fix: fix the JDBC URL filter in the database connection test, which could be bypassed to read arbitrary files #905

Open
MarkLee131 wants to merge 1 commit into elunez:master from MarkLee131:fix/jdbc-url-sanitize-bypass

Conversation

@MarkLee131


Fix #904 and #900:

sanitizeJdbcUrl only replaces the literal "param=true", which leaves two bypasses: allowLoadLocalInfileInPath is not on the list, and a percent-encoded parameter name is not matched by the regex. Either one lets mysql-connector-j read arbitrary files on the server via LOAD DATA LOCAL INFILE (the same issue as Apache InLong CVE-2023-34434). Changed to parse the query string and drop the entire parameter, keyed on the decoded parameter name, by dangerous prefix / deny list, covering case variants, URL encoding and the InPath family of parameters.

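A sanitizer of the kind the PR describes, as an added example that is not the PR's or eladmin's code: it parses the query string, percent-decodes and lower-cases each parameter name, and drops the whole pair when the name is on a deny list or starts with a dangerous prefix. The class name, the deny-list contents and the test URLs are assumptions.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.*;

/** Hypothetical sanitizer (not eladmin's code): drops whole parameters by decoded, lower-cased name. */
public final class JdbcUrlSanitizer {
    // Constructed deny list; the prefix also covers the "...InPath" variant of the same family.
    private static final Set<String> BLOCKED_NAMES = new HashSet<>(Arrays.asList(
            "allowurlinlocalinfile", "allowmultiqueries", "autodeserialize"));
    private static final String BLOCKED_PREFIX = "allowloadlocalinfile";

    /** Returns the URL with every blocked parameter removed; a URL without a query string is returned as is. */
    public static String sanitize(String url) {
        int q = url.indexOf('?');
        if (q < 0) return url;
        List<String> kept = new ArrayList<>();
        for (String pair : url.substring(q + 1).split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String name = canonicalName(eq < 0 ? pair : pair.substring(0, eq));
            // Drop the whole pair (not just a literal "=true"); undecodable names are dropped as well.
            if (name == null || BLOCKED_NAMES.contains(name) || name.startsWith(BLOCKED_PREFIX)) continue;
            kept.add(pair);
        }
        String base = url.substring(0, q);
        return kept.isEmpty() ? base : base + "?" + String.join("&", kept);
    }

    /** Percent-decodes to a fixpoint (at most 3 rounds, so double encoding is caught) and lower-cases. */
    private static String canonicalName(String raw) {
        String name = raw;
        try {
            for (int i = 0; i < 3; i++) {
                String decoded = URLDecoder.decode(name, "UTF-8");
                if (decoded.equals(name)) break;
                name = decoded;
            }
        } catch (IllegalArgumentException | UnsupportedEncodingException e) {
            return null; // malformed percent sequence: fail closed
        }
        return name.trim().toLowerCase(Locale.ROOT);
    }

    public static void main(String[] args) {
        // Constructed test URLs: a mixed-case name, a percent-encoded name and the InPath variant are all removed.
        System.out.println(sanitize("jdbc:mysql://db:3306/app?useSSL=false&AllowLoadLocalInfile=true"));
        System.out.println(sanitize("jdbc:mysql://db:3306/app?allowLoadLocalInfileInPath=/&allow%4CoadLocalInfile=1"));
    }
}
```

An allowlist of the few parameters a connection test legitimately needs is stricter than any deny list and does not need updating when the driver gains new file-access options.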