
fix: fix the database connection test's JDBC URL filter, which could be bypassed to read arbitrary files #905

Open

MarkLee131 wants to merge 1 commit into elunez:master from MarkLee131:fix/jdbc-url-sanitize-bypass


Conversation

@MarkLee131


Fix #904 and #900:

sanitizeJdbcUrl only replaces the literal "param=true", which leaves two bypasses:
allowLoadLocalInfileInPath is not on the list, and a percent-encoded parameter name never matches the regex; either one lets mysql-connector-j read arbitrary files on the server via LOAD DATA LOCAL INFILE (same as Apache InLong CVE-2023-34434). Changed to parse the query string and drop, in full, every decoded parameter name that matches a dangerous prefix or the list, covering case variants, URL encoding and the InPath family of parameters.

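An added example of the parse-and-drop approach the description outlines; this is illustrative code, not the PR's own patch, and the blocklist prefixes, class name and sample URLs are constructed for the demonstration.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

public class JdbcUrlSanitizer {
    // Constructed blocklist of lower-cased name prefixes. Matching by prefix means
    // "allowloadlocalinfile" also covers allowLoadLocalInfileInPath, which a
    // literal "param=true" replacement would miss.
    private static final String[] DANGEROUS_PREFIXES = {"allowloadlocalinfile", "allowurlinlocalinfile"};

    /** Returns the URL with every dangerous query parameter removed, whatever its value. */
    public static String sanitize(String jdbcUrl) {
        int q = jdbcUrl.indexOf('?');
        if (q < 0) {
            return jdbcUrl; // no query string, nothing to filter
        }
        String base = jdbcUrl.substring(0, q);
        List<String> kept = new ArrayList<>();
        for (String pair : jdbcUrl.substring(q + 1).split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            String rawName = eq < 0 ? pair : pair.substring(0, eq);
            if (!isDangerous(rawName)) {
                kept.add(pair); // the original pair is kept verbatim, including its value
            }
        }
        return kept.isEmpty() ? base : base + "?" + String.join("&", kept);
    }

    /** Percent-decode and lower-case the name, then compare by prefix; undecodable names are dropped too. */
    static boolean isDangerous(String rawName) {
        String name;
        try {
            name = URLDecoder.decode(rawName, "UTF-8").toLowerCase(Locale.ROOT);
        } catch (UnsupportedEncodingException | IllegalArgumentException e) {
            return true; // malformed encoding: fail closed instead of guessing what the driver will see
        }
        for (String prefix : DANGEROUS_PREFIXES) {
            if (name.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed inputs covering the two bypass shapes named in the description.
        System.out.println(sanitize("jdbc:mysql://db:3306/app?allowLoadLocalInfileInPath=/some/dir&useSSL=false"));
        System.out.println(sanitize("jdbc:mysql://db:3306/app?%61llowLoadLocalInfile=true"));
    }
}
```

Both sample URLs come back with only `useSSL=false` or with no query string at all, because the parameter is removed whole rather than having its value rewritten.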

Development

Successfully merging this pull request may close these issues.

Arbitrary file read via /api/database/testConnect: the sanitizeJdbcUrl blocklist is bypassable

1 participant