deal with url encode (#4113)

kinsanities · web-flow · commit 8e804ff2e3c2 · 2023-01-12T20:22:50.000+08:00
diff --git a/linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java b/linkis-commons/linkis-common/src/main/java/org/apache/linkis/common/utils/SecurityUtils.java
@@ -23,6 +23,8 @@
 
 import org.apache.commons.lang3.StringUtils;
 
+import java.io.UnsupportedEncodingException;
+import java.net.URLDecoder;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.LinkedHashMap;
@@ -93,6 +95,12 @@ public static String checkJdbcSecurity(String url) {
     if (StringUtils.isBlank(url)) {
       throw new LinkisSecurityException(35000, "Invalid mysql connection cul, url is empty");
     }
+    // deal with url encode
+    try {
+      url = URLDecoder.decode(url, "UTF-8");
+    } catch (UnsupportedEncodingException e) {
+      throw new LinkisSecurityException(35000, "mysql connection cul decode error: " + e);
+    }
     if (url.endsWith(QUESTION_MARK) || !url.contains(QUESTION_MARK)) {
       logger.info("checkJdbcSecurity target url: {}", url);
       return url;
@@ -126,6 +134,18 @@ public static Map<String, Object> checkJdbcSecurity(Map<String, Object> paramsMa
       return paramsMap;
     }
 
+    // deal with url encode
+    String paramUrl = parseParamsMapToMysqlParamUrl(paramsMap);
+    try {
+      paramUrl = URLDecoder.decode(paramUrl, "UTF-8");
+    } catch (UnsupportedEncodingException e) {
+      throw new LinkisSecurityException(35000, "mysql connection cul decode error: " + e);
+    }
+
+    Map<String, Object> newParamsMap = parseMysqlUrlParamsToMap(paramUrl);
+    paramsMap.clear();
+    paramsMap.putAll(newParamsMap);
+
     Iterator<Map.Entry<String, Object>> iterator = paramsMap.entrySet().iterator();
     while (iterator.hasNext()) {
       Map.Entry<String, Object> entry = iterator.next();
diff --git a/linkis-commons/linkis-common/src/test/java/org/apache/linkis/common/utils/SecurityUtilsTest.java b/linkis-commons/linkis-common/src/test/java/org/apache/linkis/common/utils/SecurityUtilsTest.java
@@ -91,6 +91,15 @@ public void testCheckJdbcSecurityUrl() throws Exception {
           SecurityUtils.checkJdbcSecurity(atomUrl.get());
         });
 
+    // url encode
+    url = "jdbc:mysql://127.0.0.1:10000/db_name?allowLocalInfil%65=true";
+    atomUrl.set(url);
+    Assertions.assertThrows(
+        LinkisSecurityException.class,
+        () -> {
+          SecurityUtils.checkJdbcSecurity(atomUrl.get());
+        });
+
     // value is not security
     url = "jdbc:mysql://127.0.0.1:10000/db_name?p1=allowLocalInfile";
     atomUrl.set(url);
@@ -117,6 +126,11 @@ public void testCheckJdbcSecurityParamsMap() throws Exception {
     Map<String, Object> newMap = SecurityUtils.checkJdbcSecurity(paramsMap);
     Assertions.assertEquals("v1", newMap.get("p1"));
 
+    // key not security
+    paramsMap.put("allowLocalInfil%67", "true");
+    SecurityUtils.checkJdbcSecurity(paramsMap);
+    Assertions.assertEquals("true", newMap.get("allowLocalInfilg"));
+
     // key not security
     paramsMap.put("allowLocalInfile", "false");
     Assertions.assertThrows(
@@ -134,6 +148,15 @@ public void testCheckJdbcSecurityParamsMap() throws Exception {
           SecurityUtils.checkJdbcSecurity(paramsMap);
         });
 
+    // value not security
+    paramsMap.clear();
+    paramsMap.put("p1", "allowLocalInfil%65");
+    Assertions.assertThrows(
+        LinkisSecurityException.class,
+        () -> {
+          SecurityUtils.checkJdbcSecurity(paramsMap);
+        });
+
     // contains #
     paramsMap.clear();
     paramsMap.put("p1#", "v1");
