Merge branch 'dev-1.10.0-webank' into dev-1.10.0-bug-fix

WeDataSphere · Jan 8, 2025 · 9e600c3 · 9e600c3
2 parents 8c74f79 + 5d7500e
commit 9e600c3
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 1 deletion.
diff --git a/...nhancements/linkis-udf-service/src/main/java/org/apache/linkis/udf/api/UDFRestfulApi.java b/...nhancements/linkis-udf-service/src/main/java/org/apache/linkis/udf/api/UDFRestfulApi.java
@@ -1447,6 +1447,10 @@ public Message pythonUpload(
   @RequestMapping(path = "/get-register-functions", method = RequestMethod.GET)
   public Message getRegisterFunctions(HttpServletRequest req, @RequestParam("path") String path)
       throws IOException {
+    // 使用正则校验path,防止命令注入漏洞
+    if (!path.matches("^[a-zA-Z0-9_.-/]+$")) {
+      return Message.error("path参数格式错误");
+    }
     if (StringUtils.endsWithIgnoreCase(path, Constants.FILE_EXTENSION_PY)
         || StringUtils.endsWithIgnoreCase(path, Constants.FILE_EXTENSION_SCALA)) {
       if (StringUtils.startsWithIgnoreCase(path, StorageUtils$.MODULE$.FILE_SCHEMA())) {

diff --git a/...c-enhancements/linkis-udf-service/src/main/java/org/apache/linkis/udf/utils/UdfUtils.java b/...c-enhancements/linkis-udf-service/src/main/java/org/apache/linkis/udf/utils/UdfUtils.java
@@ -325,7 +325,7 @@ public static List<String> extractPythonMethodNames(String udfPath) throws Excep
         Utils.exec(
             (new String[] {
               "sudo",
-              Constants.PYTHON_COMMAND.getValue(),
+              Constants.PYTHON_PATH.getValue(),
               Configuration.getLinkisHome() + "/admin/" + "linkis_udf_get_python_methods.py",
               localPath
             }));