From 1d0e79c6a9d21e09930808f654fcf8124b8aefe0 Mon Sep 17 00:00:00 2001
From: ilesh Garish
Date: Tue, 3 Nov 2020 16:09:10 +0000
Subject: [PATCH] Fixes from security review
---
 pom.xml | 37 ++++++++++++-------
 .../core/v3/ConnectionFactoryImpl.java | 10 +----
 .../redshift/jdbc/RedshiftResultSet.java | 22 ++++++++++-
 3 files changed, 45 insertions(+), 24 deletions(-)
diff --git a/pom.xml b/pom.xml
index c799dae..700e5e6 100644
--- a/pom.xml
+++ b/pom.xml
@@ -33,6 +33,7 @@ 1.9.1 8.29 + 2.11.3 ${basedir}/dependent_libs -Xmx512m
@@ -76,7 +77,6 @@ httpclient 4.5.2 - org.junit.jupiter junit-jupiter-engine
@@ -400,22 +400,13 @@ true + true com.amazon.redshift.util.RedshiftJDBCMain JDBC ${jdbc.specification.version} Oracle Corporation - aws-java-sdk-core-1.11.118.jar aws-java-sdk-redshift-1.11.118.jar - aws-java-sdk-sts-1.11.118.jar commons-codec-1.9.jar - commons-logging-1.1.3.jar commons-logging-1.2.jar - httpclient-4.5.2.jar httpcore-4.4.4.jar - jackson-annotations-2.10.1.jar jackson-core-2.10.1.jar - jackson-databind-2.10.1.jar jackson-dataformat-cbor-2.10.1.jar - jackson-annotations-2.6.0.jar jackson-core-2.6.6.jar - jackson-databind-2.6.6.jar jackson-dataformat-cbor-2.6.6.jar - joda-time-2.8.1.jar - com.amazon.redshift.jdbc ${project.build.outputDirectory}/META-INF/MANIFEST.MF
@@ -778,7 +769,8 @@ true true true - true + true +
@@ -788,7 +780,26 @@ - + + com.fasterxml.jackson.core + jackson-databind + ${jackson.version} + + + com.fasterxml.jackson.core + jackson-core + ${jackson.version} + + + com.fasterxml.jackson.core + jackson-annotations + ${jackson.version} + + + com.fasterxml.jackson.dataformat + jackson-dataformat-cbor + ${jackson.version} + se.jiderhamn classloader-leak-test-framework
diff --git a/src/main/java/com/amazon/redshift/core/v3/ConnectionFactoryImpl.java b/src/main/java/com/amazon/redshift/core/v3/ConnectionFactoryImpl.java
index 425807e..e967e58 100644
--- a/src/main/java/com/amazon/redshift/core/v3/ConnectionFactoryImpl.java
+++ b/src/main/java/com/amazon/redshift/core/v3/ConnectionFactoryImpl.java
@@ -377,10 +377,6 @@ private List getParametersForStartup(String user, String database, Pro
 if (pluginName != null && pluginName.length() != 0) {
 paramList.add(new String[]{"plugin_name",pluginName});
 }
-
- // Send protocol version as 1, so server can send optimized extended RSMD.
-// paramList.add(new String[]{"client_protocol_version",Integer.toString(EXTENDED_RESULT_METADATA_SERVER_PROTOCOL_VERSION)});
-
 }
 // New parameters
 String replication = RedshiftProperty.REPLICATION.get(info);
@@ -580,7 +576,7 @@ private void doAuthentication(RedshiftStream pgStream, String host, String user,
 case AUTH_REQ_MD5: {
 byte[] md5Salt = pgStream.receive(4);
 if(RedshiftLogger.isEnable()) {
- logger.log(LogLevel.DEBUG, " <=BE AuthenticationReqMD5(salt={0})", Utils.toHexString(md5Salt));
+ logger.log(LogLevel.DEBUG, " <=BE AuthenticationReqMD5");
 }
 if (password == null) {
@@ -593,10 +589,6 @@ private void doAuthentication(RedshiftStream pgStream, String host, String user,
 byte[] digest = MD5Digest.encode(user.getBytes("UTF-8"), password.getBytes("UTF-8"), md5Salt);
- if(RedshiftLogger.isEnable()) {
- logger.log(LogLevel.DEBUG, " FE=> Password(md5digest={0})", new String(digest, "US-ASCII"));
- }
-
 pgStream.sendChar('p');
 pgStream.sendInteger4(4 + digest.length + 1);
 pgStream.send(digest);
diff --git a/src/main/java/com/amazon/redshift/jdbc/RedshiftResultSet.java b/src/main/java/com/amazon/redshift/jdbc/RedshiftResultSet.java
index a09cbcd..c8ad3d8 100644
--- a/src/main/java/com/amazon/redshift/jdbc/RedshiftResultSet.java
+++ b/src/main/java/com/amazon/redshift/jdbc/RedshiftResultSet.java
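Review bot: The AUTH_REQ_MD5 case of doAuthentication in ConnectionFactoryImpl.java (hunk at -580,7) drops the salt from the debug log without recording why, so a later debugging change could reintroduce it. A comment above the new call would pin the intent, for example `// Do not log the salt or the MD5 response: with both, anyone who can read the log can test password guesses offline.`; the same reasoning covers the digest log deleted in the hunk at -593,10. The remaining authentication cases lie outside the diff, so whether they still log challenge or response material cannot be confirmed from here. doAuthentication starts and ends outside both hunks.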
@@ -2114,6 +2114,17 @@ public boolean wasNull() throws SQLException {
 return wasNullFlag;
 }
+ private boolean isCharType(int columnIndex) throws SQLException {
+ int colType = getSQLType(columnIndex);
+
+ return (colType == Types.VARCHAR
+ || colType == Types.CHAR
+ || colType == Types.LONGVARCHAR
+ || colType == Types.NVARCHAR
+ || colType == Types.NCHAR
+ || colType == Types.LONGNVARCHAR);
+ }
+
 @Override
 public String getString(int columnIndex) throws SQLException {
 if (RedshiftLogger.isEnable())
@@ -2125,7 +2136,8 @@ public String getString(int columnIndex) throws SQLException {
 }
 // varchar in binary is same as text, other binary fields are converted to their text format
- if (isBinary(columnIndex) && getSQLType(columnIndex) != Types.VARCHAR) {
+ if (isBinary(columnIndex)
+ && !isCharType(columnIndex)) {
 Field field = fields[columnIndex - 1];
 Object obj = internalGetObject(columnIndex, field);
 if (obj == null) {
@@ -2230,7 +2242,12 @@ public boolean getBoolean(int columnIndex) throws SQLException {
 int col = columnIndex - 1;
 if (Oid.BOOL == fields[col].getOID()) {
 final byte[] v = thisRow.get(col);
- return (1 == v.length) && (116 == v[0]); // 116 = 't'
+ if (isBinary(columnIndex)) {
+ return (1 == v.length) && (1 == v[0]);
+ }
+ else {
+ return (1 == v.length) && (116 == v[0]); // 116 = 't'
+ }
 }
 if (isBinary(columnIndex)) {
@@ -3367,6 +3384,7 @@ private long readLongValue(byte[] bytes, int oid, long minVal, long maxVal, Stri
 val = ByteConverter.int2(bytes, 0);
 break;
 case Oid.INT4:
+ case Oid.OID:
 val = ByteConverter.int4(bytes, 0);
 break;
 case Oid.INT8:
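Review bot: isCharType, added in the hunk at -2114,6, has no comment saying why these six java.sql.Types values are grouped, and the context comment above its only visible caller in getString (hunk at -2125,7) still reads `varchar in binary is same as text`. I would document the helper with something like `/** True when the column's SQL type is a character type, whose binary wire format is the same as its text format. */` and reword the getString comment to `// character types in binary are the same as text, other binary fields are converted to their text format`. That the two encodings match for all six types is inferred from the existing comment and the new condition rather than shown in the diff, so it is worth confirming for the N* types. getString continues outside the hunk.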
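Review bot: In getBoolean (hunk at -2230,7) the two new return statements differ only in the byte that means true, and the binary value `1` has no comment to match the existing `// 116 = 't'`. A single return keeps the length check in one place: `final byte trueByte = isBinary(columnIndex) ? (byte) 1 : (byte) 't';` followed by `return (1 == v.length) && (trueByte == v[0]);`. v is dereferenced without a null check in both branches; whether SQL NULL is handled earlier cannot be seen, because getBoolean starts outside the hunk.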
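Review bot: The new `case Oid.OID:` in readLongValue (hunk at -3367,6) falls through to `ByteConverter.int4(bytes, 0)`, which presumably returns a signed int, while a PostgreSQL-style OID is an unsigned 32-bit value. If so, an OID at or above 2^31 would come back negative and then either be returned wrong or be rejected by whatever range check uses minVal and maxVal. Giving OID its own branch avoids that: `case Oid.OID:` `val = ByteConverter.int4(bytes, 0) & 0xFFFFFFFFL;` `break;`. The declaration of val and the rest of the switch are outside the hunk, so the return type of int4 should be confirmed first.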