github-code-scanning[bot] commented on code in PR #14507:
URL: 
https://github.com/apache/dolphinscheduler/pull/14507#discussion_r1265281861


##########
dolphinscheduler-task-plugin/dolphinscheduler-task-http/src/main/java/org/apache/dolphinscheduler/plugin/task/http/HttpTask.java:
##########
@@ -287,10 +294,32 @@
      *
      * @return CloseableHttpClient
      */
-    protected CloseableHttpClient createHttpClient() {
+    protected CloseableHttpClient createHttpClient() throws Exception {
         final RequestConfig requestConfig = requestConfig();
         HttpClientBuilder httpClientBuilder;
         httpClientBuilder = 
HttpClients.custom().setDefaultRequestConfig(requestConfig);
+        if (httpParameters.getEnableSSL()) {
+            TrustManager[] trustAllCerts = new TrustManager[]{new 
X509TrustManager() {
+
+                @Override
+                public X509Certificate[] getAcceptedIssuers() {
+                    return null;
+                }
+
+                @Override
+                public void checkClientTrusted(X509Certificate[] certs, String 
authType) {
+                }
+
+                @Override
+                public void checkServerTrusted(X509Certificate[] certs, String 
authType) {
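Review bot: `getAcceptedIssuers()` in the anonymous `X509TrustManager` returns `null`, but the interface documents a non-null (possibly empty) array, so code that consumes the trust manager is entitled to dereference the result; as long as this manager exists it should be `return new X509Certificate[0];`. The signature change to `createHttpClient() throws Exception` also widens a protected method further than the visible code justifies, and the Javadoc above it still lists only `@return`. The checked exceptions presumably come from TLS context setup beyond the quoted lines, in which case `throws GeneralSecurityException` plus a matching `@throws` line would be tighter. The quoted hunk stops inside `checkServerTrusted`, so the rest of the method is not visible here; the second quoted hunk further down shows the same code and the same two points apply to it.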

Review Comment:
   ## Server certificates should be verified during SSL/TLS connections
   
   <!--SONAR_ISSUE_KEY:AYljyviQUCRHD6yWZ4vy-->Enable server certificate validation on this SSL/TLS connection. <p>See more on <a href="https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&issues=AYljyviQUCRHD6yWZ4vy&open=AYljyviQUCRHD6yWZ4vy&pullRequest=14507">SonarCloud</a></p>
   
   [Show more 
details](https://github.com/apache/dolphinscheduler/security/code-scanning/3001)



##########
dolphinscheduler-task-plugin/dolphinscheduler-task-http/src/main/java/org/apache/dolphinscheduler/plugin/task/http/HttpTask.java:
##########
@@ -287,10 +294,32 @@
      *
      * @return CloseableHttpClient
      */
-    protected CloseableHttpClient createHttpClient() {
+    protected CloseableHttpClient createHttpClient() throws Exception {
         final RequestConfig requestConfig = requestConfig();
         HttpClientBuilder httpClientBuilder;
         httpClientBuilder = 
HttpClients.custom().setDefaultRequestConfig(requestConfig);
+        if (httpParameters.getEnableSSL()) {
+            TrustManager[] trustAllCerts = new TrustManager[]{new 
X509TrustManager() {
+
+                @Override
+                public X509Certificate[] getAcceptedIssuers() {
+                    return null;
+                }
+
+                @Override
+                public void checkClientTrusted(X509Certificate[] certs, String 
authType) {

Review Comment:
   ## Server certificates should be verified during SSL/TLS connections
   
   <!--SONAR_ISSUE_KEY:AYljyviQUCRHD6yWZ4vx-->Enable server certificate validation on this SSL/TLS connection. <p>See more on <a href="https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&issues=AYljyviQUCRHD6yWZ4vx&open=AYljyviQUCRHD6yWZ4vx&pullRequest=14507">SonarCloud</a></p>
   
   [Show more 
details](https://github.com/apache/dolphinscheduler/security/code-scanning/3000)


