github-actions[bot] commented on code in PR #65212:
URL: https://github.com/apache/doris/pull/65212#discussion_r3521349380


##########
fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/LoadAction.java:
##########
@@ -854,6 +855,9 @@ private TNetworkAddress 
handleStreamLoadRedirect(HttpServletRequest request, boo
         if (!Config.isCloudMode() || !groupCommit || 
!Config.enable_group_commit_streamload_be_forward) {
             return selectRedirectBackend(request, groupCommit, tableId);
         }

Review Comment:
   This makes cloud group-commit stream load fail whenever HTTP TLS is active 
and BE-forward is enabled. The unsupported part is the `_stream_load_forward` 
BE-to-BE hop, which uses a plain libevent HTTP connection, but the code already 
has a non-forwarding path (`selectRedirectBackend(request, groupCommit, 
tableId)`) used whenever the optimization is disabled. Throwing here converts a 
valid load into `RestBaseResult("group commit stream load BE forward is not 
supported...")` instead of just skipping the optimization. Please fall back to 
the normal redirect path in this branch so TLS does not break group-commit 
loads.



##########
fe/fe-core/src/main/java/org/apache/doris/common/util/HttpURLUtil.java:
##########
@@ -48,6 +50,26 @@ public static HttpURLConnection 
getConnectionWithNodeIdent(String request) throw
         }
     }
 
+    public static HttpURLConnection getInternalConnectionWithNodeIdent(String 
request,
+            InternalHttpClientProvider.Target target) throws IOException {
+        HttpURLConnection conn = getInternalConnection(request, target);
+        setNodeIdentHeaders(conn);
+        return conn;
+    }
+
+    public static HttpURLConnection getInternalConnection(String request,
+            InternalHttpClientProvider.Target target) throws IOException {
+        InternalHttpClientProvider provider = 
InternalHttpClientProviderFactory.getProvider();
+        String normalizedRequest = provider.normalizeInternalUrl(request, 
target);
+        try {
+            SecurityChecker.getInstance().startSSRFChecking(normalizedRequest);

Review Comment:
   `getInternalConnection` now leaves the SSRF hook installed after every 
successful internal open. It starts checking and immediately returns the opened 
connection, but `stopSSRFChecking()` only runs from the catch block; the old 
`getConnectionWithNodeIdent` and the other `SecurityChecker` callers all clear 
the hook in `finally`. Since this helper is now used by successful paths like 
`SHOW CONFIG BACKEND`, `SHOW LOAD WARNINGS`, meta image fetches, and audit/load 
submissions, a real `UrlSecurityChecker` can remain active on the FE worker 
thread and affect unrelated later work. Please restore the same scoped 
lifecycle here and stop the checker on the success path as well.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to