[bugfix]A bug fix (apache#2853)

Co-authored-by: shown <[email protected]> Co-authored-by: aias00 <[email protected]>
Aias00 · Dec 8, 2024 · 8961cf7 · 8961cf7
1 parent f31909a
commit 8961cf7
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/...asic/src/main/java/org/apache/hertzbeat/collector/collect/database/JdbcCommonCollect.java b/...asic/src/main/java/org/apache/hertzbeat/collector/collect/database/JdbcCommonCollect.java
@@ -292,6 +292,13 @@ private String constructDatabaseUrl(JdbcProtocol jdbcProtocol) {
         if (Objects.nonNull(jdbcProtocol.getUrl())
                 && !Objects.equals("", jdbcProtocol.getUrl())
                 && jdbcProtocol.getUrl().startsWith("jdbc")) {
+            String url = jdbcProtocol.getUrl().toLowerCase(); // convert the URL to lowercase for case-insensitive checking
+            // check whether the parameter is valid
+            if (url.contains("create trigger") || url.contains("create alias") || url.contains("runscript from")
+                    || url.contains("allowloadlocalinfile") || url.contains("allowloadlocalinfileinpath")
+                    || url.contains("uselocalinfile")) {
+                throw new IllegalArgumentException("Invalid JDBC URL: contains malicious characters.");
+            }
             // when has config jdbc url, use it 
             return jdbcProtocol.getUrl();
         }