Follow up on GH-16622 - handle also string with URL encoding characters (#16631)

valenad1 · web-flow · commit 0298ee348f5c · 2025-07-15T12:09:39.000+02:00
diff --git a/h2o-core/src/main/java/water/jdbc/SQLManager.java b/h2o-core/src/main/java/water/jdbc/SQLManager.java
@@ -4,6 +4,7 @@
 import water.fvec.*;
 import water.parser.ParseDataset;
 import water.util.Log;
+import water.util.StringUtils;
 
 import java.io.UnsupportedEncodingException;
 import java.net.URI;
@@ -614,11 +615,29 @@ public static void validateJdbcUrl(String jdbcUrl) throws IllegalArgumentExcepti
       throw new IllegalArgumentException("JDBC URL is null or empty");
     }
 
-    if (!jdbcUrl.toLowerCase().startsWith("jdbc:")) {
+    String previous = null;
+    String jdbcUrlDecode = jdbcUrl;
+    try {
+      for (int i = 0; i < 10; i++) {
+        previous = jdbcUrlDecode;
+        jdbcUrlDecode = URLDecoder.decode(jdbcUrlDecode, "UTF-8");
+        if (previous.equals(jdbcUrlDecode)) {
+          break;
+        }
+      }
+    } catch (UnsupportedEncodingException e) {
+      throw new IllegalArgumentException("JDBC URL has wrong encoding");
+    }
+    
+    if (!previous.equals(jdbcUrlDecode)) {
+      throw new IllegalArgumentException("JDBC URL contains invalid characters");
+    }
+
+    if (!jdbcUrlDecode.toLowerCase().startsWith("jdbc:")) {
       throw new IllegalArgumentException("JDBC URL must start with 'jdbc:'");
     }
 
-    Matcher matcher = JDBC_PARAMETERS_REGEX_PATTERN.matcher(jdbcUrl);
+    Matcher matcher = JDBC_PARAMETERS_REGEX_PATTERN.matcher(jdbcUrlDecode);
     String property = System.getProperty(DISALLOWED_JDBC_PARAMETERS_PARAM);
     List<String> disallowedParameters = property == null ?
             DEFAULT_JDBC_DISALLOWED_PARAMETERS :
diff --git a/h2o-core/src/test/java/water/jdbc/SQLManagerTest.java b/h2o-core/src/test/java/water/jdbc/SQLManagerTest.java
@@ -226,6 +226,26 @@ public void testValidateJdbcConnectionStringMysqlOneParameter() {
     SQLManager.validateJdbcUrl(jdbcConnection);
   }
 
+  @Test
+  public void testValidateJdbcConnectionStringMysqlDoubleEncodedString() {
+    exception.expect(IllegalArgumentException.class);
+    exception.expectMessage("Potentially dangerous JDBC parameter found: allowLoadLocalInfile");
+
+    String jdbcConnection = "jdbc%3Amysql%3A%2F%2F127.0.0.1%3A3308%2Ftest%3F+%2561%256c%256c%256f%2577%254c%256f%2561%2564%254c%256f%2563%2561%256c%2549%256e%2566%2569%256c%2565%3Dtrue%26+%2561%256c%256c%256f%2577%2555%2572%256c%2549%256e%254c%256f%2563%2561%256c%2549%256e%2566%2569%256c%2565%3Dtrue&table=a&username=fileread_/etc/passwd&password=123123&fetch_mode=SINGLE";
+
+    SQLManager.validateJdbcUrl(jdbcConnection);
+  }
+
+  @Test
+  public void testValidateJdbcConnectionStringMysqlMultipleEncodedString() {
+    exception.expect(IllegalArgumentException.class);
+    exception.expectMessage("JDBC URL contains invalid characters");
+
+    String jdbcConnection = "jdbc%2525252525252525253Amysql%2525252525252525253A%2525252525252525252F%2525252525252525252F127.0.0.1%2525252525252525253A3308%2525252525252525252Ftest%2525252525252525253F%25252525252525252B%2525252525252525252561%252525252525252525256c%252525252525252525256c%252525252525252525256f%2525252525252525252577%252525252525252525254c%252525252525252525256f%2525252525252525252561%2525252525252525252564%252525252525252525254c%252525252525252525256f%2525252525252525252563%2525252525252525252561%252525252525252525256c%2525252525252525252549%252525252525252525256e%2525252525252525252566%2525252525252525252569%252525252525252525256c%2525252525252525252565%2525252525252525253Dtrue%25252525252525252526%25252525252525252B%2525252525252525252561%252525252525252525256c%252525252525252525256c%252525252525252525256f%2525252525252525252577%2525252525252525252555%2525252525252525252572%252525252525252525256c%2525252525252525252549%252525252525252525256e%252525252525252525254c%252525252525252525256f%2525252525252525252563%2525252525252525252561%252525252525252525256c%2525252525252525252549%252525252525252525256e%2525252525252525252566%2525252525252525252569%252525252525252525256c%2525252525252525252565%2525252525252525253Dtrue%252525252525252526table%25252525252525253Da%252525252525252526username%25252525252525253Dfileread_%25252525252525252Fetc%25252525252525252Fpasswd%252525252525252526password%25252525252525253D123123%252525252525252526fetch_mode%25252525252525253DSINGLE";
+
+    SQLManager.validateJdbcUrl(jdbcConnection);
+  }
+
   /**
    * Test fail if any exception is thrown therefore no assert
    */
