dolphinscheduler [Bug] [Pytorch] There is no security check for GitProjectManager.getGitUrl, which could cause command injection

[Bug] [Pytorch] There is no security check for GitProjectManager.getGitUrl, which could cause command injection

Open Liyw979 opened this issue 10 months ago • 1 comments

Search before asking

[X] I had searched in the issues and found no similar issues.

What happened

https://github.com/apache/dolphinscheduler/blob/8fc204940f7be5cf356f63dd223bc599f857fe69/dolphinscheduler-task-plugin/dolphinscheduler-task-pytorch/src/main/java/org/apache/dolphinscheduler/plugin/task/pytorch/GitProjectManager.java#L47-L50 There is no input validation for getGitUrl and users could put shell commands here.

What you expected to happen

ensure the getGitUrl is a valid url

How to reproduce

Anything else

No response

Version

dev

Are you willing to submit PR?

[ ] Yes I am willing to submit a PR!

Code of Conduct

[X] I agree to follow this project's Code of Conduct

Apr 18 '24 10:04 Liyw979

I will solve this problem

Apr 19 '24 02:04 cntigers

dolphinscheduler dolphinscheduler copied to clipboard

[Bug] [Pytorch] There is no security check for GitProjectManager.getGitUrl, which could cause command injection

Search before asking

What happened

What you expected to happen

How to reproduce

Anything else

Version

Are you willing to submit PR?

Code of Conduct

dolphinscheduler
dolphinscheduler copied to clipboard