liaoxin01 opened a new pull request, #64935: URL: https://github.com/apache/doris/pull/64935
## Summary

- **SSRF fix**: `_stream_load_forward` BE endpoint was registered unconditionally without authentication, allowing unauthenticated SSRF attacks
- Add BE config `enable_group_commit_streamload_be_forward` (default `false`) to gate endpoint registration, matching the existing FE config name
- Add auth validation: fast-path internal token check from FE redirect URL, with `HttpHandlerWithAuth` Basic Auth fallback for rolling upgrade compatibility
- FE passes internal auth token via `auth_token` query param in redirect URL; BE strips it before forwarding to target

## Test plan

- [ ] Verify `_stream_load_forward` endpoint returns 404 when `enable_group_commit_streamload_be_forward=false` (default)
- [ ] Verify endpoint works with auth when config is enabled on both FE and BE
- [ ] Verify unauthenticated requests are rejected with 403/401
- [ ] Run regression test `test_group_commit_redirect` in docker cloud mode

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
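The gating and two-tier authentication scheme the PR summary describes, modelled as a small added example. This is illustration code, not Apache Doris code: the handler name, the shared internal token value, the Basic Auth user table, and the choice of 401 for "no credential presented" versus 403 for "credential presented but wrong" are all assumptions made here, as is the idea that the token is checked with a constant-time comparison and removed from the query string before the request is forwarded.

```python
"""Model of the _stream_load_forward gating + auth described in the PR.

Added illustration only (not Doris code). Assumptions: a token shared by
FE and BE, a constructed Basic Auth user table, 404 when the endpoint is
not registered, 401 with no credential, 403 with a wrong credential.
"""
import base64
import hmac
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: internal token shared by FE and BE (constructed value).
INTERNAL_AUTH_TOKEN = "fe-be-internal-token-0123456789"
# Constructed users for the HttpHandlerWithAuth-style Basic Auth fallback.
BASIC_AUTH_USERS: Dict[str, str] = {"load_user": "load_pass"}
TOKEN_PARAM = "auth_token"


def basic_auth_header(user: str, password: str) -> str:
    """Build an RFC 7617 Basic Authorization header value (test helper)."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def _basic_auth_ok(authorization: Optional[str]) -> Optional[bool]:
    """None if no Basic credential was supplied, else True/False."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = raw.partition(":")
    expected = BASIC_AUTH_USERS.get(user)
    if not sep or expected is None:
        return False
    return hmac.compare_digest(password, expected)


def handle_stream_load_forward(forward_enabled: bool, request_url: str,
                               headers: Dict[str, str]) -> Tuple[int, Optional[str]]:
    """Return (status, url_to_forward).

    404: endpoint not registered (config off).
    401: no credential at all.
    403: token or Basic credential present but wrong.
    200: authenticated; second element is the URL with auth_token removed.
    """
    if not forward_enabled:
        return 404, None

    parts = urlsplit(request_url)
    params: List[Tuple[str, str]] = parse_qsl(parts.query, keep_blank_values=True)
    token = next((v for k, v in params if k == TOKEN_PARAM), None)

    if token is not None:
        # Fast path: FE put the internal token in the redirect URL.
        if not hmac.compare_digest(token, INTERNAL_AUTH_TOKEN):
            return 403, None
    else:
        # Rolling-upgrade fallback: an older FE sends no token, so accept
        # the user's own Basic credentials instead.
        basic = _basic_auth_ok(headers.get("Authorization"))
        if basic is None:
            return 401, None
        if not basic:
            return 403, None

    # Strip the internal token so it is never relayed to the target.
    stripped = [(k, v) for k, v in params if k != TOKEN_PARAM]
    forward_url = urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(stripped), parts.fragment)
    )
    return 200, forward_url


if __name__ == "__main__":
    url = ("http://be1:8040/api/_stream_load_forward"
           f"?db=test&table=t1&{TOKEN_PARAM}={INTERNAL_AUTH_TOKEN}")
    print(handle_stream_load_forward(False, url, {}))
    print(handle_stream_load_forward(True, url, {}))
    print(handle_stream_load_forward(True, url.split("&auth_token")[0], {}))
```

One practical caveat with the fast path: because the token travels in the URL rather than a header, any access log, proxy log or error message that records the full request line will capture it, so log redaction of `auth_token` belongs alongside the strip-before-forward step.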
