github-advanced-security[bot] commented on code in PR #18229:
URL: 
https://github.com/apache/dolphinscheduler/pull/18229#discussion_r3206677809


##########
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/controller/TaskDefinitionController.java:
##########
@@ -141,12 +142,12 @@
     @ResponseStatus(HttpStatus.OK)
     @ApiException(SWITCH_TASK_DEFINITION_VERSION_ERROR)
     @OperatorLog(auditType = AuditType.TASK_SWITCH_VERSION)
-    public Result switchTaskDefinitionVersion(@Parameter(hidden = true) 
@RequestAttribute(value = Constants.SESSION_USER) User loginUser,
-                                              @Parameter(name = "projectCode", 
description = "PROJECT_CODE", required = true) @PathVariable long projectCode,
-                                              @PathVariable(value = "code") 
long code,
-                                              @PathVariable(value = "version") 
int version) {
-        Map<String, Object> result = 
taskDefinitionService.switchVersion(loginUser, projectCode, code, version);
-        return returnDataList(result);
+    public Result<Void> switchTaskDefinitionVersion(@Parameter(hidden = true) 
@RequestAttribute(value = Constants.SESSION_USER) User loginUser,

Review Comment:
   ## CodeQL / HTTP request type unprotected from CSRF
   
   Potential CSRF vulnerability due to using an HTTP request type which is not 
default-protected from CSRF for an apparent [state-changing action](1).
   Potential CSRF vulnerability due to using an HTTP request type which is not 
default-protected from CSRF for an apparent [state-changing action](2).
   Potential CSRF vulnerability due to using an HTTP request type which is not 
default-protected from CSRF for an apparent [state-changing action](3).
   
   [Show more 
details](https://github.com/apache/dolphinscheduler/security/code-scanning/5771)



##########
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/controller/TaskDefinitionController.java:
##########
@@ -212,10 +213,10 @@
     @GetMapping(value = "/gen-task-codes")
     @ResponseStatus(HttpStatus.OK)
     @ApiException(LOGIN_USER_QUERY_PROJECT_LIST_PAGING_ERROR)
-    public Result genTaskCodeList(@Parameter(hidden = true) 
@RequestAttribute(value = Constants.SESSION_USER) User loginUser,
-                                  @RequestParam("genNum") Integer genNum) {
-        Map<String, Object> result = 
taskDefinitionService.genTaskCodeList(genNum);
-        return returnDataList(result);
+    public Result<List<Long>> genTaskCodeList(@Parameter(hidden = true) 
@RequestAttribute(value = Constants.SESSION_USER) User loginUser,

Review Comment:
   ## CodeQL / Useless parameter
   
   The parameter 'loginUser' is never used.
   
   [Show more 
details](https://github.com/apache/dolphinscheduler/security/code-scanning/5773)



##########
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/TaskDefinitionServiceImpl.java:
##########
@@ -130,23 +130,33 @@
      * @param taskName    task name
      */
     @Override
-    public Map<String, Object> queryTaskDefinitionByName(User loginUser, long 
projectCode, long workflowDefinitionCode,
-                                                         String taskName) {
+    public TaskDefinition queryTaskDefinitionByName(User loginUser, long 
projectCode, long workflowDefinitionCode,
+                                                    String taskName) {
         Project project = projectMapper.queryByCode(projectCode);
         // check user access for project
         projectService.checkProjectAndAuthThrowException(loginUser, project, 
TASK_DEFINITION);
 
-        Map<String, Object> result = new HashMap<>();
         TaskDefinition taskDefinition =
                 taskDefinitionMapper.queryByName(project.getCode(), 
workflowDefinitionCode, taskName);
         if (taskDefinition == null) {
             log.error("Task definition does not exist, taskName:{}.", 
taskName);
-            putMsg(result, Status.TASK_DEFINE_NOT_EXIST, taskName);
-        } else {
-            result.put(Constants.DATA_LIST, taskDefinition);
-            putMsg(result, Status.SUCCESS);
+            throw new ServiceException(Status.TASK_DEFINE_NOT_EXIST, taskName);
+        }
+        return taskDefinition;
+    }
+
+    /**
+     * Resolve project + write permission; throws ServiceException with the
+     * status that {@link ProjectService#hasProjectAndWritePerm(User, Project, 
Map)}
+     * would otherwise have written into the legacy result map.
+     */
+    private void requireProjectAndWritePerm(User loginUser, Project project) {
+        Map<String, Object> permCheck = new HashMap<>();
+        if (!projectService.hasProjectAndWritePerm(loginUser, project, 
permCheck)) {

Review Comment:
   ## CodeQL / Deprecated method or constructor invocation
   
   Invoking [ProjectService.hasProjectAndWritePerm](1) should be avoided 
because it has been deprecated.
   
   [Show more 
details](https://github.com/apache/dolphinscheduler/security/code-scanning/5772)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to