Principle:Apache Dolphinscheduler Parameter Validation And Transformation
| Knowledge Sources | |
|---|---|
| Domains | Data_Integration, Security |
| Last Updated | 2026-02-10 00:00 GMT |
Overview
A security-focused validation and transformation pipeline that sanitizes datasource parameters against injection attacks, validates connection details, and transforms user input into secure internal connection parameters with encoded passwords.
Description
The Parameter Validation and Transformation principle provides a multi-layer defense for datasource configuration. AbstractDataSourceProcessor.checkDatasourceParam() validates: (1) host against IPv4/IPv6 patterns to prevent host injection, (2) database name against an allowed character pattern, and (3) other parameters against a blocklist of known malicious JDBC parameters (allowLoadLocalInfile, autoDeserialize, allowLocalInfile, allowUrlInLocalInfile) that could enable file read attacks or deserialization exploits.
After validation, the transformation step creates a ConnectionParam with the password encoded via PasswordUtils.encodePassword() (XOR with configurable salt, then Base64) and the JDBC URL constructed from individual components.
Usage
Validation is mandatory for all datasource operations. It is called automatically by the DataSourceUtils.checkDatasourceParam() facade. The transformation is performed by the processor's createConnectionParams() method.
Theoretical Basis
The validation follows Defense in Depth with multiple validation layers:

    checkDatasourceParam(dto):
        checkHost(dto.host)              // Layer 1: IP/hostname validation
        checkDatabasePatter(dto.db)      // Layer 2: Database name pattern
        checkOther(dto.other)            // Layer 3: Block malicious JDBC params

    transform(dto) -> ConnectionParam:
        param.password = PasswordUtils.encodePassword(dto.password)  // XOR + Base64
        param.jdbcUrl = buildUrl(dto.host, dto.port, dto.database)
        param.driverClassName = getDatasourceDriver()
        return param
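
The three validation layers described above, as an added Java example that is not DolphinScheduler's own code. The class name DatasourceParamCheck, the regexes and the sample inputs are assumptions made for illustration; the blocklist keys are the ones named on this page, compared case-insensitively as a defensive choice.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

public class DatasourceParamCheck {
    // Assumed, simplified patterns; the project's own regexes are not shown on this page.
    static final Pattern IPV4 = Pattern.compile(
        "^((25[0-5]|2[0-4]\\d|1?\\d?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1?\\d?\\d)$");
    static final Pattern IPV6 = Pattern.compile("^[0-9a-fA-F:]{2,39}$");
    static final Pattern DATABASE = Pattern.compile("^[a-zA-Z0-9_\\-.]+$");
    // Blocklist keys as listed on this page, lower-cased for comparison.
    static final Set<String> BLOCKED = Set.of("allowloadlocalinfile",
        "autodeserialize", "allowlocalinfile", "allowurlinlocalinfile");

    static void checkHost(String host) {            // Layer 1
        if (host == null || !(IPV4.matcher(host).matches() || IPV6.matcher(host).matches()))
            throw new IllegalArgumentException("illegal host");
    }

    static void checkDatabase(String db) {          // Layer 2
        if (db == null || !DATABASE.matcher(db).matches())
            throw new IllegalArgumentException("illegal database name");
    }

    static void checkOther(Map<String, String> other) {   // Layer 3
        if (other == null) return;
        for (String key : other.keySet())
            // Locale.ROOT avoids locale-specific case mapping (e.g. Turkish dotless i).
            if (BLOCKED.contains(key.trim().toLowerCase(Locale.ROOT)))
                throw new IllegalArgumentException("blocked JDBC parameter: " + key);
    }

    static String validate(String host, String db, Map<String, String> other) {
        try {
            checkHost(host); checkDatabase(db); checkOther(other);
            return "ACCEPT";
        } catch (IllegalArgumentException e) {
            return "REJECT (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one clean request, then one failure per layer.
        System.out.println(validate("10.0.0.5", "orders_db", Map.of("useSSL", "true")));
        System.out.println(validate("10.0.0.5:3306/x?autoDeserialize=true", "orders_db", Map.of()));
        System.out.println(validate("10.0.0.5", "orders?allowLocalInfile=true", Map.of()));
        System.out.println(validate("10.0.0.5", "orders_db", Map.of("AutoDeserialize", "true")));
    }
}
```

Because the JDBC URL is built from the individual components after validation, the host and database checks matter as much as the blocklist: a blocked parameter placed in either field would otherwise reach the URL without passing through the third layer.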