github-advanced-security[bot] commented on code in PR #17119:
URL:
https://github.com/apache/dolphinscheduler/pull/17119#discussion_r2048339291
##########
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/controller/LoginController.java:
##########
@@ -206,6 +216,24 @@
}).collect(Collectors.toList());
return Result.success(providers);
}
+ @SneakyThrows
+ @Operation(summary = "redirectToOidc", description =
"REDIRECT_TO_OIDC_LOGIN")
+ @GetMapping("redirect/login/oidc")
+ public void loginByOidc(@RequestParam String code, @RequestParam String
provider,
Review Comment:
## HTTP request type unprotected from CSRF
Potential CSRF vulnerability due to using an HTTP request type which is not
default-protected from CSRF for an apparent [state-changing action](1).
[Show more
details](https://github.com/apache/dolphinscheduler/security/code-scanning/5165)
##########
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/controller/LoginController.java:
##########
@@ -206,6 +216,24 @@
}).collect(Collectors.toList());
return Result.success(providers);
}
+ @SneakyThrows
+ @Operation(summary = "redirectToOidc", description =
"REDIRECT_TO_OIDC_LOGIN")
+ @GetMapping("redirect/login/oidc")
+ public void loginByOidc(@RequestParam String code, @RequestParam String
provider,
+ HttpServletRequest request, HttpServletResponse
response) {
Review Comment:
## Useless parameter
The parameter 'request' is never used.
[Show more
details](https://github.com/apache/dolphinscheduler/security/code-scanning/5164)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
