gaborgsomogyi commented on PR #854: URL: https://github.com/apache/flink-web/pull/854#issuecomment-4622812248
Thanks @MartijnVisser, your version highlighted important gaps. Applied the following:

- Added authenticating proxy guidance: the REST API supports mutual TLS for client certificate auth; the SQL Gateway has no built-in mechanism and needs a proxy in front
- Added input data deserialization as an in-scope attack surface where no Flink-level control exists to prevent it
- Tightened the RCE out-of-scope row to explicitly exclude SQL Gateway submissions, clarifying that SQL injection leading to code execution is in scope

Unless there are further comments, I intend to merge as discussed. I agree there is a huge amount of things to do around here. One clear direction is to answer the `how`. Another one is CVE tracking in general.
