From 05afbb234e20f2b629b2f27f1e42acc14c5ecce2 Mon Sep 17 00:00:00 2001
From: BaiJv
Date: Wed, 10 Apr 2024 20:28:02 +0800
Subject: [PATCH 1/5] abnormal characters check
---
 .../api/service/impl/ResourcesServiceImpl.java | 5 +++++
 .../apache/dolphinscheduler/api/utils/CheckUtils.java | 10 ++++++++++
 .../dolphinscheduler/common/constants/Constants.java | 5 +++++
 3 files changed, 20 insertions(+)
diff --git a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/ResourcesServiceImpl.java b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/ResourcesServiceImpl.java
index 6a15da17a804..97e22366811c 100644
--- a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/ResourcesServiceImpl.java
+++ b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/ResourcesServiceImpl.java
@@ -1290,6 +1290,11 @@ private void checkFullName(String userTenantCode, String fullName) {
 if (FOLDER_SEPARATOR.equalsIgnoreCase(fullName)) {
 return;
 }
+ // abnormal characters check
+ if (!checkFilePath(fullName)){
+ log.error("fullName contains illegal characters");
+ throw new ServiceException(Status.ILLEGAL_RESOURCE_PATH);
+ }
 // Avoid returning to the parent directory
 if (fullName.contains("../")) {
 throw new ServiceException(Status.ILLEGAL_RESOURCE_PATH, fullName);
diff --git a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/utils/CheckUtils.java b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/utils/CheckUtils.java
index 8b166a16ddb6..b394d4956c93 100644
--- a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/utils/CheckUtils.java
+++ b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/utils/CheckUtils.java
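Review bot: The allowlist added to checkFullName in ResourcesServiceImpl.java does not stop parent-directory segments: `REGEX_FILE_PATH` (added in Constants.java by this patch) accepts `.` and `/`, and the existing `fullName.contains("../")` guard only matches a `..` that is followed by a slash, so a path whose final segment is `..` passes both checks visible in this hunk. I would fold the cases into one guard, `if (fullName.equals("..") || fullName.endsWith("/..") || fullName.contains("../")) {`, or normalise the path and compare it with the tenant base directory. The new `throw new ServiceException(Status.ILLEGAL_RESOURCE_PATH)` also drops the `fullName` argument that the throw below it passes, so the two rejections may produce different messages. checkFullName continues past the end of the hunk, so a later check may already cover part of this.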
@@ -158,4 +158,14 @@ private static boolean regexChecks(String str, Pattern pattern) {
 return pattern.matcher(str).matches();
 }
+
+ /**
+ * regex FilePath check,only use a to z, A to Z, 0 to 9, and _./-
+ *
+ * @param str input string
+ * @return true if regex pattern is right, otherwise return false
+ */
+ public static boolean checkFilePath(String str) {
+ return regexChecks(str, Constants.REGEX_FILE_PATH);
+ }
 }
diff --git a/dolphinscheduler-common/src/main/java/org/apache/dolphinscheduler/common/constants/Constants.java b/dolphinscheduler-common/src/main/java/org/apache/dolphinscheduler/common/constants/Constants.java
index 054a9410d5f1..19e1a1fabbc7 100644
--- a/dolphinscheduler-common/src/main/java/org/apache/dolphinscheduler/common/constants/Constants.java
+++ b/dolphinscheduler-common/src/main/java/org/apache/dolphinscheduler/common/constants/Constants.java
@@ -252,6 +252,11 @@ private Constants() {
 */
 public static final Pattern REGEX_USER_NAME = Pattern.compile("^[a-zA-Z0-9._-]{3,39}$");
+ /**
+ * file path regex
+ */
+ public static final Pattern REGEX_FILE_PATH = Pattern.compile("^[a-zA-Z0-9_./-]+$");
+
 /**
 * read permission
 */
From e3206d68faff82e34f068b1b89dab9f71f9d4669 Mon Sep 17 00:00:00 2001
From: BaiJv
Date: Wed, 10 Apr 2024 20:52:20 +0800
Subject: [PATCH 2/5] add test case
---
 .../api/utils/CheckUtilsTest.java | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/dolphinscheduler-api/src/test/java/org/apache/dolphinscheduler/api/utils/CheckUtilsTest.java b/dolphinscheduler-api/src/test/java/org/apache/dolphinscheduler/api/utils/CheckUtilsTest.java
index bca8a69a16f3..da5ea88c835b 100644
--- a/dolphinscheduler-api/src/test/java/org/apache/dolphinscheduler/api/utils/CheckUtilsTest.java
+++ b/dolphinscheduler-api/src/test/java/org/apache/dolphinscheduler/api/utils/CheckUtilsTest.java
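Review bot: The Javadoc on checkFilePath in CheckUtils.java does not state what the method guarantees to a caller that uses it as a security check: it is a character allowlist only, so absolute paths, repeated slashes and dot runs all return true. I would reword the summary to `Checks that str consists only of a-z, A-Z, 0-9 and the characters _ . / - ; this is not a path traversal check.` and the return tag to `@return true if every character of str is in the allowed set, otherwise false`. The test added in PATCH 2/5 expects null to return false, which should be documented too; regexChecks starts above this hunk, so its null handling is not visible here.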
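Review bot: `REGEX_FILE_PATH` in Constants.java refuses every character outside ASCII letters, digits and `_./-`, so once checkFullName applies it, resource paths containing spaces, parentheses or non-ASCII file names are rejected with ILLEGAL_RESOURCE_PATH. Whether such names can already exist in resource storage is not visible from this diff, but if they can, they stop passing this check after the change, which should be confirmed and mentioned in the release notes. The comment `file path regex` would be more useful as `allowed characters for resource paths: a-z A-Z 0-9 _ . / -`. Unlike `REGEX_USER_NAME` directly above it, the pattern also sets no upper bound on length.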
@@ -92,4 +92,24 @@ public void testCheckPhone() {
 Assertions.assertTrue(CheckUtils.checkPhone("17362537263"));
 }
+ /**
+ * check file path
+ */
+ @Test
+ public void testCheckFilePath() {
+ // true
+ Assertions.assertTrue(CheckUtils.checkFilePath("/"));
+ Assertions.assertTrue(CheckUtils.checkFilePath("xx/"));
+ Assertions.assertTrue(CheckUtils.checkFilePath("/xx"));
+ Assertions.assertTrue(CheckUtils.checkFilePath("14567134578654"));
+ Assertions.assertTrue(CheckUtils.checkFilePath("/admin/root/"));
+ Assertions.assertTrue(CheckUtils.checkFilePath("/admin/root/1531531..13513/153135.."));
+ // false
+ Assertions.assertFalse(CheckUtils.checkFilePath(null));
+ Assertions.assertFalse(CheckUtils.checkFilePath("file://xxx/ss"));
+ Assertions.assertFalse(CheckUtils.checkFilePath("/xxx/ss;/dasd/123"));
+ Assertions.assertFalse(CheckUtils.checkFilePath("/xxx/ss && /dasd/123"));
+ Assertions.assertFalse(CheckUtils.checkFilePath("/xxx/ss || /dasd/123"));
+ }
+
 }
From 73e7cc77f300f757b06d56dd03aea63c24c068dc Mon Sep 17 00:00:00 2001
From: BaiJv
Date: Wed, 10 Apr 2024 21:03:50 +0800
Subject: [PATCH 3/5] remove error log
---
 .../dolphinscheduler/api/service/impl/ResourcesServiceImpl.java | 1 -
 1 file changed, 1 deletion(-)
diff --git a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/ResourcesServiceImpl.java b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/ResourcesServiceImpl.java
index 97e22366811c..19974a27d00b 100644
--- a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/ResourcesServiceImpl.java
+++ b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/ResourcesServiceImpl.java
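Review bot: testCheckFilePath in CheckUtilsTest.java records that dot runs are accepted (`/admin/root/1531531..13513/153135..`) but has no case for the empty string, whitespace, a backslash or non-ASCII input, so the edges of the allowlist that checkFullName now depends on are untested. I would add `Assertions.assertFalse(CheckUtils.checkFilePath(""));`, `Assertions.assertFalse(CheckUtils.checkFilePath("/xx yy"));` and `Assertions.assertFalse(CheckUtils.checkFilePath("/xx\\yy"));`; the first is expected to be false from the `+` quantifier, assuming regexChecks does not special-case empty input. An explicit assertion for a path ending in a `..` segment, with a comment saying the result is intended, would also stop a later regex change from silently altering it.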
@@ -1292,7 +1292,6 @@ private void checkFullName(String userTenantCode, String fullName) {
 }
 // abnormal characters check
 if (!checkFilePath(fullName)){
- log.error("fullName contains illegal characters");
 throw new ServiceException(Status.ILLEGAL_RESOURCE_PATH);
 }
 // Avoid returning to the parent directory
From d5b5aec994d611a47ccf222c4a0685a2450bea7b Mon Sep 17 00:00:00 2001
From: BaiJv
Date: Thu, 11 Apr 2024 17:32:37 +0800
Subject: [PATCH 4/5] fix code style
---
 .../dolphinscheduler/api/service/impl/ResourcesServiceImpl.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/ResourcesServiceImpl.java b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/ResourcesServiceImpl.java
index 19974a27d00b..28426d12c4a9 100644
--- a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/ResourcesServiceImpl.java
+++ b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/ResourcesServiceImpl.java
@@ -1291,7 +1291,7 @@ private void checkFullName(String userTenantCode, String fullName) {
 return;
 }
 // abnormal characters check
- if (!checkFilePath(fullName)){
+ if (!checkFilePath(fullName)) {
 throw new ServiceException(Status.ILLEGAL_RESOURCE_PATH);
 }
 // Avoid returning to the parent directory
From cbbac326a575eb0a0d2bfb47b84682eaf5b97e6b Mon Sep 17 00:00:00 2001
From: BaiJv
Date: Thu, 11 Apr 2024 18:20:26 +0800
Subject: [PATCH 5/5] fix import
---
 .../dolphinscheduler/api/service/impl/ResourcesServiceImpl.java | 1 +
 1 file changed, 1 insertion(+)
diff --git a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/ResourcesServiceImpl.java b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/ResourcesServiceImpl.java
index 28426d12c4a9..1c039cdfbdff 100644
--- a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/ResourcesServiceImpl.java
+++ b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/ResourcesServiceImpl.java
@@ -17,6 +17,7 @@
 package org.apache.dolphinscheduler.api.service.impl;
+import static org.apache.dolphinscheduler.api.utils.CheckUtils.checkFilePath;
 import static org.apache.dolphinscheduler.common.constants.Constants.ALIAS;
 import static org.apache.dolphinscheduler.common.constants.Constants.CONTENT;
 import static org.apache.dolphinscheduler.common.constants.Constants.EMPTY_STRING;