snazy opened a new issue, #528:
URL: https://github.com/apache/polaris/issues/528
### Is this a possible security vulnerability?
- [X] This is NOT a possible security vulnerability
### Describe the bug
Implementations of operations that _create new_ entities, for example in
`PolarisAdminService`, must always generate a _new_ technical ID and not use an
_externally_ provided one.
Many places in the code base do something like this:
```java
public PolarisEntity createCatalog(PolarisEntity entity) {
  ...
  long id =
      entity.getId() <= 0
          ? metaStoreManager.generateNewEntityId(getCurrentPolarisContext()).getId()
          : entity.getId();
  ...
  PolarisEntity polarisEntity =
      new PolarisEntity.Builder(entity)
          .setId(id)
          .setCreateTimestamp(System.currentTimeMillis())
          .build();
  ...
```
The above pattern is error prone and can easily lead to issues like ID
collisions later on.
Such implementations must really ensure that
1. the passed-in ID is either not present or a not-present value (0)
2. the ID of the new entity must always be generated
### To Reproduce
_No response_
### Actual Behavior
_No response_
### Expected Behavior
_No response_
### Additional context
_No response_
### System information
_No response_
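One way to enforce the two requirements listed in the issue, as an added example that is not part of the original issue or of the Polaris code base. `Entity`, `create`, `NO_ID` and the in-memory ID sequence are hypothetical stand-ins for `PolarisEntity` and `metaStoreManager.generateNewEntityId`; records require Java 16 or later.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicLong;

public class CreateIdExample {
  // Hypothetical stand-in for an entity; an ID of 0 means "no ID present".
  record Entity(long id, String name, long createTimestamp) {}

  static final long NO_ID = 0L;

  // Stand-in for the metastore's ID generator (assumption: IDs are unique longs).
  private final AtomicLong idSequence = new AtomicLong(1000);
  private final Map<Long, Entity> store = new HashMap<>();

  Entity create(Entity requested) {
    // Requirement 1: the passed-in ID must be absent. Anything else is rejected
    // instead of being silently adopted, so a caller can never choose the ID.
    if (requested.id() != NO_ID) {
      throw new IllegalArgumentException(
          "create must not be given an ID, got " + requested.id());
    }
    // Requirement 2: the ID of the new entity is always generated server-side.
    long id = idSequence.incrementAndGet();
    Entity created = new Entity(id, requested.name(), System.currentTimeMillis());
    // Defense in depth: fail loudly rather than overwrite an existing entity.
    if (store.putIfAbsent(id, created) != null) {
      throw new IllegalStateException("generated ID collides with existing entity: " + id);
    }
    return created;
  }

  public static void main(String[] args) {
    CreateIdExample service = new CreateIdExample();
    Entity first = service.create(new Entity(NO_ID, "catalog_a", 0));
    System.out.println("created " + first.name() + " with generated id " + first.id());
    try {
      // Constructed input: a create request that carries the ID of an existing entity.
      service.create(new Entity(first.id(), "catalog_b", 0));
    } catch (IllegalArgumentException e) {
      System.out.println("rejected: " + e.getMessage());
    }
  }
}
```

Unlike the `entity.getId() <= 0` check quoted in the issue, this sketch also rejects negative IDs, treating only 0 as the not-present value.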