Add validations of possible malicious keys (#11966)

dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/main/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessor.java

@@ -26,8 +26,11 @@ import org.apache.commons.collections4.MapUtils;
 
 import java.text.MessageFormat;
 import java.util.Map;
+import java.util.Set;
 import java.util.regex.Pattern;
 
+import com.google.common.collect.Sets;
+
 public abstract class AbstractDataSourceProcessor implements DataSourceProcessor {
 
     private static final Pattern IPV4_PATTERN = Pattern.compile("^[a-zA-Z0-9\\_\\-\\.\\,]+$");
@@ -38,6 +41,8 @@ public abstract class AbstractDataSourceProcessor implements DataSourceProcessor
 
     private static final Pattern PARAMS_PATTER = Pattern.compile("^[a-zA-Z0-9\\-\\_\\/\\@\\.]+$");
 
+    private static final Set<String> POSSIBLE_MALICIOUS_KEYS = Sets.newHashSet("allowLoadLocalInfile");
+
     @Override
     public void checkDatasourceParam(BaseDataSourceParamDTO baseDataSourceParamDTO) {
         checkHost(baseDataSourceParamDTO.getHost());
@@ -76,6 +81,9 @@ public abstract class AbstractDataSourceProcessor implements DataSourceProcessor
         if (MapUtils.isEmpty(other)) {
             return;
         }
+        if (!Sets.intersection(other.keySet(), POSSIBLE_MALICIOUS_KEYS).isEmpty()) {
+            throw new IllegalArgumentException("Other params include possible malicious keys.");
+        }
         boolean paramsCheck = other.entrySet().stream().allMatch(p -> PARAMS_PATTER.matcher(p.getValue()).matches());
         if (!paramsCheck) {
             throw new IllegalArgumentException("datasource other params illegal");
@@ -85,6 +93,7 @@ public abstract class AbstractDataSourceProcessor implements DataSourceProcessor
     @Override
     public String getDatasourceUniqueId(ConnectionParam connectionParam, DbType dbType) {
         BaseConnectionParam baseConnectionParam = (BaseConnectionParam) connectionParam;
-        return MessageFormat.format("{0}@{1}@{2}@{3}", dbType.getDescp(), baseConnectionParam.getUser(), PasswordUtils.encodePassword(baseConnectionParam.getPassword()), baseConnectionParam.getJdbcUrl());
+        return MessageFormat.format("{0}@{1}@{2}@{3}", dbType.getDescp(), baseConnectionParam.getUser(),
+                PasswordUtils.encodePassword(baseConnectionParam.getPassword()), baseConnectionParam.getJdbcUrl());
     }
 }

dolphinscheduler-datasource-plugin/dolphinscheduler-datasource-api/src/test/java/org/apache/dolphinscheduler/plugin/datasource/api/datasource/AbstractDataSourceProcessorTest.java

@@ -43,4 +43,12 @@ public class AbstractDataSourceProcessorTest {
         other.put("arg0", "%");
         doThrow(new IllegalArgumentException()).when(mockDataSourceProcessor).checkOther(other);
     }
-}
+
+    @Test
+    public void shouldNotIncludeMaliciousParams() {
+        AbstractDataSourceProcessor mockDataSourceProcessor = mock(AbstractDataSourceProcessor.class);
+        Map<String, String> other = new HashMap<>();
+        other.put("allowLoadLocalInfile", "whatever");
+        doThrow(new IllegalArgumentException()).when(mockDataSourceProcessor).checkOther(other);
+    }
+}