Fixes from security review

aws · Nov 3, 2020 · 1d0e79c · 1d0e79c
1 parent 2315ad5
commit 1d0e79c
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 24 deletions.
diff --git a/pom.xml b/pom.xml
@@ -33,6 +33,7 @@
 
         <waffle-jna.version>1.9.1</waffle-jna.version>
         <checkstyle.version>8.29</checkstyle.version>
+        <jackson.version>2.11.3</jackson.version>
         <dependent_lib_dir>${basedir}/dependent_libs</dependent_lib_dir>
         <!-- Configuration for maven-surefire-plugin. Needs to be here for compatibility with jacoco -->
         <argLine>-Xmx512m</argLine>
@@ -76,7 +77,6 @@
             <artifactId>httpclient</artifactId>
             <version>4.5.2</version>
         </dependency>
-
         <dependency>
             <groupId>org.junit.jupiter</groupId>
             <artifactId>junit-jupiter-engine</artifactId>
@@ -400,22 +400,13 @@
                     <archive>
                         <manifest>
                             <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
+                            <addClasspath>true</addClasspath>
                         </manifest>
                         <manifestEntries>
                             <Main-Class>com.amazon.redshift.util.RedshiftJDBCMain</Main-Class>
                             <Specification-Title>JDBC</Specification-Title>
                             <Specification-Version>${jdbc.specification.version}</Specification-Version>
                             <Specification-Vendor>Oracle Corporation</Specification-Vendor>
-                            <Class-Path>aws-java-sdk-core-1.11.118.jar aws-java-sdk-redshift-1.11.118.jar
-                                aws-java-sdk-sts-1.11.118.jar commons-codec-1.9.jar 
-                                commons-logging-1.1.3.jar commons-logging-1.2.jar
-                                httpclient-4.5.2.jar httpcore-4.4.4.jar 
-                                jackson-annotations-2.10.1.jar jackson-core-2.10.1.jar 
-                                jackson-databind-2.10.1.jar jackson-dataformat-cbor-2.10.1.jar 
-                                jackson-annotations-2.6.0.jar jackson-core-2.6.6.jar 
-                                jackson-databind-2.6.6.jar jackson-dataformat-cbor-2.6.6.jar 
-                                joda-time-2.8.1.jar
-                            </Class-Path>
                             <Automatic-Module-Name>com.amazon.redshift.jdbc</Automatic-Module-Name>
                         </manifestEntries>
                         <manifestFile>${project.build.outputDirectory}/META-INF/MANIFEST.MF</manifestFile>
@@ -778,7 +769,8 @@
                         <failOnViolation>true</failOnViolation>
                         <failsOnError>true</failsOnError>
                         <consoleOutput>true</consoleOutput>
-                        <includeTestSourceDirectory>true</includeTestSourceDirectory>
+                        <includeTestSourceDirectory>true
+                        </includeTestSourceDirectory>
                     </configuration>
                 </plugin>
 
@@ -788,7 +780,26 @@
 
     <dependencyManagement>
         <dependencies>
-
+            <dependency>
+                <groupId>com.fasterxml.jackson.core</groupId>
+                <artifactId>jackson-databind</artifactId>
+                <version>${jackson.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.fasterxml.jackson.core</groupId>
+                <artifactId>jackson-core</artifactId>
+                <version>${jackson.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.fasterxml.jackson.core</groupId>
+                <artifactId>jackson-annotations</artifactId>
+                <version>${jackson.version}</version>
+            </dependency>
+            <dependency>
+                <groupId>com.fasterxml.jackson.dataformat</groupId>
+                <artifactId>jackson-dataformat-cbor</artifactId>
+                <version>${jackson.version}</version>
+            </dependency>
             <dependency>
                 <groupId>se.jiderhamn</groupId>
                 <artifactId>classloader-leak-test-framework</artifactId>

diff --git a/src/main/java/com/amazon/redshift/core/v3/ConnectionFactoryImpl.java b/src/main/java/com/amazon/redshift/core/v3/ConnectionFactoryImpl.java
@@ -377,10 +377,6 @@ private List<String[]> getParametersForStartup(String user, String database, Pro
 	    if (pluginName != null && pluginName.length() != 0) {
 		    paramList.add(new String[]{"plugin_name",pluginName});
 	    }
-
-	    // Send protocol version as 1, so server can send optimized extended RSMD.
-//	    paramList.add(new String[]{"client_protocol_version",Integer.toString(EXTENDED_RESULT_METADATA_SERVER_PROTOCOL_VERSION)});
-
     } // New parameters
 
     String replication = RedshiftProperty.REPLICATION.get(info);
@@ -580,7 +576,7 @@ private void doAuthentication(RedshiftStream pgStream, String host, String user,
               case AUTH_REQ_MD5: {
                 byte[] md5Salt = pgStream.receive(4);
                 if(RedshiftLogger.isEnable()) {
-                  logger.log(LogLevel.DEBUG, " <=BE AuthenticationReqMD5(salt={0})", Utils.toHexString(md5Salt));
+                  logger.log(LogLevel.DEBUG, " <=BE AuthenticationReqMD5");
                 }
 
                 if (password == null) {
@@ -593,10 +589,6 @@ private void doAuthentication(RedshiftStream pgStream, String host, String user,
                 byte[] digest =
                     MD5Digest.encode(user.getBytes("UTF-8"), password.getBytes("UTF-8"), md5Salt);
 
-                if(RedshiftLogger.isEnable()) {
-                  logger.log(LogLevel.DEBUG, " FE=> Password(md5digest={0})", new String(digest, "US-ASCII"));
-                }
-
                 pgStream.sendChar('p');
                 pgStream.sendInteger4(4 + digest.length + 1);
                 pgStream.send(digest);

diff --git a/src/main/java/com/amazon/redshift/jdbc/RedshiftResultSet.java b/src/main/java/com/amazon/redshift/jdbc/RedshiftResultSet.java
@@ -2114,6 +2114,17 @@ public boolean wasNull() throws SQLException {
     return wasNullFlag;
   }
 
+  private boolean isCharType(int columnIndex) throws SQLException {
+  	int colType = getSQLType(columnIndex);
+
+  	return (colType == Types.VARCHAR
+  						|| colType == Types.CHAR
+  						|| colType == Types.LONGVARCHAR
+  						|| colType == Types.NVARCHAR
+  						|| colType == Types.NCHAR
+  						|| colType == Types.LONGNVARCHAR);
+  }
+
   @Override
   public String getString(int columnIndex) throws SQLException {
     if (RedshiftLogger.isEnable()) 
@@ -2125,7 +2136,8 @@ public String getString(int columnIndex) throws SQLException {
     }
 
     // varchar in binary is same as text, other binary fields are converted to their text format
-    if (isBinary(columnIndex) && getSQLType(columnIndex) != Types.VARCHAR) {
+    if (isBinary(columnIndex) 
+    			&& !isCharType(columnIndex)) {
       Field field = fields[columnIndex - 1];
       Object obj = internalGetObject(columnIndex, field);
       if (obj == null) {
@@ -2230,7 +2242,12 @@ public boolean getBoolean(int columnIndex) throws SQLException {
     int col = columnIndex - 1;
     if (Oid.BOOL == fields[col].getOID()) {
       final byte[] v = thisRow.get(col);
-      return (1 == v.length) && (116 == v[0]); // 116 = 't'
+      if (isBinary(columnIndex)) {
+      	return (1 == v.length) && (1 == v[0]);      	
+      }
+      else {
+      	return (1 == v.length) && (116 == v[0]); // 116 = 't'
+      }
     }
 
     if (isBinary(columnIndex)) {
@@ -3367,6 +3384,7 @@ private long readLongValue(byte[] bytes, int oid, long minVal, long maxVal, Stri
         val = ByteConverter.int2(bytes, 0);
         break;
       case Oid.INT4:
+      case Oid.OID:
         val = ByteConverter.int4(bytes, 0);
         break;
       case Oid.INT8: