[ZEPPELIN-6204] do not allow init params in JDBC URLs for H2

[pjfanning]

What is this PR for?

ZEPPELIN-6204

Slight tidy of the existing disallow list for strings in JDBC urls so that they are checked against just the query params and not the hostname in the URL.

What type of PR is it?

Bug Fix

Todos

• - Task

What is the Jira issue?

• Open an issue on Jira https://issues.apache.org/jira/browse/ZEPPELIN/
• Put link here, and add [ZEPPELIN-Jira number] in PR title, eg. [ZEPPELIN-533]

How should this be tested?

• Strongly recommended: add automated unit tests for any new or changed behavior
• Outline any manual steps to test the PR here.

Screenshots (if appropriate)

Questions:

• Does the license files need to update? no
• Is there breaking changes for older versions? no
• Does this needs documentation? no

[Reamer]

I don't know whether we are preventing features that others want to use with these changes.

Doesn't it make more sense to secure the H2 server according to the requirements? After all, Zeppelin is just one JDBC client of many.

[pjfanning]

@Reamer @jongyoul is it ok to consider this for merge now? There are probably a few more query params that could be added to the disallow list but this covers some of the more commonly mentioned ones.

[tbonelee]

Just a small thought. I was wondering if decoding the full URL before parsing could lead to unexpected behavior in some edge cases. For example, if a parameter value contains encoded characters like %26 (&) or %3D (=), decoding them too early might interfere with how the parameters are parsed.

I’m not sure if values like passwords are actually allowed or commonly used in this context, so this might not be relevant. But I thought it was worth mentioning just in case. 🙏

[seung-00]

could be nice to group these into a Set.

[pjfanning]

I'm happy to stick with the existing code style.

[seung-00]

could be a bit faster if the regex was cached to avoid rebuilding every time

[pjfanning]

the cost of this regex will be tiny compared to the I/O cost of using JDBC commands so I'm not very interested in optimising every line of code here

[pjfanning]

Just a small thought. I was wondering if decoding the full URL before parsing could lead to unexpected behavior in some edge cases. For example, if a parameter value contains encoded characters like %26 (&) or %3D (=), decoding them too early might interfere with how the parameters are parsed.

I’m not sure if values like passwords are actually allowed or commonly used in this context, so this might not be relevant. But I thought it was worth mentioning just in case. 🙏

The code in this PR ignores the param values. It only worries about the param names.
The original URL as entered by the user is passed to the JDBC layer - my code splits up the URL but only for my checks for suspicious param names.

[tbonelee]

@pjfanning Thanks for the clarification. I took a closer look and you're right. Decoding encoded special characters in values before validation would at most introduce an extra key, but it does not interfere with the parsing of subsequent parameters. I had initially worried about false negatives (i.e. cases where disallowed parameters might go undetected), but that doesn't seem to be the case. Thanks again, and sorry for the confusion.

[pjfanning]

@jongyoul @Reamer would you be able to review this change?

[pjfanning]

@jongyoul @Reamer would you be able to review this change? I think this fixes a couple of issues in the existing implementation.

[Reamer]

LGTM

[pjfanning]

@jongyoul do you think this could be merged?

[jongyoul]

LGTM

[pjfanning]

@jongyoul @Reamer I am not a committer so can't merge this. Would either of you be in a position to do so?

[tbonelee]

I’ve merged this into master.
Since I considered it a breaking change, I didn’t include it in branch-0.12.
Do you think it needs to be backported?

[pjfanning]

Thanks @tbonelee - I would regard it more as a bug fix or fixes. It shouldn't change the behaviour for any use cases that we want to support.