
Commit ef9ed3d

caishunfengrickchengxEricGao888
authored
fix switch js (#15487)
Co-authored-by: Rick Cheng <[email protected]> Co-authored-by: Eric Gao <[email protected]>
1 parent 8efaa9f commit ef9ed3d


2 files changed

+31
-0
lines changed


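--- a/dolphinscheduler-master/src/main/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtils.java
+++ b/dolphinscheduler-master/src/main/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtils.java
@@ -23,6 +23,7 @@
 import org.apache.commons.collections4.MapUtils;
 
 import java.util.Map;
+import java.util.Set;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -33,6 +34,7 @@
 import lombok.extern.slf4j.Slf4j;
 
 import com.google.common.collect.Maps;
+import com.google.common.collect.Sets;
 
 @Slf4j
 public class SwitchTaskUtils {
@@ -41,6 +43,15 @@ public class SwitchTaskUtils {
     private static final ScriptEngine engine;
     private static final String rgex = "['\"]*\\$\\{(.*?)\\}['\"]*";
 
+    private static final Set<String> blackKeySet = Sets.newHashSet(
+            "java",
+            "invoke",
+            "new",
+            "eval",
+            "function",
+            "import",
+            "\\\\");
+
     static {
         manager = new ScriptEngineManager();
         engine = manager.getEngineByName("js");
@@ -83,6 +94,12 @@ public static String generateContentWithTaskParams(String condition, Map<String,
             content = content.replace("${" + paramName + "}", value);
         }
 
+        for (String blackKey : blackKeySet) {
+            if (content.contains(blackKey)) {
+                throw new IllegalArgumentException("condition is not valid, please check it. condition: " + condition);
+            }
+        }
+
         // if not replace any params, throw exception to avoid illegal condition
         if (originContent.equals(content)) {
             throw new IllegalArgumentException("condition is not valid, please check it. condition: " + condition);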
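Review bot: The last denylist entry at new line 53, `"\\\\"`, is a Java literal for two consecutive backslash characters, so the `content.contains(blackKey)` check at new line 98 only rejects conditions holding `\\` and lets a single-backslash escape such as `\u006a\u0061\u0076\u0061` through — the form a JS engine would presumably decode back into an identifier; unless the condition reaches this method already JSON-escaped (not visible in this hunk), the entry should be `"\\"`. More broadly, a case-sensitive substring denylist in front of a general-purpose script engine is a weak control — any unlisted global, or an identifier assembled by string concatenation at runtime, is not matched — so this should be documented as defence in depth rather than the fix. The durable control is to deny Java class access when the engine is created in the static block (new lines 56–58), for example via the engine's class-filter hook if the `js` engine supports one, or to replace free-form JS with a parsed allowlist grammar for switch conditions. I would also add a comment above `blackKeySet`, e.g. `// Best-effort denylist applied to the substituted condition; does not replace engine-level sandboxing.` `generateContentWithTaskParams` starts and ends outside this hunk.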

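--- a/dolphinscheduler-master/src/test/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtilsTest.java
+++ b/dolphinscheduler-master/src/test/java/org/apache/dolphinscheduler/server/master/utils/SwitchTaskUtilsTest.java
@@ -52,5 +52,19 @@ public void testIllegalCondition() {
         Assertions.assertThrowsExactly(IllegalArgumentException.class, () -> {
             SwitchTaskUtils.generateContentWithTaskParams(content, globalParams, varParams);
         });
+
+        String cmd = "bash /tmp/shell";
+        String cmdContent = "java.lang.Runtime.getRuntime().exec(\"${cmd}\")";
+        globalParams.put("cmd", new Property("cmd", Direct.IN, DataType.VARCHAR, cmd));
+        Assertions.assertThrowsExactly(IllegalArgumentException.class, () -> {
+            SwitchTaskUtils.generateContentWithTaskParams(cmdContent, globalParams, varParams);
+        });
+
+        String contentWithUnicode =
+                "\\\\u006a\\\\u0061\\\\u0076\\\\u0061\\\\u002e\\\\u006c\\\\u0061\\\\u006e\\\\u0067\\\\u002e\\\\u0052\\\\u0075\\\\u006e\\\\u0074\\\\u0069\\\\u006d\\\\u0065.getRuntime().exec(\\\"open -a Calculator.app\\";
+        Assertions.assertThrowsExactly(IllegalArgumentException.class, () -> {
+            SwitchTaskUtils.generateContentWithTaskParams(contentWithUnicode, globalParams, varParams);
+        });
+
     }
 }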
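Review bot: `contentWithUnicode` at new line 64 is written with doubled backslashes, so at runtime it holds `\\u006a…` and is rejected by the `\\` denylist entry rather than by anything that understands a real JS escape; the case worth asserting is the single-backslash form a script engine would presumably decode, `"\\u006a\\u0061\\u0076\\u0061.lang.Runtime.getRuntime().exec(\"id\")"` in Java source, which as far as I can see from the committed denylist would currently pass the filter and so would document the remaining gap. The `cmdContent` case at new line 57 is caught only by the literal lowercase `java` prefix, so it does not show that an obfuscated or mixed-case reference is rejected; a concatenated or `Java`-capitalised variant would be a stronger regression test. `testIllegalCondition` starts outside this hunk.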
