imbajin commented on code in PR #336:
URL:
https://github.com/apache/incubator-hugegraph-computer/pull/336#discussion_r2422717131
##########
vermeer/apps/master/bl/task_bl.go:
##########
@@ -62,6 +64,53 @@ func (tb *TaskBl) CreateTaskInfo(
return nil, err
}
+ // for scheduler
+ taskInfo.Priority = 0
+ taskInfo.Preorders = make([]int32, 0)
+ taskInfo.Exclusive = true // default to true for now, can be set false
by params
+ if params != nil {
+ if priority, ok := params["priority"]; ok {
+ if p, err := strconv.ParseInt(priority, 10, 32); err ==
nil {
+ if p < 0 {
+ return nil, fmt.Errorf("priority should
be non-negative")
+ }
+ taskInfo.Priority = int32(p)
+ } else {
+ logrus.Warnf("priority convert to int32
error:%v", err)
+ return nil, err
+ }
+ }
+ if preorders, ok := params["preorders"]; ok {
+ preorderList := strings.Split(preorders, ",")
+ for _, preorder := range preorderList {
+ if pid, err := strconv.ParseInt(preorder, 10,
32); err == nil {
+ if taskMgr.GetTaskByID(int32(pid)) ==
nil {
+ return nil,
fmt.Errorf("preorder task id %d not exists", pid)
+ }
+ taskInfo.Preorders =
append(taskInfo.Preorders, int32(pid))
+ } else {
+ logrus.Warnf("preorder convert to int32
error:%v", err)
+ return nil, err
+ }
+ }
+ }
+ if exclusive, ok := params["exclusive"]; ok {
+ if ex, err := strconv.ParseBool(exclusive); err == nil {
+ taskInfo.Exclusive = ex
+ } else {
+ logrus.Warnf("exclusive convert to bool
error:%v", err)
+ return nil, err
+ }
+ }
+ if cronExpr, ok := params["cron_expr"]; ok {
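Review bot: The `preorders` branch at `preorderList := strings.Split(preorders, ",")` accepts an unbounded, untrimmed and possibly duplicated id list straight from the request: each entry costs a `taskMgr.GetTaskByID` lookup and is appended to `taskInfo.Preorders` as-is, so a caller can submit thousands of repeated ids with no cap, while a value like `"1, 2"` is rejected because `strconv.ParseInt` does not strip the space. Trimming each entry, skipping duplicates and enforcing an upper bound on the list length (a new constant such as `maxPreorders`) keeps the scheduler's dependency list small and predictable. The parse-failure paths in this hunk also log and then return the raw `strconv` error; returning it once wrapped with `%w` and dropping the `logrus.Warnf` avoids double-reporting the same failure. Whether a preorder task that has already completed should still be accepted cannot be judged from what is quoted, and `CreateTaskInfo` continues past the quoted hunk.
```go
if preorders, ok := params["preorders"]; ok {
    preorderList := strings.Split(preorders, ",")
    if len(preorderList) > maxPreorders { // bound the dependency list taken from the request
        return nil, fmt.Errorf("too many preorder tasks: %d (max %d)", len(preorderList), maxPreorders)
    }
    seen := make(map[int32]struct{}, len(preorderList))
    for _, preorder := range preorderList {
        pid, err := strconv.ParseInt(strings.TrimSpace(preorder), 10, 32)
        if err != nil {
            return nil, fmt.Errorf("parsing preorder task id %q: %w", preorder, err)
        }
        if _, dup := seen[int32(pid)]; dup {
            continue
        }
        if taskMgr.GetTaskByID(int32(pid)) == nil {
            return nil, fmt.Errorf("preorder task id %d not exists", pid)
        }
        seen[int32(pid)] = struct{}{}
        taskInfo.Preorders = append(taskInfo.Preorders, int32(pid))
    }
}
// … unchanged: exclusive / cron_expr handling …
```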
Review Comment:
**Security concern: Unrestricted cron expression execution**
The cron expression is taken directly from user parameters without
comprehensive validation or rate limiting. Malicious users could:
1. Schedule tasks to run every second, causing resource exhaustion
2. Use complex cron expressions to cause parsing overhead
**Suggested mitigations:**
```go
// Add validation
func (s *ScheduleBl) validateCronExpression(cronExpr string) error {
if err := s.cronManager.CheckCronExpression(cronExpr); err != nil {
return err
}
// Parse and check minimum interval
schedule, err := cron.ParseStandard(cronExpr)
if err != nil {
return err
}
// Ensure minimum 1-minute interval
now := time.Now()
next1 := schedule.Next(now)
next2 := schedule.Next(next1)
interval := next2.Sub(next1)
if interval < time.Minute {
return fmt.Errorf("cron interval too short: %v, minimum 1 minute
required", interval)
}
return nil
}
```
Also add per-user rate limiting for cron task creation.