ptlrs commented on code in PR #9603:
URL: https://github.com/apache/ozone/pull/9603#discussion_r2671126229
##########
hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/PrometheusServlet.java:
##########
@@ -49,6 +49,7 @@ protected void doGet(HttpServletRequest req,
HttpServletResponse resp)
String authorizationHeader = req.getHeader("Authorization");
if (authorizationHeader == null
|| !authorizationHeader.startsWith(BEARER)
+ || authorizationHeader.length() <= BEARER.length()
|| !securityToken.equals(
authorizationHeader.substring(BEARER.length() + 1))) {
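Review bot: the added `length() <= BEARER.length()` guard only papers over the real defect on the last line of the hunk, `substring(BEARER.length() + 1)`: the `+ 1` skips the character after the `Bearer` prefix without checking that it is the space, so the guard stops the `StringIndexOutOfBoundsException` for a header that is exactly `Bearer` but the scheme and token are still accepted with any single separator character between them. Putting the space into the constant (`BEARER = "Bearer "`) and calling `substring(BEARER.length())` makes the length guard unnecessary and ties the match to the exact `Bearer ` prefix. Separately, `securityToken.equals(...)` is an ordinary string comparison that stops at the first mismatching character; `MessageDigest.isEqual(byte[], byte[])` would compare the two values in constant time.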
Review Comment:
We have an off-by-one error.
Instead of adding this new check we should instead set the Bearer string
with the space and create a substring without the `+1`.
I wonder if we also need to trim the newly obtained substring.
```java
// Prefix constant includes the separating space, so startsWith() also verifies it.
public static final String BEARER = "Bearer ";
// Any header that passes startsWith() is at least BEARER.length() long, so no +1 guard is needed.
if (authorizationHeader == null
    || !authorizationHeader.startsWith(BEARER)
    || !securityToken.equals(
        authorizationHeader.substring(BEARER.length()))) {}
```
##########
hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/http/PrometheusServlet.java:
##########
Review Comment:
There will never be a valid token without a single trailing space after
Bearer.
The `BEARER` string should be set to `Bearer ` (with the trailing space)
instead of `Bearer`.
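The off-by-one and the suggested fix side by side on the edge-case headers, as an added Java example that is not Ozone's code; the token value and the `MessageDigest.isEqual` constant-time comparison are this example's own choices, not something the PR contains:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

/** Added example, not Apache Ozone code: pre-fix vs. fixed bearer-token extraction. */
public class BearerHeaderCheck {
  // Constructed token value, used only for this demonstration.
  static final String SECURITY_TOKEN = "s3cr3t";

  /** Pre-fix logic: prefix without the space, substring skips one unchecked character. */
  static boolean acceptsOld(String header) {
    final String bearer = "Bearer";
    if (header == null || !header.startsWith(bearer)) {
      return false;
    }
    // Throws StringIndexOutOfBoundsException when the header is exactly "Bearer".
    return SECURITY_TOKEN.equals(header.substring(bearer.length() + 1));
  }

  /** Reviewer's suggestion: fold the space into the constant and drop the +1. */
  static boolean acceptsFixed(String header) {
    final String bearer = "Bearer ";
    if (header == null || !header.startsWith(bearer)) {
      return false;
    }
    String presented = header.substring(bearer.length());
    // Constant-time comparison so the check does not stop at the first differing byte.
    return MessageDigest.isEqual(
        SECURITY_TOKEN.getBytes(StandardCharsets.UTF_8),
        presented.getBytes(StandardCharsets.UTF_8));
  }

  public static void main(String[] args) {
    // Constructed sample headers: valid, bare prefix, prefix only, wrong separator, no separator, absent.
    String[] headers = {"Bearer s3cr3t", "Bearer", "Bearer ", "Bearer-s3cr3t", "Bearers3cr3t", null};
    for (String h : headers) {
      String old;
      try {
        old = String.valueOf(acceptsOld(h));
      } catch (StringIndexOutOfBoundsException e) {
        old = "exception";
      }
      System.out.printf("%-16s old=%-9s fixed=%s%n", h, old, acceptsFixed(h));
    }
  }
}
```

Running it shows the pre-fix code throwing on a bare `Bearer` header and accepting `Bearer-s3cr3t`, while the fixed version rejects both and accepts only `Bearer s3cr3t`.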