ashibhardwaj commented on code in PR #18259:
URL: https://github.com/apache/druid/pull/18259#discussion_r2304231238
##########
extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java:
##########
@@ -85,38 +80,59 @@ public void doFilter(ServletRequest servletRequest,
ServletResponse servletRespo
return;
}
- HttpServletRequest httpServletRequest = (HttpServletRequest)
servletRequest;
- HttpServletResponse httpServletResponse = (HttpServletResponse)
servletResponse;
- JEEContext context = new JEEContext(httpServletRequest,
httpServletResponse, sessionStore);
+ HttpServletRequest request = (HttpServletRequest) servletRequest;
+ HttpServletResponse response = (HttpServletResponse) servletResponse;
+ JEEContext context = new JEEContext(request, response);
+
+ if (request.getRequestURI().equals(callbackPath)) {
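Review bot: the `+ JEEContext context = new JEEContext(request, response);` line drops the `sessionStore` argument that the removed `new JEEContext(httpServletRequest, httpServletResponse, sessionStore)` call passed, but nothing in this hunk shows where the session store is now supplied; please confirm it is handed to the callback and security logic in the branches that follow, since the callback branch depends on state saved in the session during the initial redirect. On `if (request.getRequestURI().equals(callbackPath))`, note that `getRequestURI()` is the raw, undecoded URI and still carries any `;jsessionid=...` path parameter or trailing slash, so such requests fall through to the authentication branch rather than matching; that is a safe failure mode, but it is worth a short comment on `callbackPath` and a unit test for the exact-match behaviour so a later change to a prefix or normalised comparison does not widen it silently.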
Review Comment:
Good point about path traversal in general, but in this specific case I
don't think it's a security concern. This is just determining whether to run
OAuth callback logic vs. authentication logic for a fixed, well-known OAuth
callback endpoint (/druid-ext/druid-pac4j/callback).
If someone tries path traversal, it would:
- Fail the equals() check
- Fall through to the authentication logic instead of callback logic
- Not grant any unauthorized access
The callback logic itself validates OAuth parameters and only processes
legitimate callbacks from the identity provider. So path traversal attempts
would just result in normal authentication flow rather than any security bypass.
This was the equivalent check we had in pac4j v4
(Pac4jCallbackResource.SELF_URL.equals(httpServletRequest.getRequestURI())),
and simple string equality is sufficient for this OAuth callback use case.