Merge branch 'dev' into dev

SbloodyS · web-flow · commit 75707cb354d8 · 2024-04-02T09:15:50.000+08:00
diff --git a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/enums/Status.java b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/enums/Status.java
@@ -323,6 +323,8 @@ public enum Status {
 
     REMOVE_TASK_INSTANCE_CACHE_ERROR(20019, "remove task instance cache error", "删除任务实例缓存错误"),
 
+    ILLEGAL_RESOURCE_PATH(20020, "Resource file [{0}] is illegal", "非法的资源路径[{0}]"),
+
     USER_NO_OPERATION_PERM(30001, "user has no operation privilege", "当前用户没有操作权限"),
     USER_NO_OPERATION_PROJECT_PERM(30002, "user {0} is not has project {1} permission", "当前用户[{0}]没有[{1}]项目的操作权限"),
     USER_NO_WRITE_PROJECT_PERM(30003, "user [{0}] does not have write permission for project [{1}]",
diff --git a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/ResourcesService.java b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/ResourcesService.java
@@ -194,13 +194,13 @@ Result<Object> updateResourceContent(User loginUser, String fullName, String ten
     org.springframework.core.io.Resource downloadResource(User loginUser, String fullName) throws IOException;
 
     /**
-     * Get resource by given resource type and full name.
+     * Get resource by given resource type and file name.
      * Useful in Python API create task which need processDefinition information.
      *
      * @param userName user who query resource
-     * @param fullName full name of the resource
+     * @param fileName file name of the resource
      */
-    StorageEntity queryFileStatus(String userName, String fullName) throws Exception;
+    StorageEntity queryFileStatus(String userName, String fileName) throws Exception;
 
     /**
      * delete DATA_TRANSFER data in resource center
diff --git a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/ResourcesServiceImpl.java b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/ResourcesServiceImpl.java
@@ -126,6 +126,7 @@ public Result<Object> createDirectory(User loginUser, String name, ResourceType
         }
 
         String tenantCode = getTenantCode(user);
+        checkFullName(tenantCode, currentDir);
 
         String userResRootPath = ResourceType.UDF.equals(type) ? storageOperate.getUdfDir(tenantCode)
                 : storageOperate.getResDir(tenantCode);
@@ -171,6 +172,7 @@ public Result<Object> uploadResource(User loginUser, String name, ResourceType t
         }
 
         String tenantCode = getTenantCode(user);
+        checkFullName(tenantCode, currentDir);
 
         result = verifyFile(name, type, file);
         if (!result.getCode().equals(Status.SUCCESS.getCode())) {
@@ -257,14 +259,15 @@ public Result<Object> updateResource(User loginUser, String resourceFullName, St
         }
 
         String tenantCode = getTenantCode(user);
+        checkFullName(tenantCode, resourceFullName);
 
         if (!isUserTenantValid(isAdmin(loginUser), tenantCode, resTenantCode)) {
             log.error("current user does not have permission");
             putMsg(result, Status.NO_CURRENT_OPERATING_PERMISSION);
             return result;
         }
 
-        String defaultPath = storageOperate.getResDir(tenantCode);
+        String defaultPath = storageOperate.getDir(type, tenantCode);
 
         StorageEntity resource;
         try {
@@ -949,6 +952,7 @@ public Result<Object> createResourceFile(User loginUser, ResourceType type, Stri
         }
 
         String tenantCode = getTenantCode(user);
+        checkFullName(tenantCode, currentDir);
 
         if (FileUtils.directoryTraversal(fileName)) {
             log.warn("File name verify failed, fileName:{}.", RegexUtils.escapeNRT(fileName));
@@ -1280,9 +1284,19 @@ private String getTenantCode(User user) {
     }
 
     private void checkFullName(String userTenantCode, String fullName) {
+        if (StringUtils.isEmpty(fullName)) {
+            return;
+        }
+        if (FOLDER_SEPARATOR.equalsIgnoreCase(fullName)) {
+            return;
+        }
+        // Avoid returning to the parent directory
+        if (fullName.contains("../")) {
+            throw new ServiceException(Status.ILLEGAL_RESOURCE_PATH, fullName);
+        }
         String baseDir = storageOperate.getDir(ResourceType.ALL, userTenantCode);
-        if (StringUtils.isNotBlank(fullName) && !StringUtils.startsWith(fullName, baseDir)) {
-            throw new ServiceException("Resource file: " + fullName + " is illegal");
+        if (!StringUtils.startsWith(fullName, baseDir)) {
+            throw new ServiceException(Status.ILLEGAL_RESOURCE_PATH, fullName);
         }
     }
 }
diff --git a/dolphinscheduler-api/src/test/java/org/apache/dolphinscheduler/api/service/ResourcesServiceTest.java b/dolphinscheduler-api/src/test/java/org/apache/dolphinscheduler/api/service/ResourcesServiceTest.java

Original file line number	Diff line number	Diff line change
`@@ -126,6 +126,7 @@ public Result<Object> createDirectory(User loginUser, String name, ResourceType`
`126`	`126`	`}`
`127`	`127`
`128`	`128`	`String tenantCode = getTenantCode(user);`
	`129`	`+ checkFullName(tenantCode, currentDir);`
`129`	`130`
`130`	`131`	`String userResRootPath = ResourceType.UDF.equals(type) ? storageOperate.getUdfDir(tenantCode)`
`131`	`132`	`: storageOperate.getResDir(tenantCode);`
`@@ -171,6 +172,7 @@ public Result<Object> uploadResource(User loginUser, String name, ResourceType t`
`171`	`172`	`}`
`172`	`173`
`173`	`174`	`String tenantCode = getTenantCode(user);`
	`175`	`+ checkFullName(tenantCode, currentDir);`
`174`	`176`
`175`	`177`	`result = verifyFile(name, type, file);`
`176`	`178`	`if (!result.getCode().equals(Status.SUCCESS.getCode())) {`
`@@ -257,14 +259,15 @@ public Result<Object> updateResource(User loginUser, String resourceFullName, St`
`257`	`259`	`}`
`258`	`260`
`259`	`261`	`String tenantCode = getTenantCode(user);`
	`262`	`+ checkFullName(tenantCode, resourceFullName);`
`260`	`263`
`261`	`264`	`if (!isUserTenantValid(isAdmin(loginUser), tenantCode, resTenantCode)) {`
`262`	`265`	`log.error("current user does not have permission");`
`263`	`266`	`putMsg(result, Status.NO_CURRENT_OPERATING_PERMISSION);`
`264`	`267`	`return result;`
`265`	`268`	`}`
`266`	`269`
`267`		`- String defaultPath = storageOperate.getResDir(tenantCode);`
	`270`	`+ String defaultPath = storageOperate.getDir(type, tenantCode);`
`268`	`271`
`269`	`272`	`StorageEntity resource;`
`270`	`273`	`try {`
`@@ -949,6 +952,7 @@ public Result<Object> createResourceFile(User loginUser, ResourceType type, Stri`
`949`	`952`	`}`
`950`	`953`
`951`	`954`	`String tenantCode = getTenantCode(user);`
	`955`	`+ checkFullName(tenantCode, currentDir);`
`952`	`956`
`953`	`957`	`if (FileUtils.directoryTraversal(fileName)) {`
`954`	`958`	`log.warn("File name verify failed, fileName:{}.", RegexUtils.escapeNRT(fileName));`
`@@ -1280,9 +1284,19 @@ private String getTenantCode(User user) {`
`1280`	`1284`	`}`
`1281`	`1285`
`1282`	`1286`	`private void checkFullName(String userTenantCode, String fullName) {`
	`1287`	`+ if (StringUtils.isEmpty(fullName)) {`
	`1288`	`+ return;`
	`1289`	`+ }`
	`1290`	`+ if (FOLDER_SEPARATOR.equalsIgnoreCase(fullName)) {`
	`1291`	`+ return;`
	`1292`	`+ }`
	`1293`	`+ // Avoid returning to the parent directory`
	`1294`	`+ if (fullName.contains("../")) {`
	`1295`	`+ throw new ServiceException(Status.ILLEGAL_RESOURCE_PATH, fullName);`
	`1296`	`+ }`
`1283`	`1297`	`String baseDir = storageOperate.getDir(ResourceType.ALL, userTenantCode);`
`1284`		`- if (StringUtils.isNotBlank(fullName) && !StringUtils.startsWith(fullName, baseDir)) {`
`1285`		`- throw new ServiceException("Resource file: " + fullName + " is illegal");`
	`1298`	`+ if (!StringUtils.startsWith(fullName, baseDir)) {`
	`1299`	`+ throw new ServiceException(Status.ILLEGAL_RESOURCE_PATH, fullName);`
`1286`	`1300`	`}`
`1287`	`1301`	`}`
`1288`	`1302`	`}`