imbajin commented on code in PR #2945:
URL: https://github.com/apache/incubator-hugegraph/pull/2945#discussion_r2731181842
##########
hugegraph-store/hg-store-node/src/main/java/org/apache/hugegraph/store/node/controller/PartitionAPI.java:
##########
@@ -225,6 +238,13 @@ public Map<String, Object> okMap(String k, Object v) {
return map;
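Review bot: the only line visible in this hunk is the `return map;` of `okMap(String k, Object v)`, which just builds the JSON body, so a status-code fix cannot land here; the `ResponseEntity` (or `HttpServletResponse#setStatus`) change has to be made in the endpoint method that calls `okMap`/`forbiddenMap`, otherwise the body and the HTTP status line will keep disagreeing.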
Review Comment:
‼️ **Critical: HTTP response status is not properly returned**
The method returns a Map with `status: 403` in the body, but Spring will still return an HTTP 200 status code since the method returns `Map<String, Object>`.
The client/browser will see HTTP 200 OK with a JSON body containing status
403, which is semantically incorrect and may bypass security checks on the
client side.
**Suggestion:** Return proper HTTP status code using `ResponseEntity`:
```java
@GetMapping(value = "/arthasstart", produces = "application/json")
public ResponseEntity<Map<String, Object>> arthasstart(
        @RequestParam(required = false, defaultValue = "") String flags) {
    // ... check logic ...
    if (!isLocalRequest) {
        return ResponseEntity.status(HttpStatus.FORBIDDEN)
                             .body(forbiddenMap("arthasstart",
                                   List.of("Arthas start is ONLY allowed from localhost.")));
    }
    // ... normal flow returns ResponseEntity.ok(okMap(...))
}
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
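The point raised in the review, shown side by side as an added example (this is not code from the PR or from the hugegraph project): the same localhost gate once as a method returning a plain `Map`, which Spring serialises with HTTP 200 whatever the body says, and once wrapped in `ResponseEntity`, which puts the 403 on the status line. The controller name, the `/demo/*` paths, the `isLoopback` helper, and the use of the `jakarta.servlet` package (Spring Boot 3) are assumptions for the example; a Spring Boot 2 code base would import `javax.servlet` instead.

```java
package org.example.demo; // hypothetical package, not the project's

import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import jakarta.servlet.http.HttpServletRequest;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class StatusDemoController {

    // Before: the body carries "status": 403, but because the return type is a
    // plain Map, Spring's message converter writes it with HTTP 200 OK.
    // A client that only looks at the status line treats this as success.
    @GetMapping(value = "/demo/map", produces = MediaType.APPLICATION_JSON_VALUE)
    public Map<String, Object> asMap(HttpServletRequest req) {
        if (!isLoopback(req)) {
            return forbiddenMap("demo", List.of("ONLY allowed from localhost."));
        }
        return okMap("demo", "started");
    }

    // After: ResponseEntity sets the HTTP status line as well as the body,
    // so "HTTP/1.1 403" and "status": 403 agree.
    @GetMapping(value = "/demo/entity", produces = MediaType.APPLICATION_JSON_VALUE)
    public ResponseEntity<Map<String, Object>> asEntity(HttpServletRequest req) {
        if (!isLoopback(req)) {
            return ResponseEntity.status(HttpStatus.FORBIDDEN)
                                 .body(forbiddenMap("demo",
                                       List.of("ONLY allowed from localhost.")));
        }
        return ResponseEntity.ok(okMap("demo", "started"));
    }

    // Localhost check on the TCP peer address (assumed helper). getRemoteAddr()
    // is deliberately used instead of X-Forwarded-For: a client can set that
    // header to "127.0.0.1", but cannot forge the socket peer address.
    // Covers 127.0.0.0/8 and ::1; getByName on an IP literal does no DNS lookup.
    static boolean isLoopback(HttpServletRequest req) {
        try {
            return InetAddress.getByName(req.getRemoteAddr()).isLoopbackAddress();
        } catch (UnknownHostException e) {
            return false; // unparsable address: fail closed
        }
    }

    // Body builders, same shape as the page describes (status + payload).
    static Map<String, Object> okMap(String k, Object v) {
        Map<String, Object> map = new LinkedHashMap<>();
        map.put("status", 200);
        map.put(k, v);
        return map;
    }

    static Map<String, Object> forbiddenMap(String k, List<String> reasons) {
        Map<String, Object> map = new LinkedHashMap<>();
        map.put("status", 403);
        map.put(k, reasons);
        return map;
    }
}
```

With the application running, `curl -i http://127.0.0.1:8080/demo/map` from a remote host still answers `HTTP/1.1 200` with a 403 in the body, while `/demo/entity` answers `HTTP/1.1 403`. If changing the method signature is undesirable, the alternative is to keep the `Map` return type, inject `HttpServletResponse`, and call `response.setStatus(HttpStatus.FORBIDDEN.value())` before returning the forbidden body; either way the check belongs in the endpoint method, not in the map builders.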