[PPP-4772] RCE injection via connection's JNDI database name #5674
Conversation
dcleao
requested review from
NJtwentyone,
singletonc,
soagarwal1 and
nawaz34-hitachivantara
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
|
Note:Frogbot also supports Contextual Analysis, Secret Detection, IaC and SAST Vulnerabilities Scanning. This features are included as part of the JFrog Advanced Security package, which isn't enabled on your system. |
✅ Build finished in 24m 18sBuild command: mvn clean verify -B -e -Daudit -Djs.no.sandbox -pl \
assemblies/pentaho-solutions,core👌 All tests passed! Tests run: 570, Failures: 0, Skipped: 0 Test Results ℹ️ This is an automatic message |
| } | ||
|
|
||
| // Always non-null. | ||
| throw firstNe; |
There was a problem hiding this comment.
Sonar is complaining about this potentially being null even though it cannot be. Just mentioning, not a blocker.
| // First, try what they ask for... | ||
| dsName, |
There was a problem hiding this comment.
good java doc comments list of candidatesNames prefixes
|
|
||
| @Test( expected = DBDatasourceServiceException.class ) | ||
| public void testGetJndiDataSourceThrowsGivenNameWithDisallowedJavaScheme() throws Exception { | ||
| // This tests that it is possible to disable the java scheme via configuration! |
| * @throws ClassCastException If the given data source name resolves is that of a resource which does not implement | ||
| * {@link DataSource}. | ||
| */ | ||
| private static DataSource lookupJndiDataSourceByName( Context context, |
There was a problem hiding this comment.
code is really readable and maintainable now.
Issue: https://hv-eng.atlassian.net/browse/PPP-4772
Merge with:
/cc @pentaho/hoth