This is an automated email from the ASF dual-hosted git repository.
morrysnow pushed a commit to branch branch-3.1
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/branch-3.1 by this push:
new 6125a4ed233 branch-3.1: [chore](security) Add ssrf check for create
stage #58585 (#58874)
6125a4ed233 is described below
commit 6125a4ed233757e9cd8e31605db0b064ad23f9ce
Author: github-actions[bot]
<41898282+github-actions[bot]@users.noreply.github.com>
AuthorDate: Wed Dec 10 12:13:31 2025 +0800
branch-3.1: [chore](security) Add ssrf check for create stage #58585
(#58874)
Cherry-picked from #58585
Co-authored-by: Gavin Chou <[email protected]>
---
.../src/main/java/org/apache/doris/analysis/CreateStageStmt.java | 3 +++
1 file changed, 3 insertions(+)
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateStageStmt.java
b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateStageStmt.java
index c59e7f7592b..64c5f9e8bd9 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateStageStmt.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/analysis/CreateStageStmt.java
@@ -25,6 +25,7 @@ import org.apache.doris.cloud.proto.Cloud.RamUserPB;
import org.apache.doris.cloud.proto.Cloud.StagePB;
import org.apache.doris.cloud.proto.Cloud.StagePB.StageAccessType;
import org.apache.doris.cloud.proto.Cloud.StagePB.StageType;
+import org.apache.doris.cloud.security.SecurityChecker;
import org.apache.doris.cloud.storage.RemoteBase;
import org.apache.doris.cloud.storage.RemoteBase.ObjectInfo;
import org.apache.doris.common.AnalysisException;
@@ -135,6 +136,7 @@ public class CreateStageStmt extends DdlStmt implements
NotFallbackInParser {
String urlStr = "http://" + endpoint;
// TODO: Server-Side Request Forgery Check is still need?
URL url = new URL(urlStr);
+ SecurityChecker.getInstance().startSSRFChecking(urlStr);
connection = (HttpURLConnection) url.openConnection();
connection.setConnectTimeout(10000);
connection.connect();
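Review bot: The comment just above the new call, `// TODO: Server-Side Request Forgery Check is still need?`, is stale now that this hunk adds the check it asks about. Replace it with something like `// Run the SSRF check on the user-supplied endpoint before opening the connection`. Separately, `startSSRFChecking(urlStr)` is called after `new URL(urlStr)`, so if URL construction throws, the `stopSSRFChecking()` added in the third hunk would run without a matching start. That assumes the stop call sits in the `finally` block, which the lost indentation does not let me confirm. Either move the start call to directly after `urlStr` is built, or confirm that stop without start is a no-op. The enclosing method begins and ends outside this hunk.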
@@ -151,6 +153,7 @@ public class CreateStageStmt extends DdlStmt implements
NotFallbackInParser {
LOG.warn("Failed to disconnect connection, endpoint={}",
endpoint, e);
}
}
+ SecurityChecker.getInstance().stopSSRFChecking();
}
}
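Review bot: `stopSSRFChecking()` is called unguarded, while the `disconnect()` cleanup just above it is wrapped in a try/catch that only logs. If this line is inside the `finally` block (the brace structure suggests so, but indentation is not visible here) and `stopSSRFChecking()` can throw, that exception would replace whatever the try block raised. Either wrap it the same way as the disconnect call, or state the contract in a comment such as `// runs in finally to clear the SSRF check state; must not throw`. The method body starts outside this hunk.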