This is an automated email from the ASF dual-hosted git repository.

jongyoul pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/zeppelin.git


The following commit(s) were added to refs/heads/master by this push:
     new e65b5430e4 [ZEPPELIN-5990] Disable sensitive configuration for JDBC 
url (#4709)
e65b5430e4 is described below

commit e65b5430e43c076c138a1f56e3f2aba1324118f2
Author: Jongyoul Lee <jongy...@gmail.com>
AuthorDate: Mon Feb 19 21:44:39 2024 +0900

    [ZEPPELIN-5990] Disable sensitive configuration for JDBC url (#4709)
    
    * [ZEPPELIN-5990] Disable sensitive configuration for JDBC url
    
    * [ZEPPELIN-5990] Disable sensitive configuration for JDBC url
---
 .../org/apache/zeppelin/jdbc/JDBCInterpreter.java  | 23 +++++++++++++++++++++-
 .../apache/zeppelin/jdbc/JDBCInterpreterTest.java  | 15 ++++++++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java 
b/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java
index 30f2cb1929..f6fed74ad0 100644
--- a/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java
+++ b/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java
@@ -153,6 +153,14 @@ public class JDBCInterpreter extends KerberosInterpreter {
           "KerberosConfigPath", "KerberosKeytabPath", 
"KerberosCredentialCachePath",
           "extraCredentials", "roles", "sessionProperties"));
 
+  private static final String ALLOW_LOAD_LOCAL_IN_FILE_NAME = 
"allowLoadLocalInfile";
+
+  private static final String AUTO_DESERIALIZE = "autoDeserialize";
+
+  private static final String ALLOW_LOCAL_IN_FILE_NAME = "allowLocalInfile";
+
+  private static final String ALLOW_URL_IN_LOCAL_IN_FILE_NAME = 
"allowUrlInLocalInfile";
+
   // database --> Properties
   private final HashMap<String, Properties> basePropertiesMap;
   // username --> User Configuration
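Review bot: The four constants added at lines 36–44 are entries of one denylist but are declared as four unrelated fields with no comment saying what they are or why a URL carrying them is refused. The neighbouring property-name collection ending at line 34 already shows the file's shape for "a set of related property names"; the same shape here, `private static final List<String> SENSITIVE_URL_PROPERTIES = Arrays.asList("allowLoadLocalInfile", "autoDeserialize", "allowLocalInfile", "allowUrlInLocalInfile");` (or whichever list factory that collection uses), lets validateConnectionUrl loop once instead of chaining four calls and makes a fifth name a one-line change. Whatever the shape, add a comment above the declaration such as `// MySQL/MariaDB driver properties that let the server read client-side files or deserialize server-supplied data; rejected by validateConnectionUrl` so the next reader knows this is a driver-specific denylist rather than a general list.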
@@ -533,6 +541,7 @@ public class JDBCInterpreter extends KerberosInterpreter {
     String url = properties.getProperty(URL_KEY);
     url = appendProxyUserToURL(url, user);
     String connectionUrl = appendTagsToURL(url, context);
+    validateConnectionUrl(connectionUrl);
 
     String authType = getProperty("zeppelin.jdbc.auth.type", "SIMPLE")
             .trim().toUpperCase();
@@ -576,6 +585,15 @@ public class JDBCInterpreter extends KerberosInterpreter {
     return connection;
   }
 
+  private void validateConnectionUrl(String url) {
+    if (containsIgnoreCase(url, ALLOW_LOAD_LOCAL_IN_FILE_NAME) ||
+        containsIgnoreCase(url, AUTO_DESERIALIZE) ||
+        containsIgnoreCase(url, ALLOW_LOCAL_IN_FILE_NAME) ||
+        containsIgnoreCase(url, ALLOW_URL_IN_LOCAL_IN_FILE_NAME)) {
+      throw new IllegalArgumentException("Connection URL contains sensitive 
configuration");
+    }
+  }
+
   private String appendProxyUserToURL(String url, String user) {
     StringBuilder connectionUrl = new StringBuilder(url);
 
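Review bot: validateConnectionUrl matches each name as a case-insensitive substring of the whole URL, so it keys on spelling rather than on the parsed parameter set: a URL whose database name, host or an unrelated parameter value merely contains one of these words is rejected with the same message, while the same driver property supplied through the Properties object handed to the driver (not visible in this hunk, if the connection code passes one) is not inspected at all. Parsing the query part of the URL and comparing parameter names exactly would make the check both stricter and less surprising to users. If the substring match is kept deliberately, the method needs a Javadoc saying so, e.g. a summary `Rejects connection URLs that mention, as a case-insensitive substring, a driver property from the local-file/deserialization denylist; the caller's connection Properties are not checked.` with `@throws IllegalArgumentException` for the rejection. The IllegalArgumentException message is the only signal the caller has, so a dedicated exception type would also let the catch in interpret distinguish this rejection from other argument errors.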
@@ -749,6 +767,9 @@ public class JDBCInterpreter extends KerberosInterpreter {
 
     try {
       connection = getConnection(context);
+    } catch (IllegalArgumentException e) {
+      LOGGER.error("Cannot run " + sql, e);
+      return new InterpreterResult(Code.ERROR, "Connection URL contains 
improper configuration");
     } catch (Exception e) {
       LOGGER.error("Fail to getConnection", e);
       try {
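Review bot: The new catch swallows every IllegalArgumentException thrown anywhere inside getConnection, not only the one raised by validateConnectionUrl, and reports all of them to the user as "Connection URL contains improper configuration"; an IllegalArgumentException from the driver or from the URL helpers would be misreported and, unlike the general catch below it, would skip whatever recovery that branch attempts. Throwing a dedicated exception type from validateConnectionUrl and catching that, or checking the message before choosing the user-facing text, keeps the two cases apart. The log line `LOGGER.error("Cannot run " + sql, e);` also writes the full statement text into the log at ERROR level every time a URL is rejected; `LOGGER.error("Cannot run statement: connection URL rejected", e);` carries the same diagnostic without the SQL, and if the logger is SLF4J the `{}` placeholder form should be used where the statement must be logged. The enclosing method starts before this hunk and continues past it.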
@@ -763,7 +784,7 @@ public class JDBCInterpreter extends KerberosInterpreter {
       }
     }
     if (connection == null) {
-      return new InterpreterResult(Code.ERROR, "User's connectin not found.");
+      return new InterpreterResult(Code.ERROR, "User's connection not found.");
     }
 
     try {
diff --git 
a/jdbc/src/test/java/org/apache/zeppelin/jdbc/JDBCInterpreterTest.java 
b/jdbc/src/test/java/org/apache/zeppelin/jdbc/JDBCInterpreterTest.java
index c380f8c6ee..4089eb802c 100644
--- a/jdbc/src/test/java/org/apache/zeppelin/jdbc/JDBCInterpreterTest.java
+++ b/jdbc/src/test/java/org/apache/zeppelin/jdbc/JDBCInterpreterTest.java
@@ -747,6 +747,21 @@ public class JDBCInterpreterTest extends 
BasicJDBCTestCaseAdapter {
     assertEquals(3, resultMessages.size());
   }
 
+  @Test
+  void testValidateConnectionUrl() throws IOException, InterpreterException {
+    Properties properties = new Properties();
+    properties.setProperty("default.driver", "org.h2.Driver");
+    properties.setProperty("default.url", getJdbcConnection() + 
";allowLoadLocalInfile=true");
+    properties.setProperty("default.user", "");
+    properties.setProperty("default.password", "");
+    JDBCInterpreter jdbcInterpreter = new JDBCInterpreter(properties);
+    jdbcInterpreter.open();
+    InterpreterResult interpreterResult = jdbcInterpreter.interpret("SELECT 
1", context);
+    assertEquals(InterpreterResult.Code.ERROR, interpreterResult.code());
+    assertEquals("Connection URL contains improper configuration",
+            interpreterResult.message().get(0).getData());
+  }
+
   private InterpreterContext getInterpreterContext() {
     return InterpreterContext.builder()
             .setAuthenticationInfo(new AuthenticationInfo("testUser"))
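Review bot: testValidateConnectionUrl exercises only allowLoadLocalInfile, in its canonical casing and appended with `;`, so three of the four denylisted names and the case-insensitive path of validateConnectionUrl are untested, and there is no negative case asserting that a URL without these names still runs `SELECT 1` successfully. A parameterized test over the four names plus an upper-case variant, and one passing case, would pin the intended contract and catch a later change to the matching rule. The assertion on `interpreterResult.message().get(0).getData()` couples the test to the exact user-facing string in JDBCInterpreter; referencing a shared constant would keep the two from drifting apart silently.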
