github-code-scanning[bot] commented on code in PR #12549:
URL: https://github.com/apache/dolphinscheduler/pull/12549#discussion_r1011658207
##########
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/interceptor/LoginHandlerInterceptor.java:
##########
@@ -62,20 +72,41 @@
*/
@Override
public boolean preHandle(HttpServletRequest request, HttpServletResponse
response, Object handler) {
+ logger.info("[debug111] preHandle starts...");
// get token
+ logger.info("[debug111] request header: {}", request.getHeaderNames());
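Review bot: `request.getHeaderNames()` returns an `Enumeration<String>`, so the `{}` placeholder on the last added line will print the enumeration object's default `toString()` (a class name and hash) rather than the header names; if this output is wanted, collect the enumeration into a list first. Header names are also client-controlled, which is what the Log Injection finding is about, so any value that is logged should have CR/LF stripped, and the `[debug111]` prefix suggests both `logger.info` lines were temporary and should be removed (or dropped to DEBUG level) before merge, since this interceptor runs on every request.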
Review Comment:
## Log Injection
This log entry depends on a [user-provided value](1).
[Show more details](https://github.com/apache/dolphinscheduler/security/code-scanning/2218)
##########
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/SessionServiceImpl.java:
##########
@@ -62,18 +62,23 @@
public Session getSession(HttpServletRequest request) {
String sessionId = request.getHeader(Constants.SESSION_ID);
+ logger.info("[debug111] session id is {} ...", sessionId);
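Review bot: the added `logger.info` line writes the raw `sessionId` header value to the log at INFO level; that value is a credential (the session token) as well as user-controlled input, so it leaks a usable session identifier into log files and lets a client inject line breaks into log output. Either remove the statement or log only a non-sensitive fact (for example whether the header was present), and if the identifier itself must appear for debugging, mask most of it and strip CR/LF before logging.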
Review Comment:
## Log Injection
This log entry depends on a [user-provided value](1).
[Show more details](https://github.com/apache/dolphinscheduler/security/code-scanning/2219)
##########
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/SessionServiceImpl.java:
##########
@@ -62,18 +62,23 @@
public Session getSession(HttpServletRequest request) {
String sessionId = request.getHeader(Constants.SESSION_ID);
+ logger.info("[debug111] session id is {} ...", sessionId);
+
if (StringUtils.isBlank(sessionId)) {
Cookie cookie = WebUtils.getCookie(request, Constants.SESSION_ID);
-
if (cookie != null) {
+ logger.info("[debug111] cookie not null, trying getting
session id from cookie");
sessionId = cookie.getValue();
}
}
if (StringUtils.isBlank(sessionId)) {
+ logger.info("[debug111] session id is still null, return null");
return null;
}
+ logger.info("[debug111] session id is not null, {}", sessionId);
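Review bot: this hunk logs the session identifier twice (the `"session id is {}"` line at the top and the `"session id is not null, {}"` line at the bottom) at INFO level, so the same credential-and-user-input concern applies to both; the four `[debug111]` statements read as temporary debugging and should be removed before merge, or at minimum moved to DEBUG with the identifier masked. Minor: the message `"session id is still null"` is emitted from a `StringUtils.isBlank` check, so it also fires for an empty or whitespace-only value; "blank" would be the accurate word.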
Review Comment:
## Log Injection
This log entry depends on a [user-provided value](1).
This log entry depends on a [user-provided value](2).
[Show more details](https://github.com/apache/dolphinscheduler/security/code-scanning/2220)
##########
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/SecurityConfig.java:
##########
@@ -67,13 +73,28 @@
case LDAP:
authenticator = new LdapAuthenticator();
break;
+ case OAUTH2:
+ logger.info("[debug111] initializing oauth2 authenticator");
+ authenticator = new GoogleOAuth2Authenticator();
+ break;
default:
throw new IllegalStateException("Unexpected value: " +
authenticationType);
}
beanFactory.autowireBean(authenticator);
return authenticator;
}
+ @Bean
+ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception
{
+ http.authorizeRequests()
+ .anyRequest().authenticated()
+ .and()
+ .oauth2Login()
+
.and().logout().logoutUrl("/signOut").logoutSuccessUrl("/").permitAll()
+ .and().csrf().disable();
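Review bot: `.csrf().disable()` on the last added line turns off CSRF protection for every endpoint this chain covers, while `.anyRequest().authenticated()` together with `oauth2Login()` means those endpoints are authenticated by a browser session cookie, which is exactly the case CSRF tokens exist for; it also lets the `/signOut` logout endpoint be triggered by a cross-site request. Keep CSRF enabled and, if the front end needs to read the token for XHR calls, configure `.csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())` instead of disabling it. Separately, this `@Bean` is registered unconditionally, whereas the `switch` above selects the authenticator per `authenticationType`; please confirm the new filter chain is not meant to apply when LDAP or password authentication is configured, and note that the `OAUTH2` case hardcodes `GoogleOAuth2Authenticator` although the enum value is provider-neutral.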
Review Comment:
## Disabled Spring CSRF protection
CSRF vulnerability due to protection being disabled.
[Show more details](https://github.com/apache/dolphinscheduler/security/code-scanning/2217)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]