This is an automated email from the ASF dual-hosted git repository.

pdallig pushed a commit to branch branch-0.12
in repository https://gitbox.apache.org/repos/asf/zeppelin.git


The following commit(s) were added to refs/heads/branch-0.12 by this push:
     new 8e8c901c05 [ZEPPELIN-6095] validate decoded url in jdbc interpreter
8e8c901c05 is described below

commit 8e8c901c05abbb8dd4fea680b53ade67c8507aec
Author: moon jieun <55692557+s2moo...@users.noreply.github.com>
AuthorDate: Thu Nov 7 15:59:27 2024 +0900

    [ZEPPELIN-6095] validate decoded url in jdbc interpreter
    
    ### What is this PR for?
    
    Add a validation condition to the existing URL validator in the JDBC 
interpreter. It can now also check URLs in the form below for disallowed 
configuration.
    - UTF-8 encoded
    
    ### What type of PR is it?
    
    Improvement
    
    ### Todos
    * [ ] - Task
    
    ### What is the Jira issue?
    
    [ZEPPELIN-6095](https://issues.apache.org/jira/browse/ZEPPELIN-6095)
    
    ### How should this be tested?
    
    Input the url with unallowable configurations in UTF-8 encoded in JDBC type 
interpreter.  Then run the command in notebook and see if the command is 
blocked from running.
    
    ### Screenshots (if appropriate)
    
    ### Questions:
    * Does the license files need to update? No
    * Is there breaking changes for older versions? No
    * Does this needs documentation? No
    
    Closes #4838 from s2moon98/add-jdbc-interpreter-url-validate.
    
    Signed-off-by: Philipp Dallig <philipp.dal...@gmail.com>
    (cherry picked from commit e46337302dcb0ce14dc5b3be87ab2ed434a5121a)
    Signed-off-by: Philipp Dallig <philipp.dal...@gmail.com>
---
 .../java/org/apache/zeppelin/jdbc/JDBCInterpreter.java    | 13 +++++++++----
 .../org/apache/zeppelin/jdbc/JDBCInterpreterTest.java     | 15 +++++++++++++++
 2 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java 
b/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java
index b4cfba25b4..61555da279 100644
--- a/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java
+++ b/jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java
@@ -42,6 +42,8 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.io.IOException;
+import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
 import java.security.PrivilegedExceptionAction;
 import java.sql.Connection;
 import java.sql.DriverManager;
@@ -587,10 +589,13 @@ public class JDBCInterpreter extends KerberosInterpreter {
   }
 
   private void validateConnectionUrl(String url) {
-    if (containsIgnoreCase(url, ALLOW_LOAD_LOCAL_IN_FILE_NAME) ||
-        containsIgnoreCase(url, AUTO_DESERIALIZE) ||
-        containsIgnoreCase(url, ALLOW_LOCAL_IN_FILE_NAME) ||
-        containsIgnoreCase(url, ALLOW_URL_IN_LOCAL_IN_FILE_NAME)) {
+    String decodedUrl;
+    decodedUrl = URLDecoder.decode(url, StandardCharsets.UTF_8);
+
+    if (containsIgnoreCase(decodedUrl, ALLOW_LOAD_LOCAL_IN_FILE_NAME) ||
+            containsIgnoreCase(decodedUrl, AUTO_DESERIALIZE) ||
+            containsIgnoreCase(decodedUrl, ALLOW_LOCAL_IN_FILE_NAME) ||
+            containsIgnoreCase(decodedUrl, ALLOW_URL_IN_LOCAL_IN_FILE_NAME)) {
       throw new IllegalArgumentException("Connection URL contains sensitive 
configuration");
     }
   }
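Review bot: `URLDecoder.decode(url, StandardCharsets.UTF_8)` in validateConnectionUrl throws its own IllegalArgumentException when the URL holds a malformed escape such as a stray `%`, so such a URL is rejected with the decoder's message rather than the validator's. That fails closed, but it is worth making explicit by wrapping the call, e.g. `try { decodedUrl = URLDecoder.decode(url, StandardCharsets.UTF_8); } catch (IllegalArgumentException e) { throw new IllegalArgumentException("Connection URL is not validly percent-encoded", e); }`, and by adding a comment such as `// decode once so percent-encoded property names cannot slip past the substring checks`. The check remains a substring denylist over a single decoding pass; whether that matches how each JDBC driver parses its URL is not visible in this hunk, so an allowlist of permitted properties would be the sturdier design.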
diff --git 
a/jdbc/src/test/java/org/apache/zeppelin/jdbc/JDBCInterpreterTest.java 
b/jdbc/src/test/java/org/apache/zeppelin/jdbc/JDBCInterpreterTest.java
index 4089eb802c..529ebc18fc 100644
--- a/jdbc/src/test/java/org/apache/zeppelin/jdbc/JDBCInterpreterTest.java
+++ b/jdbc/src/test/java/org/apache/zeppelin/jdbc/JDBCInterpreterTest.java
@@ -762,6 +762,21 @@ public class JDBCInterpreterTest extends 
BasicJDBCTestCaseAdapter {
             interpreterResult.message().get(0).getData());
   }
 
+  @Test
+  void testValidateConnectionUrlEncoded() throws IOException, 
InterpreterException {
+    Properties properties = new Properties();
+    properties.setProperty("default.driver", "org.h2.Driver");
+    properties.setProperty("default.url", getJdbcConnection() + 
";%61llowLoadLocalInfile=true");
+    properties.setProperty("default.user", "");
+    properties.setProperty("default.password", "");
+    JDBCInterpreter jdbcInterpreter = new JDBCInterpreter(properties);
+    jdbcInterpreter.open();
+    InterpreterResult interpreterResult = jdbcInterpreter.interpret("SELECT 
1", context);
+    assertEquals(InterpreterResult.Code.ERROR, interpreterResult.code());
+    assertEquals("Connection URL contains improper configuration",
+            interpreterResult.message().get(0).getData());
+  }
+
   private InterpreterContext getInterpreterContext() {
     return InterpreterContext.builder()
             .setAuthenticationInfo(new AuthenticationInfo("testUser"))
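Review bot: testValidateConnectionUrlEncoded exercises only one encoded spelling, `%61llowLoadLocalInfile`, so the other three names checked by validateConnectionUrl and the malformed-escape path have no encoded coverage. Consider running the same assertions over an encoded form of each blocked property, plus a case with an invalid escape to pin the error the user sees. The asserted text "Connection URL contains improper configuration" also differs from the "Connection URL contains sensitive configuration" message thrown in the JDBCInterpreter hunk; presumably it is remapped in code outside this diff, and once that is confirmed a short comment on the assertion, e.g. `// message is rewritten by the interpreter before it reaches the result`, would save the next reader the search.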
