgumentException: Potentially unsafe JNDI protocol detected in URL: rmi:
	at org.apache.hertzbeat.collector.collect.jmx.JmxCollectImpl.validateJmxUrl(JmxCollectImpl.java:121)
	at org.apache.hertzbeat.collector.collect.jmx.JmxCollectImpl.preCheck(JmxCollectImpl.java:96)
	at org.apache.hertzbeat.collector.dispatch.MetricsCollect.run(MetricsCollect.java:201)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
	at java.base/java.lang.Thread.run(Thread.java:1583)

The error is traced to the following lines of code:
https://github.com/apache/hertzbeat/blob/master/hertzbeat-collector/hertzbeat-collector-basic/src/main/java/org/apache/hertzbeat/collector/collect/jmx/JmxCollectImpl.java

If the input parameter is: service:jmx:rmi:///jndi/rmi://192.168.1.3:9999/jmxrmi

    private void validateJmxUrl(String url) throws IllegalArgumentException {
        // Only allow service:jmx:rmi protocol
        Assert.isTrue(url.startsWith("service:jmx:rmi:"), "Only service:jmx:rmi protocol is supported");

        String[] disallowedPatterns = { "ldap:", "rmi:", "iiop:", "nis:", "dns:", "corbaname:", "http:", "https:" };
        for (String pattern : disallowedPatterns) {
            if (url.contains(pattern) && !pattern.equals("rmi:///jndi/rmi:")) {
                throw new IllegalArgumentException("Potentially unsafe JNDI protocol detected in URL: " + pattern);
            }
        }

        // Check for suspicious patterns
        if (url.contains("${") || url.contains("$[") || url.contains(":#") || url.contains(":/")) {
            throw new IllegalArgumentException("Potentially malicious pattern detected in JMX URL");
        }
    }

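It loops over the disallowedPatterns array, and during the loop it checks that the element is not equal to "rmi:///jndi/rmi:", so this line of code is bound to throw an exception.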

Expected Behavior

No response

Steps To Reproduce

No response

Environment

HertzBeat version(s):

Debug logs

No response

Anything else?

No response
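
An allow-list alternative to the deny-list check quoted in the issue, added here as an example; it is not HertzBeat's code or the project's fix. It assumes the only JNDI target the collector needs is an RMI registry written as host[:port]/name (IPv6 literals are not handled); the class name, the regular expression and the example.invalid sample URLs are constructed for illustration.

```java
import java.net.MalformedURLException;
import java.util.List;
import java.util.regex.Pattern;
import javax.management.remote.JMXServiceURL;

public class JmxUrlAllowList {
    // Assumption: the only accepted JNDI target is an RMI registry at host[:port]/name.
    private static final String JNDI_RMI_PREFIX = "/jndi/rmi://";
    private static final Pattern REGISTRY_TARGET =
            Pattern.compile("[A-Za-z0-9.-]+(:[0-9]{1,5})?/[A-Za-z0-9_.-]+");

    static void validate(String url) {
        final JMXServiceURL parsed;
        try {
            // Parse first, so the checks below run on URL components, not substrings.
            parsed = new JMXServiceURL(url);
        } catch (MalformedURLException e) {
            throw new IllegalArgumentException("Not a JMX service URL", e);
        }
        if (!"rmi".equals(parsed.getProtocol())) {
            throw new IllegalArgumentException("Only service:jmx:rmi is supported");
        }
        String path = parsed.getURLPath();
        if (!path.startsWith(JNDI_RMI_PREFIX)) {
            throw new IllegalArgumentException("Only a /jndi/rmi:// lookup is allowed");
        }
        // Everything after the prefix must be a plain host[:port]/name.
        String target = path.substring(JNDI_RMI_PREFIX.length());
        if (!REGISTRY_TARGET.matcher(target).matches()) {
            throw new IllegalArgumentException("Unexpected characters in registry target");
        }
    }

    public static void main(String[] args) {
        List<String> samples = List.of(
                "service:jmx:rmi:///jndi/rmi://192.168.1.3:9999/jmxrmi",            // URL from the issue
                "service:jmx:rmi:///jndi/ldap://host.example.invalid/obj",           // constructed
                "service:jmx:rmi:///jndi/rmi://host.example.invalid:9999/${x}",      // constructed
                "service:jmx:iiop:///jndi/rmi://host.example.invalid:9999/jmxrmi");  // constructed
        for (String s : samples) {
            try {
                validate(s);
                System.out.println("accepted: " + s);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Matching parsed components avoids substring tests on the whole URL: `contains("rmi:")` matches the `service:jmx:rmi:` prefix that the quoted method itself requires, and `contains(":/")` matches the reported URL as well.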

Metadata

Labels

bug (Something isn't working)

Projects

Status

Done
