shardingsphere H2database snyk issue

[xs996]

Which version of ShardingSphere did you use?

shardingsphere-jdbc-core 5.4.1

Which project did you use? ShardingSphere-JDBC or ShardingSphere-Proxy?

ShardingSphere-JDBC

Expected behavior

snyk scan passed

Actual behavior

snyk reported a high issue about h2database

Reason analyze (If you can)

When we use h2database, snyk provides a high issue, and prompts that it cannot be repaired, The following is a detailed report:

_Affected versions of this package are vulnerable to Remote Code Execution (RCE). It provides a web console for managing the database, and by default it does not have a password set. The CREATE ALIAS function calls Java code, allowing an attacker to execute arbitrary Java code on projects running the h2 database.

Snyk report link: https://security.snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-31685

Steps to reproduce the behavior, such as: SQL to execute, sharding rule configuration, when exception occur etc.

snyk monitor

Example codes for reproduce this issue (such as a github link).

Snyk report link: https://security.snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-31685

[linghengqian]

• I tend to think this is a false positive from a low-quality security platform, since CVE-2018-10054 as pointed out by https://security.snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-31685 , and com.h2database:h2 almost doesn't matter. This CVE comes from com.datomic:datomic-free, which org.apache.shardingsphere:shardingsphere-jdbc does not depend on. Refer to https://github.com/advisories/GHSA-9pf8-qqhm-7w64 .

• I recommend you check further with Synk.

[xs996]

I don't think this is a false positive from Snyk, here are the details I provided： As you can see from the report, the current issue comes from shardingsphere-jdbc-core->shardingsphere-standalone-model-repository-jdbc->h2

[xs996]

I found from the documentation that when I use Mode: Standalone I have to use H2 or MySQL to load my metadata，But we did not use the above database. Is there any way to remove h2database from source code?

[linghengqian]

• Snyk only reported CVE-2018-10054, which is not specific to h2database. You need to check the original report of CVE.

• You can set the place to keep Metadata to other JDBC URL, whether it is MySQL or PostgreSQL.

[20001931]

Snyk reported https://security.snyk.io/vuln/SNYK-JAVA-COMH2DATABASE-2331071 please double check this high issue h2database import from shardingsphere 5.4.1 ![Uploading Screenshot 2024-03-27 104037.png…]()

To be honest,Metadata only keep in storage in H2 or MySQL ,that is not good idea,as you konw ,sometime we have not any choice，at this moment we just only use MSSQL ,but Snyk reported SNYK-JAVA-COMH2DATABASE-2331071 for Metadata in H2,Is it true that we have to build other MySQL for Metadata ,I think that is very funny！

[xs996]

• You can set the place to keep Metadata to other JDBC URL, whether it is MySQL or PostgreSQL.

If I don't use h2datbase and mysql to save my metadata, what should I do? Is there any corresponding documentation? Because I found in the documentation that Database Repository only supports H2 and Mysql

[linghengqian]

• To add support for Postgres, TiDB or other databases, you need to add files like https://github.com/apache/shardingsphere/tree/master/mode%2Ftype%2Fstandalone%2Frepository%2Fprovider%2Fjdbc%2Fsrc%2Fmain%2Fresources%2Fsql to the /sql/ folder of the project's classpath. These xml files define how ShardingSphere CRUDs the database to save metadata. These files do not take into account SPI.

• Or you can use cluster mode, in which case the metadata is in zoookeeper etc.

• IMHO, the original CVE description is Illogical, as h2database V2 does not allow access to the web console by default. This CVE is for the com.datomic:datomic-free dependency. For this CVE, the maintainer has requested to revoke the CVE, and you can see that the CVE has been marked as disputed.

[20001931]

thank your suggestion，let us try it

[linghengqian]

• It's hard to say what the significance of this issue is, because the h2database team does not think this CVE is meaningful. Unless someone plans to provide the ShardingSphere Standalone mode implementation for org.hsqldb:hsqldb:2.7.2 or org.apache.derby:derby:10.17.1.0, two of the alternatives to h2database.

[20001931]

I have other question for encrypt password for DB in shardingsphere 5.4.1 Could you provide suggestion for encrypt password for DB?

[linghengqian]

• If you’re referring to encrypting a metadata entry in the Zookeeper or H2database Metadata Repository that stores a database password, this requires a separate mode SPI implementation.

• And considering the US export controls and China export controls that come with the concept of encryption algorithms, which also involve Apache LICENSE conflicts with regulatory approaches, you’ll want to consider a closed source implementation of your own.

• If you just need to encrypt a local YAML configuration file, you can do this in a separate org.apache.shardingsphere.infra.url.ShardingSphereURLLoader implementation, such as MD5 salted with a private key. Refer to https://shardingsphere.apache.org/document/current/en/user-manual/shardingsphere-jdbc/yaml-config/jdbc-driver/known-implementation/ .

• IMHO, this topic has gone beyond the current issue description, and I fully recommend opening a new issue.

[20001931]

I have checked shardingsphere 5.4.1,https://github.com/apache/shardingsphere/tree/5.4.1/infra/executor/src there is not any class org.apache.shardingsphere.infra.url.ShardingSphereURLLoader.

org.apache.shardingsphere shardingsphere-infra-url 5.4.2-SNAPSHOT

just need to encrypt a local YAML configuration file

[linghengqian]

• @20001931 I remember another PMC and I refactored the related SPI design to support potential file transformations at the 5.5.0 milestone, so you need to manually compile the master branch at this stage.

• As for when 5.5.0 will be released, this is not a question that can be discussed on github.com, you need to go to the shardingsphere mailing list to discuss it.

[20001931]

I have other question for decrypt password for DB in shardingsphere 5.4.1 As you konw i have encrypted password for DB in classpath yaml But where i intercept code shardingsphere read classpath yaml? url: jdbc:shardingsphere:classpath:sharding-dev.yaml?placeholder-type=system_props password: $${fixture.config.driver.password::} I konw can use URLArgumentLineRender to replace $${} But where i intercept code shardingsphere initiative read classpath yaml

[linghengqian]

• I'm not sure what you are talking about. A custom implementation of org.apache.shardingsphere.infra.url.ShardingSphereURLLoader can place the key of a certain private key inside. When such an implementation exists, you can directly reference the YAML file containing the encryption information. I assume that the string returned by your implementation of getType() is classpath-with-encrypt.

  jdbc:shardingsphere:classpath-with-encrypt:config.yaml

• org.apache.shardingsphere.infra.url.ShardingSphereURLLoader can also read JDBCURL parameters, it depends on whether you need to pass in the public key for verification.
• This is completely beyond what the issue describes. I don't think there's any way to handle a PR without opening a new issue.

[20001931]

you did not get my point ,i konw to use ShardingSphereURLLoader reading YAML file,But i need to intercept code jdbcRepositoryProps.getValue(JDBCRepositoryPropertyKey.PASSWORD)) The password which i have encrypted in YAML file I need to decrypt this password and retuen the ShardingSphere dataSource you can not intercept the ShardingSphere dataSource if you just custom implementation ShardingSphereURLLoader May i konw how to intercept props in JDBCRepositoryProperties jdbcRepositoryProps = new JDBCRepositoryProperties(props); I need to change props before JDBCRepository init

[linghengqian]

• The easiest way to do this is to implement a custom Mode, which is a repeatable operation.

[20001931]

Could you share more detail? Where i can refer to code template? Do you mean use SPI org.apache.shardingsphere.mode.repository.standalone.StandalonePersistRepository point to custom implementation class?

[linghengqian]

• The answer is yes. See https://shardingsphere.apache.org/document/current/en/dev-manual/mode/. I still don't think that encrypting entries within a YAML file requires a reimplementation of Mode, as you said earlier, only encrypting local files.

• It's hard to say what the reference template is, since under normal circumstances, JDBC implementations cover most scenarios. Just refer to the processing of normal unit tests.

[20001931]

I got you point ,you mean i need change SPI org.apache.shardingsphere.mode.repository.standalone.StandalonePersistRepository to custom implementation class for example (JDBCRepositoryAli.class ) ,so i will control dataSource init ,that is right?

[linghengqian]

I got you point ,you mean i need change SPI org.apache.shardingsphere.mode.repository.standalone.StandalonePersistRepository to custom implementation class for example (JDBCRepositoryAli.class ) ,so i will control dataSource init ,that is right?

• Yes.

[xs996]

Regarding database password encryption, I submitted a new Issue: https://github.com/apache/shardingsphere/issues/30896 I will close this issue

[linghengqian]

• To summarize, I've opened #30926. I don't have time to deal with it at the moment. Maybe the related issues will be resolved at the 5.6.0 milestone.

[linghengqian]

https://shardingsphere.apache.org/document/current/cn/user-manual/common-config/builtin-algorithm/metadata-repository/ has been updated by #32192. Now you can use MySQL Server, Embedded Derby, Derby Network Server, HyperSQL HSQL Server, HyperSQL HTTP Server, HyperSQL HTTP Servlet, (Embedded) HyperSQL to configure ShardingSphere Standalone Mode. So-called MySQL Server-compatible databases such as TiDB should also work.