diff --git a/collector/src/main/java/org/apache/hertzbeat/collector/collect/common/ssh/CommonSshBlacklist.java b/collector/src/main/java/org/apache/hertzbeat/collector/collect/common/ssh/CommonSshBlacklist.java
new file mode 100644
index 00000000000..edbb08649a5
--- /dev/null
+++ b/collector/src/main/java/org/apache/hertzbeat/collector/collect/common/ssh/CommonSshBlacklist.java
@@ -0,0 +1,114 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hertzbeat.collector.collect.common.ssh;
+
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+
+/**
+ * Command blacklist
+ */
+public class CommonSshBlacklist {
+
+ private static final Set BLACKLIST;
+
+ static {
+ Set tempSet = new HashSet<>();
+ initializeDefaultBlacklist(tempSet);
+ BLACKLIST = Collections.unmodifiableSet(tempSet);
+ }
+
+ private CommonSshBlacklist() {
+ // Prevent instantiation
+ }
+
+ private static void initializeDefaultBlacklist(Set blacklist) {
+ // Adding default dangerous commands to blacklist
+ blacklist.add("rm ");
+ blacklist.add("mv ");
+ blacklist.add("cp ");
+ blacklist.add("ln ");
+ blacklist.add("dd ");
+ blacklist.add("tar ");
+ blacklist.add("zip ");
+ blacklist.add("bzip2 ");
+ blacklist.add("bunzip2 ");
+ blacklist.add("xz ");
+ blacklist.add("unxz ");
+ blacklist.add("kill ");
+ blacklist.add("killall ");
+ blacklist.add("reboot");
+ blacklist.add("shutdown");
+ blacklist.add("poweroff");
+ blacklist.add("init 0");
+ blacklist.add("init 6");
+ blacklist.add("telinit 0");
+ blacklist.add("telinit 6");
+ blacklist.add("systemctl halt");
+ blacklist.add("systemctl suspend");
+ blacklist.add("systemctl hibernate");
+ blacklist.add("service reboot");
+ blacklist.add("service shutdown");
+ blacklist.add("crontab -e");
+ blacklist.add("visudo");
+ blacklist.add("useradd");
+ blacklist.add("userdel");
+ blacklist.add("usermod");
+ blacklist.add("groupadd");
+ blacklist.add("groupdel");
+ blacklist.add("groupmod");
+ blacklist.add("passwd");
+ blacklist.add("su ");
+ blacklist.add("sudo ");
+ blacklist.add("mount ");
+ blacklist.add("parted");
+ blacklist.add("mkpart");
+ blacklist.add("partprobe");
+ blacklist.add("iptables");
+ blacklist.add("firewalld");
+ blacklist.add("nft");
+ blacklist.add("nc ");
+ blacklist.add("netcat");
+ blacklist.add("ssh ");
+ blacklist.add("scp ");
+ blacklist.add("rsync");
+ blacklist.add("ftp ");
+ blacklist.add("sftp ");
+ blacklist.add("telnet ");
+ blacklist.add("chmod ");
+ blacklist.add("chattr ");
+ blacklist.add("dd ");
+ blacklist.add("mknod");
+ blacklist.add("losetup");
+ blacklist.add("cryptsetup");
+ }
+
+ public static boolean isCommandBlacklisted(String command) {
+ if (command == null || command.trim().isEmpty()) {
+ throw new IllegalArgumentException("Command cannot be null or empty");
+ }
+ String trimmedCommand = command.trim();
+ return BLACKLIST.stream().anyMatch(trimmedCommand::contains);
+ }
+
+ public static Set getBlacklist() {
+ return BLACKLIST;
+ }
+
+}
diff --git a/collector/src/main/java/org/apache/hertzbeat/collector/collect/ssh/SshCollectImpl.java b/collector/src/main/java/org/apache/hertzbeat/collector/collect/ssh/SshCollectImpl.java
index fddbf7abffb..dfed8e7a6c3 100644
--- a/collector/src/main/java/org/apache/hertzbeat/collector/collect/ssh/SshCollectImpl.java
+++ b/collector/src/main/java/org/apache/hertzbeat/collector/collect/ssh/SshCollectImpl.java
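Review bot: `isCommandBlacklisted` decides with `anyMatch(trimmedCommand::contains)`, so every entry is matched as a substring anywhere in the script: read-only monitoring commands such as `cat /etc/passwd`, `iptables -L -n` or `grep 'rm ' /var/log/auth.log` are rejected, while `busybox rm -rf /tmp/x`, `find /var -delete`, `sh -c "$(echo cm0= | base64 -d) ..."` or `echo key >> ~/.ssh/authorized_keys` pass untouched. A substring denylist cannot be made complete, so the class Javadoc (currently just "Command blacklist") should state that this is a best-effort guard against accidentally destructive scripts and that the privileges of the SSH account (unprivileged user, restricted shell or forced command) remain the real security control. Matching should at least be anchored to the command word of each simple command, so that the command name rather than an argument is what triggers; a sketch follows, assuming `BLACKLIST` is a `Set<String>` (the type arguments look stripped in this rendering). Minor: `"dd "` is added twice, which the `Set` silently absorbs.
```java
    public static boolean isCommandBlacklisted(String command) {
        if (command == null || command.trim().isEmpty()) {
            throw new IllegalArgumentException("Command cannot be null or empty");
        }
        // Split on shell list/pipeline operators and newlines, then compare each
        // blacklist entry against the start of the simple command (basename of its
        // first word), so "rm " catches "/bin/rm -rf /" but not "grep 'rm ' log".
        // Still best-effort: subshells, eval, xargs, busybox etc. are not resolved.
        for (String segment : command.split("\\|\\||&&|[;|&\\n]")) {
            String simple = segment.trim();
            if (simple.isEmpty()) {
                continue;
            }
            String[] words = simple.split("\\s+", 2);
            String name = words[0].substring(words[0].lastIndexOf('/') + 1);
            String normalized = words.length > 1 ? name + " " + words[1].trim() : name;
            for (String entry : BLACKLIST) {
                if (normalized.equals(entry.trim()) || normalized.startsWith(entry)) {
                    return true;
                }
            }
        }
        return false;
    }
```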
@@ -38,6 +38,7 @@
 import org.apache.hertzbeat.collector.collect.common.cache.CacheIdentifier;
 import org.apache.hertzbeat.collector.collect.common.cache.ConnectionCommonCache;
 import org.apache.hertzbeat.collector.collect.common.cache.SshConnect;
+import org.apache.hertzbeat.collector.collect.common.ssh.CommonSshBlacklist;
 import org.apache.hertzbeat.collector.collect.common.ssh.CommonSshClient;
 import org.apache.hertzbeat.collector.dispatch.DispatchConstants;
 import org.apache.hertzbeat.collector.util.CollectUtil;
@@ -85,6 +86,7 @@ public void preCheck(Metrics metrics) throws IllegalArgumentException {
 @Override
 public void collect(CollectRep.MetricsData.Builder builder, long monitorId, String app, Metrics metrics) {
+ long startTime = System.currentTimeMillis();
 SshProtocol sshProtocol = metrics.getSsh();
 boolean reuseConnection = Boolean.parseBoolean(sshProtocol.getReuseConnection());
@@ -93,6 +95,12 @@ public void collect(CollectRep.MetricsData.Builder builder, long monitorId, Stri
 ClientSession clientSession = null;
 try {
 clientSession = getConnectSession(sshProtocol, timeout, reuseConnection);
+ if (CommonSshBlacklist.isCommandBlacklisted(sshProtocol.getScript())) {
+ builder.setCode(CollectRep.Code.FAIL);
+ builder.setMsg("The command is blacklisted: " + sshProtocol.getScript());
+ log.warn("The command is blacklisted: {}", sshProtocol.getScript());
+ return;
+ }
 channel = clientSession.createExecChannel(sshProtocol.getScript());
 ByteArrayOutputStream response = new ByteArrayOutputStream();
 channel.setOut(response);
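Review bot: The blacklist check on `sshProtocol.getScript()` runs after `getConnectSession(...)` has already opened or borrowed an SSH session, so a rejected script still pays for a connection on every collection cycle even though the script is static monitor configuration that could be rejected once, in `preCheck(Metrics)` (visible in the hunk header). Moving it there also sidesteps the question of whether the early `return` reaches the session/channel cleanup, which presumably lives in a `finally` outside this hunk and is worth confirming for the `reuseConnection == false` path. `isCommandBlacklisted` throws `IllegalArgumentException` on a null or blank script, and inside this `try` that surfaces however the surrounding catch treats it rather than as a clear configuration error. In `preCheck` the check becomes `if (CommonSshBlacklist.isCommandBlacklisted(metrics.getSsh().getScript())) { throw new IllegalArgumentException("The command is blacklisted: " + metrics.getSsh().getScript()); }`, leaving the collect path unchanged. The body of `collect` continues outside the hunk.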