Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Improvement] add alert script path check #15752

Merged
merged 1 commit into from Mar 21, 2024
Merged

[Improvement] add alert script path check #15752

merged 1 commit into from Mar 21, 2024

Conversation

caishunfeng
Copy link
Contributor

Purpose of the pull request

  • add alert script path check.

Brief change log

  • dolphinscheduler-alert/dolphinscheduler-alert-plugins/dolphinscheduler-alert-script/src/main/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSender.java

Verify this pull request

  • Added UT to verify the change.

@caishunfeng caishunfeng self-assigned this Mar 21, 2024
@caishunfeng caishunfeng added improvement make more easy to user or prompt friendly 3.2.2 labels Mar 21, 2024
EricGao888
EricGao888 reviewed Mar 21, 2024
View reviewed changes
...alert-script/src/main/java/org/apache/dolphinscheduler/plugin/alert/script/ScriptSender.java
@@ -69,6 +69,11 @@ private AlertResult executeShellScript(String title, String content) {
alertResult.setMessage("shell script not support windows os");
return alertResult;
}
if (!scriptPath.endsWith(".sh")) {
alertResult.setMessage("shell script is invalid, only support .sh file");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it possible for users to put something like reboot in the script?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, but it seems we can't limit user custom script content. If add a blacklist, it is easy to miss some keys.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In that case, we have to deprecate this plugin in the future. I think users tend to deploy a centralized alert server, which is different from worker and makes the alert server more vulnerable.

@EricGao888
Copy link
Member

@caishunfeng @ruanwenjun @SbloodyS What about we deprecate alert script plugin?

@EricGao888
Copy link
Member

@caishunfeng @ruanwenjun @SbloodyS What about we deprecate alert script plugin?

Not necessarily in next release, maybe sometime in the future.

@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Mar 21, 2024

Quality Gate Passed Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@caishunfeng
Copy link
Contributor Author

@caishunfeng @ruanwenjun @SbloodyS What about we deprecate alert script plugin?

LGTM, user can add their own plugins if needed.

@EricGao888 EricGao888 merged commit f7358c3 into apache:dev Mar 21, 2024
60 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@EricGao888 EricGao888 EricGao888 approved these changes

Assignees

@caishunfeng caishunfeng

Labels
3.2.2 backend document improvement make more easy to user or prompt friendly ready-to-merge
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@caishunfeng @EricGao888