milleruntime commented on a change in pull request #2075:
URL: https://github.com/apache/accumulo/pull/2075#discussion_r628265358
##########
File path:
core/src/main/java/org/apache/accumulo/core/clientImpl/ClientInfoImpl.java
##########
@@ -115,6 +120,18 @@ public static Properties toProperties(Path propertiesFile)
{
return properties;
}
+ @SuppressFBWarnings(value = "URLCONNECTION_SSRF_FD",
+ justification = "code runs in same security context as user who provided
propertiesURL")
+ public static Properties toProperties(URL propertiesURL) {
+ Properties properties = new Properties();
+ try (InputStream is = propertiesURL.openStream()) {
Review comment:
> Or, are you thinking that parsing the URL itself in order to locate
the stream to read from could itself cause code to be executed?
Yes. But a URL _could_ be a lot of things and there is nothing preventing
the user from opening a stream to "http://www.badguys.com/maliciousFile.exe";
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
