Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Fix] add black key for switch task #15680

Merged
merged 4 commits into from Mar 18, 2024
Merged

[Fix] add black key for switch task #15680

merged 4 commits into from Mar 18, 2024

Conversation

caishunfeng
Copy link
Contributor

Purpose of the pull request

  • add some black keys for switch task

Brief change log

  • SwitchTaskUtils

Verify this pull request

  • Added UT to verify the change.

@caishunfeng caishunfeng self-assigned this Mar 7, 2024
@caishunfeng caishunfeng added bug Something isn't working backend and removed backend labels Mar 7, 2024
zhongjiajie
zhongjiajie reviewed Mar 7, 2024
View reviewed changes
...er-master/src/main/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtils.java
".",
"()",
"[",
"]",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we get the final exec command in user input? such as we can convert below code

var a = Java.type("ja" + "va.lang.Runtime");
var b = a.getRuntime();
b.exec(${cmd})

to

var a = Java.type("ja" + "va.lang.Runtime");
var b = a.getRuntime();
Java.type("ja" + "va.lang.Runtime").getRuntime().exec(${cmd})

If we can do it, I think that would be easier to check

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's hard to convert because the code are executed in js engine.

@zhongjiajie
Copy link
Member

Is it hard to cover all types inject via block list, I think

@caishunfeng
Copy link
Contributor Author

Is it hard to cover all types inject via block list, I think

You mean whitelist?

@EricGao888
Copy link
Member

Is it hard to cover all types inject via block list, I think

If attackers try to inject code, I think it is hardly possible for them to bypass using ().[].

rickchengx
rickchengx approved these changes Mar 8, 2024
View reviewed changes
Copy link
Contributor

@rickchengx rickchengx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@caishunfeng caishunfeng changed the title [Fix] add black key for switch task [WIP][Fix] add black key for switch task Mar 9, 2024
@caishunfeng
Copy link
Contributor Author

caishunfeng commented Mar 9, 2024
edited

Maybe it's better to add the black keys in common config? WDYT? @zhongjiajie @EricGao888

@zhongjiajie
Copy link
Member

Is it hard to cover all types inject via block list, I think

If attackers try to inject code, I think it is hardly possible for them to bypass using ().[].

Can they use encode and decode libs to bypass?

@codecov-commenter
Copy link

codecov-commenter commented Mar 12, 2024
edited

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 39.09%. Comparing base (faa794c) to head (336ea34).

❗ Current head 336ea34 differs from pull request most recent head cd39586. Consider uploading reports for the commit cd39586 to get more accurate results

Additional details and impacted files 
@@            Coverage Diff            @@
##                dev   #15680   +/-   ##
=========================================
  Coverage     39.09%   39.09%           
  Complexity     4851     4851           
=========================================
  Files          1316     1316           
  Lines         44963    44963           
  Branches       4810     4810           
=========================================
  Hits          17579    17579           
  Misses        25485    25485           
  Partials       1899     1899

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@EricGao888
Copy link
Member

Maybe it's better to add the black keys in common config? WDYT? @zhongjiajie @EricGao888

I think current solution in this PR (hard-coded black key) is good enough. If we make the black keys configurable, we also need to add comments above the config to warn users of this risk.

@caishunfeng
Copy link
Contributor Author

Maybe it's better to add the black keys in common config? WDYT? @zhongjiajie @EricGao888

I think current solution in this PR (hard-coded black key) is good enough. If we make the black keys configurable, we also need to add comments above the config to warn users of this risk.

OK

@caishunfeng caishunfeng changed the title [WIP][Fix] add black key for switch task [Fix] add black key for switch task Mar 18, 2024
@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Mar 18, 2024

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
0.0% Duplication on New Code

See analysis details on SonarCloud

@EricGao888 EricGao888 merged commit 4a255fd into apache:dev Mar 18, 2024
56 checks passed
@caishunfeng caishunfeng mentioned this pull request Mar 20, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@zhongjiajie zhongjiajie zhongjiajie left review comments

@EricGao888 EricGao888 EricGao888 approved these changes

@rickchengx rickchengx rickchengx approved these changes

@SbloodyS SbloodyS Awaiting requested review from SbloodyS SbloodyS is a code owner

@ruanwenjun ruanwenjun Awaiting requested review from ruanwenjun ruanwenjun is a code owner

Assignees

@caishunfeng caishunfeng

Labels
backend bug Something isn't working ready-to-merge
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@caishunfeng @zhongjiajie @EricGao888 @codecov-commenter @rickchengx @fuchanghai