
Heuristic:Apache Dolphinscheduler JDBC Security Blocklist

From Leeroopedia




Knowledge Sources
Domains: Security, Data_Integration
Last Updated: 2026-02-10 10:00 GMT

Overview

Security blocklist for JDBC connection parameters: blocks `allowLoadLocalInfile` to prevent local file read attacks via MySQL's LOAD DATA LOCAL INFILE feature.

Description

DolphinScheduler's `AbstractDataSourceProcessor` maintains a blocklist of potentially malicious JDBC parameters that users cannot pass through the datasource configuration UI. Currently, the blocklist contains `allowLoadLocalInfile`, a MySQL JDBC parameter that enables the `LOAD DATA LOCAL INFILE` SQL statement. This statement reads files from the client side of the connection, which here is the DolphinScheduler server, so a user who creates a malicious datasource connection could use it to read arbitrary files from that server's filesystem.

Additionally, all parameter keys and values are validated against regex patterns to prevent injection attacks. Host addresses are validated against IPv4/IPv6 patterns, and database names are restricted to alphanumeric characters, underscores, hyphens, and dots.

Usage

Apply this heuristic when adding new datasource types or reviewing datasource security. Any new JDBC parameter that could enable file system access, code execution, or network access should be added to the `POSSIBLE_MALICIOUS_KEYS` set. The blocklist is checked in `checkOther()` before any connection is established.

The Insight (Rule of Thumb)

  • Action: Never allow users to pass `allowLoadLocalInfile` (or similar dangerous JDBC parameters) through the datasource configuration.
  • Value: Blocklist: `{"allowLoadLocalInfile"}`. Validation regex for params: `^[a-zA-Z0-9\-\_\/\@\.\:]+$`.
  • Trade-off: Blocks legitimate use of `LOAD DATA LOCAL INFILE` for bulk data loading. Users needing this feature must configure it directly in the database server, not through DolphinScheduler.

Reasoning

MySQL's `allowLoadLocalInfile=true` JDBC parameter enables `LOAD DATA LOCAL INFILE`, which reads files from the client machine (the DolphinScheduler server). An attacker with datasource creation privileges could craft a connection that reads `/etc/passwd`, application configuration files, or private keys from the server. This is a well-known MySQL attack vector documented by OWASP and CVE databases.

Code evidence from `AbstractDataSourceProcessor.java:54`:

```java
private static final Set<String> POSSIBLE_MALICIOUS_KEYS = Sets.newHashSet("allowLoadLocalInfile");
```

Blocklist check from `AbstractDataSourceProcessor.java:94-101`:

```java
protected void checkOther(Map<String, String> other) {
    if (MapUtils.isEmpty(other)) {
        return;
    }
    if (!Sets.intersection(other.keySet(), POSSIBLE_MALICIOUS_KEYS).isEmpty()) {
        throw new IllegalArgumentException("Other params include possible malicious keys.");
    }
    // the method continues with the per-entry pattern check in the next excerpt
```

Parameter validation from `AbstractDataSourceProcessor.java:103-107` (the excerpt shown matches each key against `PARAMS_PATTER`):

```java
for (Map.Entry<String, String> entry : other.entrySet()) {
    if (!PARAMS_PATTER.matcher(entry.getKey()).matches()) {
        throw new IllegalArgumentException("datasource other params: " + entry.getKey() + " illegal");
    }
}
```
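One way to apply the blocklist and the parameter pattern together when reviewing a datasource's extra parameters, as an added example that is not DolphinScheduler's own code. The class `JdbcParamCheck` and the method `violations` are hypothetical; the example assumes values are checked with the same pattern as keys, compares blocklisted keys case-insensitively (an added hardening choice), and reports every violation instead of throwing on the first.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

// Added example (hypothetical class, not DolphinScheduler code). Requires Java 9+.
public class JdbcParamCheck {
    // Blocklist entry from the page, stored lower-case: comparing case-insensitively
    // is a hardening choice of this example, not behaviour shown on the page.
    static final Set<String> BLOCKED = Set.of("allowloadlocalinfile");
    // Parameter pattern quoted in "The Insight" section of the page.
    static final Pattern PARAMS = Pattern.compile("^[a-zA-Z0-9\\-\\_\\/\\@\\.\\:]+$");

    /** Returns every violation found; an empty list means the map passed. */
    static List<String> violations(Map<String, String> other) {
        List<String> out = new ArrayList<>();
        if (other == null) {
            return out;
        }
        for (Map.Entry<String, String> e : other.entrySet()) {
            String key = e.getKey();
            String value = e.getValue();
            if (key == null || !PARAMS.matcher(key).matches()) {
                out.add("illegal key: " + key);
            } else if (BLOCKED.contains(key.toLowerCase(Locale.ROOT))) {
                out.add("blocklisted key: " + key);
            }
            if (value == null || !PARAMS.matcher(value).matches()) {
                out.add("illegal value for key: " + key);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from a real deployment.
        Map<String, String> other = new LinkedHashMap<>();
        other.put("useSSL", "true");               // passes both checks
        other.put("allowLoadLocalInfile", "true"); // blocklisted key
        other.put("characterEncoding", "UTF 8");   // space is outside the allowed set
        violations(other).forEach(System.out::println);
    }
}
```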

Host validation patterns from `AbstractDataSourceProcessor.java:46-48`:

```java
private static final Pattern IPV4_PATTERN = Pattern.compile("^[a-zA-Z0-9\\_\\-\\.\\,]+$");
private static final Pattern IPV6_PATTERN = Pattern.compile("^[a-zA-Z0-9\\_\\-\\.\\:\\[\\]\\,]+$");
```
