[SECURITY] Block JDBC URL-option injection via DB2 instance field#5450
Merged
casionone merged 1 commit into … on Jun 26, 2026
9dc6a68 to 338302f
…ce/database field
The DB2 SqlConnection classes interpolate the user-supplied instance
value directly into the JDBC URL via String.format("jdbc:db2://%s:%s/%s", ...).
A value containing URL option separators (e.g. "SAMPLE:traceLevel=1;")
becomes "jdbc:db2://host:port/SAMPLE:traceLevel=1;", letting the database
segment toggle DB2 driver options (traceLevel/traceFile/traceDirectory/
traceFileAppend) that bypass the Properties denylist. Same class of issue
affects SQL Server (';' separator), Oracle (service-name slot), and the
mysql:// family.
Adds four layers of defense:
1. SecurityUtils.checkDatabaseIsSafe(JdbcDriverType, database) rejects
URL-option separators per driver family:
DB2 -> : ; ? # &
SQLSERVER -> ; ? # &
ORACLE -> ? # &
PG/MySQL/CK/DM/etc -> ? # & /
2. Expand JDBC_DB2_BLOCKED_PARAMS with traceLevel/traceFile/
traceDirectory/traceFileAppend so Properties-based injection of the
same logging options is also blocked (defense in depth).
3. Backfill value_regex for the `instance` field of every JDBC data
source in linkis_dml.sql. RegExpParameterValidateStrategy skips
validation when value_regex is NULL, so the previous schema offered
no first-line defense. New regex: ^[A-Za-z0-9_.-]+$
4. Same regex backfilled via UPDATE in the 1.9.0 upgrade script for
existing installs.
5. 6 new unit tests covering the DB2 database segment, the SQL Server
and MySQL variants, benign-database sanity, and the expanded DB2
denylist. All 24 tests in SecurityUtilsTest pass.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
338302f to 099767b
What is the purpose of the change

Follow-up to #5449 that closes a remaining JDBC URL-option injection sink reported separately against the DB2 `instance` field. The DB2 SqlConnection classes interpolate the user-supplied instance value directly into the URL via `String.format("jdbc:db2://%s:%s/%s", ...)`, so a malicious value like `SAMPLE:traceLevel=1;` becomes `jdbc:db2://host:port/SAMPLE:traceLevel=1;`. The CVE-2023-49566 fix in #5449 denylisted `clientRerouteServerListJNDIName` etc. when they arrive via Properties, but a value smuggled through the URL database segment bypasses Properties entirely and reaches driver options like `traceLevel`/`traceFile`/`traceDirectory`/`traceFileAppend` that allow arbitrary file writes. Same class of issue affects SQL Server (`;` separator), Oracle (service-name slot), and the `jdbc:mysql://` family (`?`/`&`).

This PR adds four layers of defense:

1. Runtime validation (primary fix). New `SecurityUtils.checkDatabaseIsSafe(JdbcDriverType, database)` rejects URL-option separators per driver family. Called from the generic `checkJdbcConnParams` path used by every non-MySQL SqlConnection.
   - DB2: `: ; ? # &` (matches the advisory's PoC)
   - SQL Server: `; ? # &`
   - Oracle: `? # &`
   - PG/MySQL/CK/DM/etc.: `? # & /`
2. Expanded DB2 denylist. `JDBC_DB2_BLOCKED_PARAMS` now also includes `traceLevel`, `traceFile`, `traceDirectory`, `traceFileAppend` so Properties-based injection of the same logging options is blocked too.
3. Schema-layer validation. Backfill `value_regex` for the `instance` field of every JDBC data source in `linkis_dml.sql`. `RegExpParameterValidateStrategy` skips validation when `value_regex` is NULL, so the existing schema offered no first-line defense. New regex `^[A-Za-z0-9_.-]+$`.
4. Upgrade SQL. Same regex backfilled via `UPDATE ... WHERE key='instance' AND value_regex IS NULL` in the 1.9.0 upgrade script for existing installs.

Tests

6 new unit tests covering the DB2 database segment (`SAMPLE:traceLevel=1;` and `SAMPLE:traceFile=/tmp/evil;`), the single-character variants for each forbidden char, the SQL Server and MySQL variants, benign-database sanity across all driver families, and the expanded DB2 denylist. All 24 tests in `SecurityUtilsTest` pass.

Relation to prior work
🤖 Generated with Claude Code
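As an added illustration (not code from this PR or from Linkis), the per-driver separator check and the schema-layer regex described above, run against the PoC values quoted in the description; the `JdbcDriverType` enum, the separator map and both method bodies are assumptions modelled on the PR text, not the project's implementation:

```java
import java.util.Map;
import java.util.regex.Pattern;

// Added illustration, not Linkis code: the per-driver separator check and the
// schema-layer regex from this PR, run against the PoC values in the description.
public class DatabaseSegmentCheck {
    // Hypothetical stand-in for the project's JdbcDriverType enum.
    enum JdbcDriverType { DB2, SQLSERVER, ORACLE, POSTGRESQL, MYSQL }

    // URL-option separators rejected per driver family, as listed in the PR.
    static final Map<JdbcDriverType, String> FORBIDDEN = Map.of(
        JdbcDriverType.DB2,        ":;?#&",
        JdbcDriverType.SQLSERVER,  ";?#&",
        JdbcDriverType.ORACLE,     "?#&",
        JdbcDriverType.POSTGRESQL, "?#&/",
        JdbcDriverType.MYSQL,      "?#&/");

    // Schema-layer value_regex the PR backfills for the `instance` field.
    static final Pattern INSTANCE_REGEX = Pattern.compile("^[A-Za-z0-9_.-]+$");

    // Runtime check (primary fix): any separator for the family is rejected.
    static void checkDatabaseIsSafe(JdbcDriverType type, String database) {
        String forbidden = FORBIDDEN.get(type);
        for (char c : database.toCharArray()) {
            if (forbidden.indexOf(c) >= 0) {
                throw new IllegalArgumentException(
                    "database segment contains forbidden character '" + c + "'");
            }
        }
    }

    // Schema-layer check: what RegExpParameterValidateStrategy enforces once
    // value_regex is no longer NULL.
    static boolean passesSchemaRegex(String instance) {
        return INSTANCE_REGEX.matcher(instance).matches();
    }

    public static void main(String[] args) {
        String[] inputs = {"SAMPLE", "SAMPLE:traceLevel=1;", "SAMPLE:traceFile=/tmp/evil;"};
        for (String db : inputs) {
            // The interpolation the PR describes, shown to make visible what would
            // reach the driver if both checks were absent (host/port are constructed).
            String url = String.format("jdbc:db2://%s:%s/%s", "host", "50000", db);
            boolean runtimeOk;
            try { checkDatabaseIsSafe(JdbcDriverType.DB2, db); runtimeOk = true; }
            catch (IllegalArgumentException e) { runtimeOk = false; }
            System.out.printf("%-28s regex=%-5b runtime=%-5b url=%s%n",
                db, passesSchemaRegex(db), runtimeOk, url);
        }
    }
}
```

Only the benign `SAMPLE` value passes both layers; the two PoC values are rejected by the regex and by the DB2 separator set independently, which is the defense-in-depth the PR relies on.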