sec(store, server): disable remote access for arthasstart

Author: JisoLya

hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/config/ServerOptions.java

@@ -439,7 +439,7 @@ public class ServerOptions extends OptionHolder {
                     "arthas.ip",
                     "arthas bound ip",
                     disallowEmpty(),
-                    "0.0.0.0"
+                    "127.0.0.1"
             );
 
     public static final ConfigOption<String> ARTHAS_DISABLED_COMMANDS =

hugegraph-store/hg-store-node/src/main/java/org/apache/hugegraph/store/node/AppConfig.java

@@ -211,10 +211,10 @@ public class ArthasConfig {
         @Value("${arthas.httpPort:8565}")
         private String httpPort;
 
-        @Value("${arthas.ip:0.0.0.0}")
+        @Value("${arthas.ip:127.0.0.1}")
         private String arthasip;
 
-        @Value("${arthas.disabledCommands:jad}")
+        @Value("${arthas.disabledCommands:jad,ognl,vmtool}")
         private String disCmd;
     }
 

hugegraph-store/hg-store-node/src/main/java/org/apache/hugegraph/store/node/controller/PartitionAPI.java

@@ -22,6 +22,7 @@
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 
 import org.apache.hugegraph.pd.common.PDException;
 import org.apache.hugegraph.pd.grpc.Metapb;
@@ -44,6 +45,8 @@
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.context.request.RequestContextHolder;
+import org.springframework.web.context.request.ServletRequestAttributes;
 
 import com.alipay.sofa.jraft.entity.PeerId;
 import com.alipay.sofa.jraft.util.Endpoint;
@@ -189,6 +192,16 @@ public Map<String, Object> cleanPartition(@PathVariable(value = "id") int id) th
     @GetMapping(value = "/arthasstart", produces = "application/json")
     public Map<String, Object> arthasstart(
             @RequestParam(required = false, defaultValue = "") String flags) {
+        String remoteAddr = ((ServletRequestAttributes) Objects.requireNonNull(
+                RequestContextHolder.getRequestAttributes())).getRequest().getRemoteAddr();
+
+        boolean isLocalRequest = "127.0.0.1".equals(remoteAddr) ||
+                                 "[0:0:0:0:0:0:0:1]".equals(remoteAddr);
+        if (!isLocalRequest){
+            List<String> ret = new ArrayList<>();
+            ret.add("Arthas start is ONLY allowed from localhost.");
+            return forbiddenMap("arthasstart", ret);
+        }
         HashMap<String, String> configMap = new HashMap<>();
         configMap.put("arthas.telnetPort", appConfig.getArthasConfig().getTelnetPort());
         configMap.put("arthas.httpPort", appConfig.getArthasConfig().getHttpPort());
@@ -225,6 +238,13 @@ public Map<String, Object> okMap(String k, Object v) {
         return map;
     }
 
+    public Map<String, Object> forbiddenMap(String k, Object v){
+        HashMap<String, Object> map = new HashMap<>();
+        map.put("status", 403);
+        map.put(k,v);
+        return map;
+    }
+
     @Data
     public class Raft {
 

hugegraph-store/hg-store-node/src/main/resources/application.yml

@@ -49,3 +49,10 @@ logging:
   config: classpath:log4j2-dev.xml
   level:
     root: info
+
+arthas:
+  telnetPort: 8566
+  httpPort: 8565
+  # Only allow starting arthas locally
+  ip: 127.0.0.1
+  disabledCommands: jad,ognl,vmtool