rickchengx commented on PR #12917: URL: https://github.com/apache/dolphinscheduler/pull/12917#issuecomment-1318130833
> I dont't think it's a bug. It need to be disscussed. cc @ruanwenjun @caishunfeng @EricGao888 @zhongjiajie Hi, @SbloodyS , thanks for your comment. Here is an example to illustrate why I think this is a bug: * `User 1` has a project `project-1`, and an `task-instance-1` (suppose `taskInstanceId`=1) * `User 2` has no permission on `project-1` , and he cannot see the `project-1` and the `task-instance-1` on the UI. But he can easily query the log of `task-instance-1` by sending a GET http `/dolphinscheduler/log/detail?taskInstanceId=1&skipLineNum=0&limit=1000`. He only needs to set an `taskInstanceId`, and this id is not randomly generated. In more serious cases, the logs may contain sensitive information * E.g., the log of `Sqoop` task will output the mysql password (BTW, this problem will be fixed in #11589 ) Then `User 2` will get the sensitive information to which **he does not have permission**. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
