github-advanced-security[bot] commented on code in PR #18259:
URL: https://github.com/apache/druid/pull/18259#discussion_r2208012432
##########
extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jSessionStore.java:
##########
@@ -97,36 +103,90 @@
Cookie cookie;
if (value == null) {
- cookie = new Cookie(PAC4J_SESSION_PREFIX + key, null);
+ cookie = new Cookie(PAC4J_SESSION_PREFIX + key, "");
+ cookie.setMaxAge(0);
} else {
- if (key.contentEquals(Pac4jConstants.USER_PROFILES)) {
+ if (Pac4jConstants.USER_PROFILES.equals(key)) {
/* trim the profile object */
profile = clearUserProfile(value);
}
LOGGER.debug("Save in session: [%s] = [%s]", key, profile);
- cookie = new Cookie(
- PAC4J_SESSION_PREFIX + key,
- compressEncryptBase64(profile)
- );
+
+ String encryptedValue = compressEncryptBase64(profile);
+ cookie = new Cookie(PAC4J_SESSION_PREFIX + key, encryptedValue);
+ cookie.setMaxAge(900); // 15 minutes
}
- cookie.setDomain("");
cookie.setHttpOnly(true);
- cookie.setSecure(ContextHelper.isHttpsOrSecure(context));
+ cookie.setSecure(isHttpsOrSecure(context));
cookie.setPath("/");
- cookie.setMaxAge(900);
- context.addResponseCookie(cookie);
+ if (context instanceof JEEContext) {
+ JEEContext jeeContext = (JEEContext) context;
+ HttpServletResponse response = jeeContext.getNativeResponse();
+ response.addCookie(cookie);
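Review bot: the Secure flag on this cookie is conditional on `isHttpsOrSecure(context)`, so behind a TLS-terminating proxy that does not forward the scheme the session cookie is emitted without Secure, which is what the code-scanning alert is pointing at; if the pac4j authenticator is only meant to be served over HTTPS, consider `cookie.setSecure(true)` unconditionally (or a setting that forces it) and document how the scheme is detected when a proxy is in front. Also, replacing the unconditional `context.addResponseCookie(cookie)` with an `instanceof JEEContext` branch means any non-JEEContext caller silently gets no cookie at all; the branch should fall back to `context.addResponseCookie(cookie)` or fail with an explicit error rather than drop the cookie.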
Review Comment:
## Failure to use secure cookies
Cookie is added to response without the 'secure' flag being set.
[Show more details](https://github.com/apache/druid/security/code-scanning/9417)
##########
extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jSessionStore.java:
##########
@@ -141,9 +201,15 @@
private Serializable uncompressDecryptBase64(final String v)
{
if (v != null && !v.isEmpty()) {
- byte[] bytes = StringUtils.decodeBase64String(v);
- if (bytes != null) {
- return
javaSerializationHelper.deserializeFromBytes(unCompress(cryptoService.decrypt(bytes)));
+ try {
+ byte[] bytes = StringUtils.decodeBase64String(v);
+ if (bytes != null) {
+ return
deserializeFromBytes(uncompress(cryptoService.decrypt(bytes)));
+ }
+ }
+ catch (Exception e) {
+ LOGGER.debug("Failed to decrypt cookie value", e);
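Review bot: `LOGGER.debug("Failed to decrypt cookie value", e)` passes the exception as a format argument instead of as the throwable, which is why the scanner reports an unused format argument and also why no stack trace will be logged; Druid's Logger has a throwable-first overload, so this should read `LOGGER.debug(e, "Failed to decrypt cookie value");`. Separately, the new `catch (Exception e)` swallows every failure at debug level, so a cookie that cannot be decrypted (ciphertext tampered with, key rotated, or value corrupted) becomes indistinguishable in production logs from an absent cookie; consider logging at warn so repeated decryption failures are visible, and keep the catch scoped to the decode, decrypt and deserialize calls rather than the whole method body.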
Review Comment:
## Unused format argument
This format call refers to 0 argument(s) but supplies 1 argument(s).
[Show more details](https://github.com/apache/druid/security/code-scanning/9418)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]