add code limit for zeppline interpreter #1

Open
wants to merge 2 commits into
base: branch-0.10
Expand Up @@ -62,6 +62,13 @@ public InterpreterResult interpret(String code, InterpreterContext context) {
String generatedClassName = "C" + UUID.randomUUID().toString().replace("-", "");

try {

if (code.contains("Runtime.getRuntime().exec")
|| code.contains("ProcessBuilder processBuilder = new ProcessBuilder();")){
return new InterpreterResult(InterpreterResult.Code.ERROR,
"There is not allow exec shell or linux command .");
}

String res = StaticRepl.execute(generatedClassName, code);
return new InterpreterResult(InterpreterResult.Code.SUCCESS, res);
} catch (Exception e) {
25 changes: 25 additions & 0 deletions jdbc/src/main/java/org/apache/zeppelin/jdbc/JDBCInterpreter.java
Expand Up @@ -770,6 +770,18 @@ private InterpreterResult executeSql(String dbPrefix, String sql,
List<String> sqlArray = sqlSplitter.splitSql(sql);
for (String sqlToExecute : sqlArray) {
String sqlTrimmedLowerCase = sqlToExecute.trim().toLowerCase();

if (isNotMatcherWithGioRequest(sqlTrimmedLowerCase)) {


jdbc也只能使用read only账号

String errorMsg = "Deleting databases, deleting tables, empties tables " +
"and alter drop partitioned data are not supported";
return new InterpreterResult(InterpreterResult.Code.ERROR, errorMsg);
}
if (!sqlTrimmedLowerCase.startsWith("insert into") &&
sqlTrimmedLowerCase.contains("select") && !sqlTrimmedLowerCase.contains("where")) {
String errorMsg = "There must have 'where' condition ,you can use where 1=1 ;";
return new InterpreterResult(InterpreterResult.Code.ERROR, errorMsg);
}

if (sqlTrimmedLowerCase.startsWith("set ") ||
sqlTrimmedLowerCase.startsWith("list ") ||
sqlTrimmedLowerCase.startsWith("add ") ||
Expand Down Expand Up @@ -880,6 +892,19 @@ private InterpreterResult executeSql(String dbPrefix, String sql,
return new InterpreterResult(Code.SUCCESS);
}

private boolean isNotMatcherWithGioRequest(String lowQuery){


使用 readonly 用户访问clickhouse

//1. 删库
if (lowQuery.contains("drop database")) return true;
//2. 删表
if (lowQuery.contains("drop table") || lowQuery.contains("truncate table")
|| lowQuery.contains("delete from table")) return true;
//3. 删分区
if (lowQuery.startsWith("alter table") || lowQuery.contains("alter table")) {
if (lowQuery.contains("drop partition")) return true;
}
return false;
}

private List getFirstRow(ResultSet rs) throws SQLException {
List list = new ArrayList();
ResultSetMetaData md = rs.getMetaData();
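Review bot: isNotMatcherWithGioRequest (lines 85–103) decides by raw substring matching on the lowercased statement, so it recognizes only the exact spellings listed — `delete from table` matches that literal rather than a DELETE against an arbitrary table, and any extra whitespace or an inline comment between the keywords leaves a destructive statement unmatched; the same helper is duplicated verbatim in the Spark SQL interpreter file of this PR with the same gap. If the intent is to reject destructive statements, the check should run on a normalized form (whitespace collapsed, comments stripped) and classify by statement type, and the helper should live in one shared place instead of two copies; at minimum `lowQuery.startsWith("alter table") || lowQuery.contains("alter table")` collapses to `lowQuery.contains("alter table")`, since the first term implies the second. The WHERE requirement at lines 72–76 is advisory only, because `contains("where")` is satisfied by the very `where 1=1` the error message recommends, while legitimate reads such as `select count(*) from t` are rejected outright. A Javadoc on the helper along the lines of `/** Best-effort keyword filter for destructive DDL/DML; not an authorization check. */` would make its contract explicit to callers. executeSql begins before and continues past the hunk.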
Expand Up @@ -102,6 +102,17 @@ public InterpreterResult internalInterpret(String st, InterpreterContext context
Method method = sqlContext.getClass().getMethod("sql", String.class);
for (String sql : sqls) {
curSql = sql;
String lowerCaseSql = curSql.toLowerCase();
if(isNotMatcherWithGioRequest(lowerCaseSql)){
String errorMsg = "Deleting databases, deleting tables, " +
"empties tables, and alter drop partitioned data are not supported !";
return new InterpreterResult(InterpreterResult.Code.ERROR, errorMsg);
}
if (!lowerCaseSql.startsWith("insert into") &&
lowerCaseSql.contains("select") && !lowerCaseSql.contains("where")) {
String errorMsg = "There must have 'where' condition ,you can use where 1=1 ;";
return new InterpreterResult(InterpreterResult.Code.ERROR, errorMsg);
}
String result = sparkInterpreter.getZeppelinContext()
.showData(method.invoke(sqlContext, sql), maxResult);
context.out.write(result);
Expand Down Expand Up @@ -150,6 +161,20 @@ public InterpreterResult internalInterpret(String st, InterpreterContext context
return new InterpreterResult(Code.SUCCESS);
}

private boolean isNotMatcherWithGioRequest(String query){
String lowQuery = query.toLowerCase();
//1. 删库
if (lowQuery.contains("drop database")) return true;
//2. 删表
if (lowQuery.contains("drop table") || lowQuery.contains("truncate table")
|| lowQuery.contains("delete from table")) return true;
//3. 删分区
if(lowQuery.startsWith("alter table") || lowQuery.contains("alter table")){
if (lowQuery.contains("drop partition")) return true;
}
return false;
}

@Override
public void cancel(InterpreterContext context) throws InterpreterException {
SparkContext sc = sparkInterpreter.getSparkContext();