sonatype-lift[bot] commented on code in PR #975: URL: https://github.com/apache/solr/pull/975#discussion_r948314317
########## solr/core/src/java/org/apache/solr/handler/api/SomeCoreResource.java: ########## @@ -0,0 +1,44 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.solr.handler.api; + +import org.apache.solr.api.JerseyResource; +import org.apache.solr.jersey.PermissionName; +import org.apache.solr.security.PermissionNameProvider; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import javax.ws.rs.GET; +import javax.ws.rs.Path; +import javax.ws.rs.PathParam; +import javax.ws.rs.Produces; +import javax.ws.rs.core.MediaType; +import java.lang.invoke.MethodHandles; + +@Path("/collections/{collectionName}/somecorepath") +public class SomeCoreResource extends JerseyResource { + private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass()); + + @GET + @Produces(MediaType.TEXT_PLAIN) + @PermissionName(PermissionNameProvider.Name.READ_PERM) + public String helloPlainText(@PathParam("collectionName") String collectionName) { + log.info("Made it into SomeCoreResource.helloPlainText with collName {}", collectionName); Review Comment: *[CRLF_INJECTION_LOGS](https://find-sec-bugs.github.io/bugs.htm#CRLF_INJECTION_LOGS):* This use of org/slf4j/Logger.info(Ljava/lang/String;Ljava/lang/Object;)V might be used to include CRLF characters into log messages --- Reply with *"**@sonatype-lift help**"* for info about LiftBot commands. Reply with *"**@sonatype-lift ignore**"* to tell LiftBot to leave out the above finding from this PR. Reply with *"**@sonatype-lift ignoreall**"* to tell LiftBot to leave out all the findings from this PR and from the status bar in Github. When talking to LiftBot, you need to **refresh** the page to see its response. [Click here](https://help.sonatype.com/lift/talking-to-lift) to get to know more about LiftBot commands. --- Was this a good recommendation? [ [🙁 Not relevant](https://www.sonatype.com/lift-comment-rating?comment=317026945&lift_comment_rating=1) ] - [ [😕 Won't fix](https://www.sonatype.com/lift-comment-rating?comment=317026945&lift_comment_rating=2) ] - [ [😑 Not critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=317026945&lift_comment_rating=3) ] - [ [🙂 Critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=317026945&lift_comment_rating=4) ] - [ [😊 Critical, fixing now](https://www.sonatype.com/lift-comment-rating?comment=317026945&lift_comment_rating=5) ] ########## solr/core/src/java/org/apache/solr/security/AuthorizationUtils.java: ########## @@ -0,0 +1,126 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.solr.security; + +import org.apache.http.HttpStatus; +import org.apache.solr.common.params.SolrParams; +import org.apache.solr.core.CoreContainer; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.io.IOException; +import java.lang.invoke.MethodHandles; +import java.util.ArrayList; +import java.util.List; +import java.util.Map; + +import static org.apache.solr.common.cloud.ZkStateReader.COLLECTION_PROP; +import static org.apache.solr.common.params.CollectionParams.CollectionAction.CREATE; +import static org.apache.solr.common.params.CollectionParams.CollectionAction.DELETE; +import static org.apache.solr.common.params.CollectionParams.CollectionAction.RELOAD; +import static org.apache.solr.servlet.HttpSolrCall.shouldAudit; + +public class AuthorizationUtils { + private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass()); + + private AuthorizationUtils() { /* Private ctor prevents instantiation */} + + public static class AuthorizationFailure { + private final int statusCode; + private final String message; + public AuthorizationFailure(int statusCode, String message) { + this.statusCode = statusCode; + this.message = message; + } + + public int getStatusCode() { return statusCode; } + public String getMessage() { return message; } + } + + public static AuthorizationFailure authorize(HttpServletRequest servletReq, HttpServletResponse response, + CoreContainer cores, AuthorizationContext context) throws IOException { + log.debug("AuthorizationContext : {}", context); + AuthorizationResponse authResponse = cores.getAuthorizationPlugin().authorize(context); + int statusCode = authResponse.statusCode; + + if (statusCode == AuthorizationResponse.PROMPT.statusCode) { + @SuppressWarnings({"unchecked"}) + Map<String, String> headers = + (Map<String, String>) servletReq.getAttribute(AuthenticationPlugin.class.getName()); + if (headers != null) { + for (Map.Entry<String, String> e : headers.entrySet()) + response.setHeader(e.getKey(), e.getValue()); + } + if (log.isDebugEnabled()) { + log.debug("USER_REQUIRED {} {}", servletReq.getHeader("Authorization"), servletReq.getUserPrincipal()); + } + if (shouldAudit(cores, AuditEvent.EventType.REJECTED)) { + cores.getAuditLoggerPlugin().doAudit(new AuditEvent(AuditEvent.EventType.REJECTED, servletReq, context)); + } + return new AuthorizationFailure(statusCode, "Authentication failed, Response code: " + statusCode); + } + if (statusCode == AuthorizationResponse.FORBIDDEN.statusCode) { + if (log.isDebugEnabled()) { + log.debug( Review Comment: *[CRLF_INJECTION_LOGS](https://find-sec-bugs.github.io/bugs.htm#CRLF_INJECTION_LOGS):* This use of org/slf4j/Logger.debug(Ljava/lang/String;[Ljava/lang/Object;)V might be used to include CRLF characters into log messages --- Reply with *"**@sonatype-lift help**"* for info about LiftBot commands. Reply with *"**@sonatype-lift ignore**"* to tell LiftBot to leave out the above finding from this PR. Reply with *"**@sonatype-lift ignoreall**"* to tell LiftBot to leave out all the findings from this PR and from the status bar in Github. When talking to LiftBot, you need to **refresh** the page to see its response. [Click here](https://help.sonatype.com/lift/talking-to-lift) to get to know more about LiftBot commands. --- Was this a good recommendation? [ [🙁 Not relevant](https://www.sonatype.com/lift-comment-rating?comment=317027078&lift_comment_rating=1) ] - [ [😕 Won't fix](https://www.sonatype.com/lift-comment-rating?comment=317027078&lift_comment_rating=2) ] - [ [😑 Not critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=317027078&lift_comment_rating=3) ] - [ [🙂 Critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=317027078&lift_comment_rating=4) ] - [ [😊 Critical, fixing now](https://www.sonatype.com/lift-comment-rating?comment=317027078&lift_comment_rating=5) ] ########## solr/core/src/java/org/apache/solr/security/AuthorizationUtils.java: ########## @@ -0,0 +1,126 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.solr.security; + +import org.apache.http.HttpStatus; +import org.apache.solr.common.params.SolrParams; +import org.apache.solr.core.CoreContainer; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.io.IOException; +import java.lang.invoke.MethodHandles; +import java.util.ArrayList; +import java.util.List; +import java.util.Map; + +import static org.apache.solr.common.cloud.ZkStateReader.COLLECTION_PROP; +import static org.apache.solr.common.params.CollectionParams.CollectionAction.CREATE; +import static org.apache.solr.common.params.CollectionParams.CollectionAction.DELETE; +import static org.apache.solr.common.params.CollectionParams.CollectionAction.RELOAD; +import static org.apache.solr.servlet.HttpSolrCall.shouldAudit; + +public class AuthorizationUtils { + private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass()); + + private AuthorizationUtils() { /* Private ctor prevents instantiation */} + + public static class AuthorizationFailure { + private final int statusCode; + private final String message; + public AuthorizationFailure(int statusCode, String message) { + this.statusCode = statusCode; + this.message = message; + } + + public int getStatusCode() { return statusCode; } + public String getMessage() { return message; } + } + + public static AuthorizationFailure authorize(HttpServletRequest servletReq, HttpServletResponse response, + CoreContainer cores, AuthorizationContext context) throws IOException { + log.debug("AuthorizationContext : {}", context); + AuthorizationResponse authResponse = cores.getAuthorizationPlugin().authorize(context); + int statusCode = authResponse.statusCode; + + if (statusCode == AuthorizationResponse.PROMPT.statusCode) { + @SuppressWarnings({"unchecked"}) + Map<String, String> headers = + (Map<String, String>) servletReq.getAttribute(AuthenticationPlugin.class.getName()); + if (headers != null) { + for (Map.Entry<String, String> e : headers.entrySet()) + response.setHeader(e.getKey(), e.getValue()); Review Comment: *CROSS_SITE_SCRIPTING:* UserControlledString(HttpServletRequest.getAttribute(...)) at line 66 ~> HTML(HttpServletResponse.setHeader(...)) at line 69. --- Reply with *"**@sonatype-lift help**"* for info about LiftBot commands. Reply with *"**@sonatype-lift ignore**"* to tell LiftBot to leave out the above finding from this PR. Reply with *"**@sonatype-lift ignoreall**"* to tell LiftBot to leave out all the findings from this PR and from the status bar in Github. When talking to LiftBot, you need to **refresh** the page to see its response. [Click here](https://help.sonatype.com/lift/talking-to-lift) to get to know more about LiftBot commands. --- Was this a good recommendation? [ [🙁 Not relevant](https://www.sonatype.com/lift-comment-rating?comment=317027804&lift_comment_rating=1) ] - [ [😕 Won't fix](https://www.sonatype.com/lift-comment-rating?comment=317027804&lift_comment_rating=2) ] - [ [😑 Not critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=317027804&lift_comment_rating=3) ] - [ [🙂 Critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=317027804&lift_comment_rating=4) ] - [ [😊 Critical, fixing now](https://www.sonatype.com/lift-comment-rating?comment=317027804&lift_comment_rating=5) ] ########## solr/core/src/java/org/apache/solr/handler/admin/ConfigSetsHandler.java: ########## @@ -75,6 +77,18 @@ public static boolean isAutoGeneratedConfigSet(String configName) { return configName != null && configName.endsWith(AUTOCREATED_CONFIGSET_SUFFIX); } + private void squashIntoSolrResponse(SolrQueryResponse rsp, ReflectMapWriter mw) { + Map<String, Object> myMap = new HashMap<>(); + myMap = mw.toMap(myMap); + if (myMap.isEmpty()) { + log.info("Hmm, map is empty after writing in values from {}", mw); + } + for (String key : myMap.keySet()) { + log.info("Adding key={}, value={} to rsp", key, myMap.get(key)); + rsp.add(key, myMap.get(key)); Review Comment: *INEFFICIENT_KEYSET_ITERATOR:* Accessing a value using a key that was retrieved from a `keySet` iterator. It is more efficient to use an iterator on the `entrySet` of the map, avoiding the extra `HashMap.get(key)` lookup. --- Reply with *"**@sonatype-lift help**"* for info about LiftBot commands. Reply with *"**@sonatype-lift ignore**"* to tell LiftBot to leave out the above finding from this PR. Reply with *"**@sonatype-lift ignoreall**"* to tell LiftBot to leave out all the findings from this PR and from the status bar in Github. When talking to LiftBot, you need to **refresh** the page to see its response. [Click here](https://help.sonatype.com/lift/talking-to-lift) to get to know more about LiftBot commands. --- Was this a good recommendation? [ [🙁 Not relevant](https://www.sonatype.com/lift-comment-rating?comment=317027791&lift_comment_rating=1) ] - [ [😕 Won't fix](https://www.sonatype.com/lift-comment-rating?comment=317027791&lift_comment_rating=2) ] - [ [😑 Not critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=317027791&lift_comment_rating=3) ] - [ [🙂 Critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=317027791&lift_comment_rating=4) ] - [ [😊 Critical, fixing now](https://www.sonatype.com/lift-comment-rating?comment=317027791&lift_comment_rating=5) ] ########## solr/core/src/java/org/apache/solr/handler/admin/ConfigSetsHandler.java: ########## @@ -75,6 +77,18 @@ public static boolean isAutoGeneratedConfigSet(String configName) { return configName != null && configName.endsWith(AUTOCREATED_CONFIGSET_SUFFIX); } + private void squashIntoSolrResponse(SolrQueryResponse rsp, ReflectMapWriter mw) { + Map<String, Object> myMap = new HashMap<>(); + myMap = mw.toMap(myMap); + if (myMap.isEmpty()) { + log.info("Hmm, map is empty after writing in values from {}", mw); + } + for (String key : myMap.keySet()) { + log.info("Adding key={}, value={} to rsp", key, myMap.get(key)); Review Comment: *INEFFICIENT_KEYSET_ITERATOR:* Accessing a value using a key that was retrieved from a `keySet` iterator. It is more efficient to use an iterator on the `entrySet` of the map, avoiding the extra `HashMap.get(key)` lookup. --- Reply with *"**@sonatype-lift help**"* for info about LiftBot commands. Reply with *"**@sonatype-lift ignore**"* to tell LiftBot to leave out the above finding from this PR. Reply with *"**@sonatype-lift ignoreall**"* to tell LiftBot to leave out all the findings from this PR and from the status bar in Github. When talking to LiftBot, you need to **refresh** the page to see its response. [Click here](https://help.sonatype.com/lift/talking-to-lift) to get to know more about LiftBot commands. --- Was this a good recommendation? [ [🙁 Not relevant](https://www.sonatype.com/lift-comment-rating?comment=317028064&lift_comment_rating=1) ] - [ [😕 Won't fix](https://www.sonatype.com/lift-comment-rating?comment=317028064&lift_comment_rating=2) ] - [ [😑 Not critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=317028064&lift_comment_rating=3) ] - [ [🙂 Critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=317028064&lift_comment_rating=4) ] - [ [😊 Critical, fixing now](https://www.sonatype.com/lift-comment-rating?comment=317028064&lift_comment_rating=5) ] ########## solr/core/src/java/org/apache/solr/jersey/SolrRequestAuthorizer.java: ########## @@ -0,0 +1,126 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.solr.jersey; + +import org.apache.solr.common.params.SolrParams; +import org.apache.solr.core.CoreContainer; +import org.apache.solr.core.SolrCore; +import org.apache.solr.security.AuthorizationContext; +import org.apache.solr.security.AuthorizationUtils; +import org.apache.solr.security.HttpServletAuthorizationContext; +import org.apache.solr.security.PermissionNameProvider; +import org.apache.solr.servlet.ServletUtils; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import javax.ws.rs.container.ContainerRequestContext; +import javax.ws.rs.container.ContainerRequestFilter; +import javax.ws.rs.container.ResourceInfo; +import javax.ws.rs.core.Context; +import javax.ws.rs.core.Response; +import javax.ws.rs.ext.Provider; +import java.io.IOException; +import java.lang.invoke.MethodHandles; +import java.util.List; + +@Provider +public class SolrRequestAuthorizer implements ContainerRequestFilter { + + public static final String CORE_CONTAINER_PROP_NAME = CoreContainer.class.getName(); + public static final String HTTP_SERVLET_REQ_PROP_NAME = HttpServletRequest.class.getName(); + public static final String HTTP_SERVLET_RSP_PROP_NAME = HttpServletResponse.class.getName(); + public static final String SOLR_CORE_PROP_NAME = SolrCore.class.getName(); + public static final String REQUEST_TYPE_PROP_NAME = AuthorizationContext.RequestType.class.getName(); + public static final String SOLR_PARAMS_PROP_NAME = SolrParams.class.getName(); + public static final String COLLECTION_LIST_PROP_NAME = "collection_name_list"; + + private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass()); + + @Context + private ResourceInfo resourceInfo; + + public SolrRequestAuthorizer() { + log.info("Creating a new SolrRequestAuthorizer"); + } + + @SuppressWarnings("unchecked") + @Override + public void filter(ContainerRequestContext requestContext) throws IOException { + final CoreContainer coreContainer = (CoreContainer) requestContext.getProperty(CORE_CONTAINER_PROP_NAME); + final SolrCore solrCore = (SolrCore) requestContext.getProperty(SOLR_CORE_PROP_NAME); // May be null Review Comment: 💬 5 similar findings have been found in this PR --- *[UnusedVariable](https://errorprone.info/bugpattern/UnusedVariable):* The local variable 'solrCore' is never read. --- <details><summary><b>Expand here to view all instances of this finding</b></summary><br/> <div align="center"> | **File Path** | **Line Number** | | ------------- | ------------- | | solr/core/src/java/org/apache/solr/handler/ReplicationHandler.java | [148](https://github.com/gerlowskija/solr/blob/051d2d568d2bd25660d21f19c4b4a88295f598a9/solr/core/src/java/org/apache/solr/handler/ReplicationHandler.java#L148)| | solr/core/src/java/org/apache/solr/handler/ReplicationHandler.java | [615](https://github.com/gerlowskija/solr/blob/051d2d568d2bd25660d21f19c4b4a88295f598a9/solr/core/src/java/org/apache/solr/handler/ReplicationHandler.java#L615)| | solr/core/src/java/org/apache/solr/handler/ReplicationHandler.java | [506](https://github.com/gerlowskija/solr/blob/051d2d568d2bd25660d21f19c4b4a88295f598a9/solr/core/src/java/org/apache/solr/handler/ReplicationHandler.java#L506)| | solr/core/src/java/org/apache/solr/jersey/SolrRequestAuthorizer.java | [96](https://github.com/gerlowskija/solr/blob/051d2d568d2bd25660d21f19c4b4a88295f598a9/solr/core/src/java/org/apache/solr/jersey/SolrRequestAuthorizer.java#L96)| | solr/core/src/java/org/apache/solr/core/ConfigOverlay.java | [182](https://github.com/gerlowskija/solr/blob/051d2d568d2bd25660d21f19c4b4a88295f598a9/solr/core/src/java/org/apache/solr/core/ConfigOverlay.java#L182)| <p><a href="https://lift.sonatype.com/results/github.com/apache/solr/01GAPF3M32GGTWD6W3BR98PRRD?t=ErrorProne|UnusedVariable" target="_blank">Visit the Lift Web Console</a> to find more details in your report.</p></div></details> --- Reply with *"**@sonatype-lift help**"* for info about LiftBot commands. Reply with *"**@sonatype-lift ignore**"* to tell LiftBot to leave out the above finding from this PR. Reply with *"**@sonatype-lift ignoreall**"* to tell LiftBot to leave out all the findings from this PR and from the status bar in Github. When talking to LiftBot, you need to **refresh** the page to see its response. [Click here](https://help.sonatype.com/lift/talking-to-lift) to get to know more about LiftBot commands. --- Was this a good recommendation? [ [🙁 Not relevant](https://www.sonatype.com/lift-comment-rating?comment=317026749&lift_comment_rating=1) ] - [ [😕 Won't fix](https://www.sonatype.com/lift-comment-rating?comment=317026749&lift_comment_rating=2) ] - [ [😑 Not critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=317026749&lift_comment_rating=3) ] - [ [🙂 Critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=317026749&lift_comment_rating=4) ] - [ [😊 Critical, fixing now](https://www.sonatype.com/lift-comment-rating?comment=317026749&lift_comment_rating=5) ] -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
