[Hotfix] Fix arbitrary file readvulnerability on mysql jdbc(starrocks…

…/tidb) link apache/security-site@5a193b7
apache · Jun 12, 2024 · 3768a38 · 3768a38
1 parent 4a37ebf
commit 3768a38
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 12 deletions.
diff --git a/...org/apache/seatunnel/datasource/plugin/starrocks/jdbc/StarRocksJdbcDataSourceChannel.java b/...org/apache/seatunnel/datasource/plugin/starrocks/jdbc/StarRocksJdbcDataSourceChannel.java
@@ -36,6 +36,7 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+import java.util.Properties;
 
 import static com.google.common.base.Preconditions.checkNotNull;
 
@@ -169,11 +170,15 @@ private Connection getConnection(Map<String, String> requestParams, String datab
         String url =
                 JdbcUtils.replaceDatabase(
                         requestParams.get(StarRocksOptionRule.URL.key()), databaseName);
+
+        Properties info = new java.util.Properties();
+        info.put("autoDeserialize", "false");
+        info.put("allowLoadLocalInfile", "false");
+        info.put("allowLoadLocalInfileInPath", "");
         if (requestParams.containsKey(StarRocksOptionRule.USER.key())) {
-            String username = requestParams.get(StarRocksOptionRule.USER.key());
-            String password = requestParams.get(StarRocksOptionRule.PASSWORD.key());
-            return DriverManager.getConnection(url, username, password);
+            info.put("user", requestParams.get(StarRocksOptionRule.USER.key()));
+            info.put("password", requestParams.get(StarRocksOptionRule.PASSWORD.key()));
         }
-        return DriverManager.getConnection(url);
+        return DriverManager.getConnection(url, info);
     }
 }
diff --git a/...main/java/org/apache/seatunnel/datasource/plugin/tidb/jdbc/TidbJdbcDataSourceChannel.java b/...main/java/org/apache/seatunnel/datasource/plugin/tidb/jdbc/TidbJdbcDataSourceChannel.java
@@ -36,6 +36,7 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Map;
+import java.util.Properties;
 import java.util.function.Function;
 import java.util.stream.Collectors;
 
@@ -176,11 +177,14 @@ private Connection getConnection(Map<String, String> requestParams, String datab
         String url =
                 JdbcUtils.replaceDatabase(
                         requestParams.get(TidbOptionRule.URL.key()), databaseName);
+        Properties info = new java.util.Properties();
+        info.put("autoDeserialize", "false");
+        info.put("allowLoadLocalInfile", "false");
+        info.put("allowLoadLocalInfileInPath", "");
         if (requestParams.containsKey(TidbOptionRule.USER.key())) {
-            String username = requestParams.get(TidbOptionRule.USER.key());
-            String password = requestParams.get(TidbOptionRule.PASSWORD.key());
-            return DriverManager.getConnection(url, username, password);
+            info.put("user", requestParams.get(TidbOptionRule.USER.key()));
+            info.put("password", requestParams.get(TidbOptionRule.PASSWORD.key()));
         }
-        return DriverManager.getConnection(url);
+        return DriverManager.getConnection(url, info);
     }
 }
diff --git a/...ocks/src/main/java/org/apache/seatunnel/datasource/plugin/starrocks/StarRocksCatalog.java b/...ocks/src/main/java/org/apache/seatunnel/datasource/plugin/starrocks/StarRocksCatalog.java
@@ -39,6 +39,7 @@
 import java.util.HashSet;
 import java.util.List;
 import java.util.Optional;
+import java.util.Properties;
 import java.util.Set;
 
 import static com.google.common.base.Preconditions.checkArgument;
@@ -79,7 +80,7 @@ public StarRocksCatalog(String catalogName, String username, String pwd, String
 
     public List<String> listDatabases() throws CatalogException {
         List<String> databases = new ArrayList<>();
-        try (Connection conn = DriverManager.getConnection(defaultUrl, username, pwd);
+        try (Connection conn = getConnection(defaultUrl);
                 PreparedStatement ps = conn.prepareStatement("SHOW DATABASES;");
                 ResultSet rs = ps.executeQuery(); ) {
 
@@ -103,7 +104,7 @@ public List<String> listTables(String databaseName)
             throw new DatabaseNotExistException(this.catalogName, databaseName);
         }
 
-        try (Connection conn = DriverManager.getConnection(baseUrl + databaseName, username, pwd);
+        try (Connection conn = getConnection(baseUrl + databaseName);
                 PreparedStatement ps = conn.prepareStatement("SHOW TABLES;");
                 ResultSet rs = ps.executeQuery()) {
 
@@ -127,7 +128,7 @@ public List<TableField> getTable(TablePath tablePath)
         }
 
         String dbUrl = baseUrl + tablePath.getDatabaseName();
-        try (Connection conn = DriverManager.getConnection(dbUrl, username, pwd);
+        try (Connection conn = getConnection(dbUrl);
                 PreparedStatement statement =
                         conn.prepareStatement(
                                 String.format(
@@ -178,7 +179,7 @@ public static String splitDefaultUrl(String defaultUrl) {
     protected Optional<PrimaryKey> getPrimaryKey(String schema, String table) throws SQLException {
 
         List<String> pkFields = new ArrayList<>();
-        try (Connection conn = DriverManager.getConnection(defaultUrl, username, pwd);
+        try (Connection conn = getConnection(defaultUrl);
                 PreparedStatement statement =
                         conn.prepareStatement(
                                 String.format(
@@ -222,4 +223,14 @@ public boolean tableExists(TablePath tablePath) throws CatalogException {
             return false;
         }
     }
+
+    protected Connection getConnection(String url) throws SQLException {
+        Properties info = new java.util.Properties();
+        info.put("autoDeserialize", "false");
+        info.put("allowLoadLocalInfile", "false");
+        info.put("allowLoadLocalInfileInPath", "");
+        info.put("user", username);
+        info.put("password", pwd);
+        return DriverManager.getConnection(url, info);
+    }
 }