imbajin commented on code in PR #2945:
URL: https://github.com/apache/incubator-hugegraph/pull/2945#discussion_r2731184528


##########
hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/config/ServerOptions.java:
##########
@@ -439,15 +439,15 @@ public class ServerOptions extends OptionHolder {
                     "arthas.ip",
                     "arthas bound ip",
                     disallowEmpty(),
-                    "0.0.0.0"
+                    "127.0.0.1"
             );
 
     public static final ConfigOption<String> ARTHAS_DISABLED_COMMANDS =
             new ConfigOption<>(
                     "arthas.disabledCommands",
                     "arthas disabled commands",
                     disallowEmpty(),
-                    "jad"
+                    "jad,ognl,vmtool"
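Review bot: `disallowEmpty()` only rejects an empty string, so a typo in the comma-separated `arthas.disabledCommands` value (for example `vmtools` instead of `vmtool`) would pass validation and silently leave the real command enabled; consider validating each entry against the known command names, or at least listing the expected names in the option description instead of the bare `"arthas disabled commands"`. Also, changing the default of `arthas.ip` from `0.0.0.0` to `127.0.0.1` changes behaviour for deployments that relied on the old default being reachable from other hosts, so the description string `"arthas bound ip"` and the release notes should state that the default is now loopback-only and that remote access requires an explicit override.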

Review Comment:
   🧹 **Minor: Good security improvement**
   
   Adding `vmtool` to disabled commands is a good security hardening measure, 
as `vmtool` can be used to manipulate JVM internals and potentially execute 
arbitrary code.
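To make the hardened defaults above checkable on a running deployment, here is a small configuration lint (an added example, not HugeGraph project code). It parses a Java-style `.properties` file, reports an `arthas.ip` that is not a loopback address, and reports any of `jad`, `ognl`, `vmtool` missing from `arthas.disabledCommands`. The option names and the required command set come from the diff above; the sample properties text is constructed for illustration, and the assumption that an unset option takes the PR's new default is noted in the comments.

```python
"""Lint the two Arthas options touched in this PR (added example, not HugeGraph code).

Reads Java-style .properties text and flags:
  * arthas.ip bound to a non-loopback address, and
  * arthas.disabledCommands lacking any of jad / ognl / vmtool.
"""

import ipaddress

# Hardened default from the diff: these commands must be disabled.
REQUIRED_DISABLED = {"jad", "ognl", "vmtool"}

# Constructed sample: an older deployment overriding both options with the
# pre-PR values (exposed on all interfaces, only 'jad' disabled).
SAMPLE_PROPERTIES = """
# rest-server.properties (constructed sample)
restserver.url=http://127.0.0.1:8080
arthas.ip=0.0.0.0
arthas.disabledCommands=jad
arthas.telnetPort=8562
"""


def parse_properties(text):
    """Minimal .properties parser: key=value or key:value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # The first '=' or ':' separates key from value; the value may itself
        # contain ':' (e.g. a URL), so we take the earliest separator only.
        idx = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if idx < 0:
            props[line] = ""
            continue
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def lint_arthas(props):
    """Return a list of findings; an empty list means the hardened settings apply."""
    findings = []

    # Assumption: an unset option takes the PR's new default (127.0.0.1).
    ip = props.get("arthas.ip", "127.0.0.1")
    try:
        if not ipaddress.ip_address(ip).is_loopback:
            findings.append(
                f"arthas.ip={ip} is not a loopback address; "
                "the Arthas console would be reachable from other hosts"
            )
    except ValueError:
        findings.append(f"arthas.ip={ip!r} is not a valid IP address")

    # Assumption: an unset option takes the PR's new default list.
    raw = props.get("arthas.disabledCommands", "jad,ognl,vmtool")
    disabled = {c.strip() for c in raw.split(",") if c.strip()}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append("arthas.disabledCommands is missing: " + ", ".join(missing))
    return findings


if __name__ == "__main__":
    for finding in lint_arthas(parse_properties(SAMPLE_PROPERTIES)) or ["OK"]:
        print(finding)
```

Run against a real `rest-server.properties` by reading the file into `parse_properties`; a deployment that leaves both options unset passes, because the lint applies the PR's new defaults, while the constructed sample above produces two findings.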



##########
hugegraph-store/hg-store-node/src/main/java/org/apache/hugegraph/store/node/controller/PartitionAPI.java:
##########
@@ -189,6 +192,16 @@ public Map<String, Object> 
cleanPartition(@PathVariable(value = "id") int id) th
     @GetMapping(value = "/arthasstart", produces = "application/json")
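Review bot: the context line `@GetMapping(value = "/arthasstart", produces = "application/json")` maps an action that starts Arthas to an HTTP GET; a state-changing operation should be a `@PostMapping` so it cannot be triggered by link prefetching, crawlers or a plain browser navigation, and the excerpt shows no authorization guard on the handler, so confirm that the endpoint is restricted to administrators (or disabled by default) and record that check in the PR's "Verifying these changes" section.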

Review Comment:
   🧹 **Minor: PR description needs completion**
   
   The PR description has placeholder text `close #xxx`. Please update with the 
actual issue number or remove if this is a standalone improvement.
   
   Also, the "Verifying these changes" section should be checked - this 
security change would benefit from test coverage or manual verification steps.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
