From 037a91ba30bd7ac028f6cbbe8980937e836b8ea0 Mon Sep 17 00:00:00 2001 From: Mighten Dai Date: Wed, 18 Sep 2024 09:54:14 +0800 Subject: [PATCH] Code Review Update 2nd: - Removed redundant dependency: `bcprov-jdk15on-1.69.jar` - Relocated Tencent COS Constants - Fixed CodeQL: Uncontrolled data used in path expression --- .../common/constants/Constants.java | 3 --- .../storage/cos/CosStorageConstants.java | 26 +++++++++++++++++++ .../storage/cos/CosStorageOperator.java | 8 ++++-- .../cos/CosStorageOperatorFactory.java | 9 +++---- .../plugin/task/api/TaskConstants.java | 6 ----- tools/dependencies/known-dependencies.txt | 1 - 6 files changed, 36 insertions(+), 17 deletions(-) create mode 100644 dolphinscheduler-storage-plugin/dolphinscheduler-storage-cos/src/main/java/org/apache/dolphinscheduler/plugin/storage/cos/CosStorageConstants.java diff --git a/dolphinscheduler-common/src/main/java/org/apache/dolphinscheduler/common/constants/Constants.java b/dolphinscheduler-common/src/main/java/org/apache/dolphinscheduler/common/constants/Constants.java index 853d7d26d9b7..254896a27cc0 100644 --- a/dolphinscheduler-common/src/main/java/org/apache/dolphinscheduler/common/constants/Constants.java +++ b/dolphinscheduler-common/src/main/java/org/apache/dolphinscheduler/common/constants/Constants.java @@ -125,9 +125,6 @@ public final class Constants { public static final String HUAWEI_CLOUD_OBS_BUCKET_NAME = "resource.huawei.cloud.obs.bucket.name"; public static final String HUAWEI_CLOUD_OBS_END_POINT = "resource.huawei.cloud.obs.endpoint"; - public static final String TENCENT_CLOUD_COS_BUCKET_NAME = "resource.tencent.cloud.cos.bucket.name"; - public static final String TENCENT_CLOUD_COS_REGION = "resource.tencent.cloud.cos.region"; - /** * fetch applicationId way */ 
diff --git a/dolphinscheduler-storage-plugin/dolphinscheduler-storage-cos/src/main/java/org/apache/dolphinscheduler/plugin/storage/cos/CosStorageConstants.java b/dolphinscheduler-storage-plugin/dolphinscheduler-storage-cos/src/main/java/org/apache/dolphinscheduler/plugin/storage/cos/CosStorageConstants.java new file mode 100644 index 000000000000..324ab05bf5d4 --- /dev/null +++ b/dolphinscheduler-storage-plugin/dolphinscheduler-storage-cos/src/main/java/org/apache/dolphinscheduler/plugin/storage/cos/CosStorageConstants.java @@ -0,0 +1,26 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.dolphinscheduler.plugin.storage.cos; + +public class CosStorageConstants { + + public static final String TENCENT_CLOUD_COS_BUCKET_NAME = "resource.tencent.cloud.cos.bucket.name"; + public static final String TENCENT_CLOUD_COS_REGION = "resource.tencent.cloud.cos.region"; + public static final String TENCENT_CLOUD_ACCESS_KEY_ID = "resource.tencent.cloud.access.key.id"; + public static final String TENCENT_CLOUD_ACCESS_KEY_SECRET = "resource.tencent.cloud.access.key.secret"; +} 
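Review bot: The new `CosStorageConstants` holder can be instantiated and subclassed even though it only carries static constants; add `private CosStorageConstants() {}` and declare the class `final`, which matches the `private TaskConstants()` constructor these keys were moved out of. Since two of the constants name credential properties (`resource.tencent.cloud.access.key.id` / `.access.key.secret`), a one-line class comment is worth adding so readers know the values looked up under them are secrets that must not be logged, e.g. `// Property keys for the Tencent COS storage plugin; the access-key entries resolve to credentials.`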
diff --git a/dolphinscheduler-storage-plugin/dolphinscheduler-storage-cos/src/main/java/org/apache/dolphinscheduler/plugin/storage/cos/CosStorageOperator.java b/dolphinscheduler-storage-plugin/dolphinscheduler-storage-cos/src/main/java/org/apache/dolphinscheduler/plugin/storage/cos/CosStorageOperator.java index c3286230af54..71ef3d9b3f82 100644 --- a/dolphinscheduler-storage-plugin/dolphinscheduler-storage-cos/src/main/java/org/apache/dolphinscheduler/plugin/storage/cos/CosStorageOperator.java +++ b/dolphinscheduler-storage-plugin/dolphinscheduler-storage-cos/src/main/java/org/apache/dolphinscheduler/plugin/storage/cos/CosStorageOperator.java @@ -35,6 +35,7 @@ import java.io.InputStreamReader; import java.nio.file.FileAlreadyExistsException; import java.nio.file.Files; +import java.nio.file.Path; import java.nio.file.Paths; import java.util.ArrayList; import java.util.HashSet; @@ -133,8 +134,11 @@ public void createStorageDir(String directoryAbsolutePath) { @Override public void download(String srcFilePath, String dstFilePath, boolean overwrite) { String cosKey = transformAbsolutePathToCOSKey(srcFilePath); - - File dstFile = Paths.get(dstFilePath).normalize().toFile(); + Path normalizedFilePath = Paths.get(dstFilePath).normalize(); + if (normalizedFilePath.startsWith("/etc")) { + throw new IllegalArgumentException("failed to download to " + normalizedFilePath); + } + File dstFile = normalizedFilePath.toFile(); if (dstFile.isDirectory()) { Files.delete(dstFile.toPath()); } else { diff --git a/dolphinscheduler-storage-plugin/dolphinscheduler-storage-cos/src/main/java/org/apache/dolphinscheduler/plugin/storage/cos/CosStorageOperatorFactory.java b/dolphinscheduler-storage-plugin/dolphinscheduler-storage-cos/src/main/java/org/apache/dolphinscheduler/plugin/storage/cos/CosStorageOperatorFactory.java index d978d7a9d6ab..bd48b25f3897 100644 
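Review bot: The added `startsWith("/etc")` guard in `download` is a denylist, not path control: `dstFilePath` still reaches `dstFile` unrestricted for every other location (home directories, the scheduler's own install and data directories, and on Windows the check never matches at all), and the context line `Files.delete(dstFile.toPath())` shows the method will delete an existing directory at whatever path it is handed. The CodeQL finding is about the destination being derived from uncontrolled data, so the fix should be an allow-list check against the one base directory this operator is permitted to write into, for example `Path root = <local download base dir>.toAbsolutePath().normalize();` followed by `if (!normalizedFilePath.toAbsolutePath().startsWith(root)) { throw new IllegalArgumentException("download destination outside " + root + ": " + normalizedFilePath); }` — where that base directory is configured is not visible in this hunk and should be confirmed against the operator's properties. If a denylist is deliberately kept, a comment explaining why `/etc` alone is considered sufficient belongs above the check, since future readers will otherwise assume it is a complete fix. The `download` body continues past the end of the hunk.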
--- a/dolphinscheduler-storage-plugin/dolphinscheduler-storage-cos/src/main/java/org/apache/dolphinscheduler/plugin/storage/cos/CosStorageOperatorFactory.java +++ b/dolphinscheduler-storage-plugin/dolphinscheduler-storage-cos/src/main/java/org/apache/dolphinscheduler/plugin/storage/cos/CosStorageOperatorFactory.java @@ -22,7 +22,6 @@ import org.apache.dolphinscheduler.plugin.storage.api.StorageOperator; import org.apache.dolphinscheduler.plugin.storage.api.StorageOperatorFactory; import org.apache.dolphinscheduler.plugin.storage.api.StorageType; -import org.apache.dolphinscheduler.plugin.task.api.TaskConstants; import java.util.Map; @@ -47,10 +46,10 @@ private CosStorageProperties getCosStorageProperties() { Map cosPropertiesMap = PropertyUtils.getByPrefix("resource.tencent.cloud"); return CosStorageProperties.builder() - .region(cosPropertiesMap.get(Constants.TENCENT_CLOUD_COS_REGION)) - .accessKeyId(cosPropertiesMap.get(TaskConstants.TENCENT_CLOUD_ACCESS_KEY_ID)) - .accessKeySecret(cosPropertiesMap.get(TaskConstants.TENCENT_CLOUD_ACCESS_KEY_SECRET)) - .bucketName(cosPropertiesMap.get(Constants.TENCENT_CLOUD_COS_BUCKET_NAME)) + .region(cosPropertiesMap.get(CosStorageConstants.TENCENT_CLOUD_COS_REGION)) + .accessKeyId(cosPropertiesMap.get(CosStorageConstants.TENCENT_CLOUD_ACCESS_KEY_ID)) + .accessKeySecret(cosPropertiesMap.get(CosStorageConstants.TENCENT_CLOUD_ACCESS_KEY_SECRET)) + .bucketName(cosPropertiesMap.get(CosStorageConstants.TENCENT_CLOUD_COS_BUCKET_NAME)) .resourceUploadPath(cosPropertiesMap.getOrDefault(Constants.RESOURCE_UPLOAD_PATH, "/dolphinscheduler")) .build(); } diff --git a/dolphinscheduler-task-plugin/dolphinscheduler-task-api/src/main/java/org/apache/dolphinscheduler/plugin/task/api/TaskConstants.java b/dolphinscheduler-task-plugin/dolphinscheduler-task-api/src/main/java/org/apache/dolphinscheduler/plugin/task/api/TaskConstants.java index f78532679a30..77fd8db7fa5d 100644 
--- a/dolphinscheduler-task-plugin/dolphinscheduler-task-api/src/main/java/org/apache/dolphinscheduler/plugin/task/api/TaskConstants.java +++ b/dolphinscheduler-task-plugin/dolphinscheduler-task-api/src/main/java/org/apache/dolphinscheduler/plugin/task/api/TaskConstants.java @@ -389,12 +389,6 @@ private TaskConstants() { public static final String HUAWEI_CLOUD_ACCESS_KEY_ID = "resource.huawei.cloud.access.key.id"; public static final String HUAWEI_CLOUD_ACCESS_KEY_SECRET = "resource.huawei.cloud.access.key.secret"; - /** - * tencent cloud config - */ - public static final String TENCENT_CLOUD_ACCESS_KEY_ID = "resource.tencent.cloud.access.key.id"; - public static final String TENCENT_CLOUD_ACCESS_KEY_SECRET = "resource.tencent.cloud.access.key.secret"; - /** * use for k8s task */ diff --git a/tools/dependencies/known-dependencies.txt b/tools/dependencies/known-dependencies.txt index 84ddb76f5ffa..aeb538c1586a 100644 --- a/tools/dependencies/known-dependencies.txt +++ b/tools/dependencies/known-dependencies.txt @@ -24,7 +24,6 @@ aws-java-sdk-dms-1.12.300.jar aws-json-protocol-2.17.282.jar bcpkix-jdk15on-1.69.jar bcprov-ext-jdk15on-1.69.jar -bcprov-jdk15on-1.69.jar bcutil-jdk15on-1.69.jar bonecp-0.8.0.RELEASE.jar bucket4j-core-6.2.0.jar