github-advanced-security[bot] commented on code in PR #6190:
URL: https://github.com/apache/hive/pull/6190#discussion_r2528578720


##########
common/src/java/org/apache/hive/http/ProfileOutputServlet.java:
##########
@@ -33,19 +37,43 @@
   private static final long serialVersionUID = 1L;
   private static final Logger LOG = 
LoggerFactory.getLogger(ProfileOutputServlet.class);
 
+  public static final String FILE_QUERY_PARAM = "file";
+
   @Override
   protected void doGet(final HttpServletRequest req, final HttpServletResponse 
resp)
     throws ServletException, IOException {
-    String absoluteDiskPath = 
getServletContext().getRealPath(req.getPathInfo());
-    File requestedFile = new File(absoluteDiskPath);
+    String queriedFile = req.getParameter(FILE_QUERY_PARAM);
+
+    if (queriedFile == null) {
+      writeMessage(resp, "Run the profiler to be able to receive its output");
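
Review bot: the null check on `queriedFile` lets an empty value through: a request where the `file` parameter is present but empty yields `""`, which passes `queriedFile == null`, and nothing in this hunk rejects it before the value reaches the path logic. Extend the guard to `if (queriedFile == null || queriedFile.isEmpty())` so the "Run the profiler" message covers both cases. Also worth confirming that the removed `getServletContext().getRealPath(req.getPathInfo())` lookup was the only place the request path reached the filesystem, since the servlet now keys exclusively on the `file` query parameter.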

Review Comment:
   ## Exceptions should not be thrown from servlet methods

   Handle the following exception that could be thrown by "writeMessage": IOException. See more on [SonarQube Cloud](https://sonarcloud.io/project/issues?id=apache_hive&issues=AZqDte8YXaE8vkeiNAql&open=AZqDte8YXaE8vkeiNAql&pullRequest=6190)

   [Show more details](https://github.com/apache/hive/security/code-scanning/431)



##########
common/src/java/org/apache/hive/http/ProfileOutputServlet.java:
##########
@@ -33,19 +37,43 @@
   private static final long serialVersionUID = 1L;
   private static final Logger LOG = 
LoggerFactory.getLogger(ProfileOutputServlet.class);
 
+  public static final String FILE_QUERY_PARAM = "file";
+
   @Override
   protected void doGet(final HttpServletRequest req, final HttpServletResponse 
resp)
     throws ServletException, IOException {
-    String absoluteDiskPath = 
getServletContext().getRealPath(req.getPathInfo());
-    File requestedFile = new File(absoluteDiskPath);
+    String queriedFile = req.getParameter(FILE_QUERY_PARAM);
+
+    if (queriedFile == null) {
+      writeMessage(resp, "Run the profiler to be able to receive its output");
+      return;
+    }
+    Path outputDir = 
Paths.get(ProfileServlet.OUTPUT_DIR).toAbsolutePath().normalize();
+    Path requestedPath = outputDir.resolve(queriedFile).normalize();
+
+    if (!requestedPath.startsWith(outputDir)) {
+      resp.setStatus(HttpServletResponse.SC_FORBIDDEN);
+      writeMessage(resp, "Access denied: Invalid Path");
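
Review bot: the containment check has the right shape (`Path.startsWith` compares whole path components after `normalize()`, so `..` segments and sibling directories whose name merely shares the `OUTPUT_DIR` prefix are rejected, and an absolute `file` value resolves to itself and fails the check), but two gaps remain in the visible lines. First, `normalize()` is purely lexical and does not follow symbolic links, so a link inside `OUTPUT_DIR` that points outside it would still pass; if that directory is writable by anyone other than the profiler, resolve with `toRealPath()` (after an existence check) and compare real paths, or at least require `Files.isRegularFile(requestedPath)` before serving. Second, the forbidden branch sets the status and writes the message, but the hunk ends before a `return;`; make sure it returns as the null branch above does rather than falling through to the file-serving code.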

Review Comment:
   ## Exceptions should not be thrown from servlet methods

   Handle the following exception that could be thrown by "writeMessage": IOException. See more on [SonarQube Cloud](https://sonarcloud.io/project/issues?id=apache_hive&issues=AZqDte8ZXaE8vkeiNAqm&open=AZqDte8ZXaE8vkeiNAqm&pullRequest=6190)

   [Show more details](https://github.com/apache/hive/security/code-scanning/432)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

