Skip to content

[Improvement] Fix the git url command injection in pytorch task(#15873) #15950

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
SbloodyS merged 10 commits into from
May 9, 2024
Merged

[Improvement] Fix the git url command injection in pytorch task(#15873) #15950

SbloodyS merged 10 commits into from
May 9, 2024

Conversation

@cntigers
Copy link
Contributor

@cntigers cntigers commented May 6, 2024

Purpose of the pull request

fix: 15873

Brief change log

Verify this pull request

This pull request is code cleanup without any test coverage.

(or)

This pull request is already covered by existing tests, such as (please describe tests).

(or)

This change added tests and can be verified as follows:

(or)

If your pull request contain incompatible change, you should also add it to docs/docs/en/guide/upgrede/incompatible.md

@cntigers cntigers changed the title fix the git url command injection(#15873) [Improvement] fix the git url command injection(#15873) May 6, 2024
@wangxj3 wangxj3 added the first time contributor First-time contributor label May 6, 2024
ruanwenjun
ruanwenjun reviewed May 6, 2024
View reviewed changes
...k-pytorch/src/test/java/org/apache/dolphinscheduler/plugin/task/pytorch/PytorchTaskTest.java
Comment on lines +77 to +78
Assertions.assertFalse(GitProjectManager.isGitPath("git@& cat /etc/passwd >/poc.txt #"));
Assertions.assertFalse(GitProjectManager.isGitPath("git@| cat /etc/passwd >/poc.txt #"));
Copy link
Member

@ruanwenjun ruanwenjun May 6, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a positive case which will return true.

Copy link
Contributor Author

@cntigers cntigers May 7, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a positive case which will return true.

Thank you for your reminder. I found that there are already positive test cases during testing @ruanwenjun

exists test cases

Copy link
Member

@ruanwenjun ruanwenjun May 7, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great, please use mvn spotless:apply to format the code style.

Copy link
Contributor Author

@cntigers cntigers May 8, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great, please use mvn spotless:apply to format the code style.

Thank you for your advice,I have already resolved it.

@ruanwenjun ruanwenjun added this to the 3.2.2 milestone May 6, 2024
@ruanwenjun ruanwenjun changed the title [Improvement] fix the git url command injection(#15873) [Improvement] Fix the git url command injection(#15873) May 6, 2024
@ruanwenjun ruanwenjun changed the title [Improvement] Fix the git url command injection(#15873) [Improvement] Fix the git url command injection in pytorch task(#15873) May 6, 2024
@SbloodyS SbloodyS added improvement make more easy to user or prompt friendly 3.2.2 labels May 6, 2024
@cntigers cntigers requested a review from ruanwenjun May 7, 2024 00:59
@codecov-commenter
Copy link

codecov-commenter commented May 8, 2024
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 39.86%. Comparing base (5c569b7) to head (17397ec).

❗ Current head 17397ec differs from pull request most recent head 3990e2c. Consider uploading reports for the commit 3990e2c to get more accurate results

Additional details and impacted files 
@@             Coverage Diff              @@
##                dev   #15950      +/-   ##
============================================
- Coverage     39.93%   39.86%   -0.07%     
+ Complexity     5081     5064      -17     
============================================
  Files          1369     1369              
  Lines         45635    45635              
  Branches       4869     4868       -1     
============================================
- Hits          18224    18193      -31     
- Misses        25513    25544      +31     
  Partials       1898     1898

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

ruanwenjun
ruanwenjun approved these changes May 8, 2024
View reviewed changes
Copy link
Member

@ruanwenjun ruanwenjun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

wangxj3
wangxj3 approved these changes May 8, 2024
View reviewed changes
Copy link
Contributor

@wangxj3 wangxj3 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

rickchengx
rickchengx approved these changes May 9, 2024
View reviewed changes
Copy link
Contributor

@rickchengx rickchengx left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

SbloodyS
SbloodyS approved these changes May 9, 2024
View reviewed changes
Copy link
Member

@SbloodyS SbloodyS left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

@sonarqubecloud
Copy link

sonarqubecloud bot commented May 9, 2024

Quality Gate Passed Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

@SbloodyS SbloodyS merged commit 60b019b into apache:dev May 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@SbloodyS SbloodyS SbloodyS approved these changes

@ruanwenjun ruanwenjun ruanwenjun approved these changes

@wangxj3 wangxj3 wangxj3 approved these changes

@rickchengx rickchengx rickchengx approved these changes

@caishunfeng caishunfeng Awaiting requested review from caishunfeng caishunfeng is a code owner

@zhuangchong zhuangchong Awaiting requested review from zhuangchong

Assignees

@cntigers cntigers

Labels

3.2.2 backend first time contributor First-time contributor improvement make more easy to user or prompt friendly ready-to-merge

Projects

None yet

Milestone

3.2.2

Development

Successfully merging this pull request may close these issues.

[Bug] [Pytorch] There is no security check for GitProjectManager.getGitUrl, which could cause command injection

6 participants

@cntigers @codecov-commenter @SbloodyS @ruanwenjun @wangxj3 @rickchengx