You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@dolphinscheduler.apache.org by GitBox <gi...@apache.org> on 2022/12/12 16:18:45 UTC
[GitHub] [dolphinscheduler] hdygxsj opened a new pull request, #13164: [Improvement][Security]Add CSRF protection(issue-12931)
hdygxsj opened a new pull request, #13164:
URL: https://github.com/apache/dolphinscheduler/pull/13164
<!--Thanks very much for contributing to Apache DolphinScheduler. Please review https://dolphinscheduler.apache.org/en-us/community/development/pull-request.html before opening a pull request.-->
## Purpose of the pull request
close issue #12931
Currently, the dolphinscheduler can be attacked by a CSRF in the following ways.
1. First, someone exits the Dolphinscheduler site but does not clear the cookie
2. The dolphinscheduler api can then be accessed via cookies by other sites or others to submit forms or obtain information without authorization. For example:
or
```html
<form action="http://127.0.0.1:5173/dolphinscheduler/users/get-user-info" method="get">
<input type="submit" value="提交" />
</form>
```
after this pr, when an attacker performs a CSRF attack, he will get a 403 exception.
## Brief change log
I thought it would take a lot of work to introduce Spring security dependencies, so I added a CsrfTokenInterceptor to implement csrf defense.
The CsrfTokenInterceptor does not intercept requests with the token in the http request header to ensure that the api is accessible through the token.
The CsrfTokenInterceptor will get the X-CSRF-TOKEN from the http request header or the _csrf from the request paramter and verify their accuracy.
And changed the ui module to add the request header X-CSRF-TOKEN when making an http request
In the above way, dolphinscheduler can be protected from CSRF attacks only by ensuring that the attacker cannot obtain a correct csrf token
## Verify this pull request
<!--*(Please pick either of the following options)*-->
This pull request is code cleanup without any test coverage.
*(or)*
This pull request is already covered by existing tests, such as *(please describe tests)*.
(or)
This change added tests and can be verified as follows:
<!--*(example:)*
- *Added dolphinscheduler-dao tests for end-to-end.*
- *Added CronUtilsTest to verify the change.*
- *Manually verified the change by testing locally.* -->
(or)
If your pull request contain incompatible change, you should also add it to `docs/docs/en/guide/upgrede/incompatible.md`
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [dolphinscheduler] sonarcloud[bot] commented on pull request #13164: [Improvement][Security]Add CSRF protection(issue-12931)
Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #13164:
URL: https://github.com/apache/dolphinscheduler/pull/13164#issuecomment-1348841747
Kudos, SonarCloud Quality Gate passed! [](https://sonarcloud.io/dashboard?id=apache-dolphinscheduler&pullRequest=13164)
[](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=BUG) [](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=BUG) [0 Bugs](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=BUG)
[](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=VULNERABILITY) [](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=VULNERABILITY) [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=VULNERABILITY)
[](https://sonarcloud.io/project/security_hotspots?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=SECURITY_HOTSPOT) [](https://sonarcloud.io/project/security_hotspots?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=SECURITY_HOTSPOT) [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=SECURITY_HOTSPOT)
[](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=CODE_SMELL) [](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=CODE_SMELL) [5 Code Smells](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=CODE_SMELL)
[](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_coverage&view=list) [69.0% Coverage](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_coverage&view=list)
[](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_duplicated_lines_density&view=list) [0.0% Duplication](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_duplicated_lines_density&view=list)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [dolphinscheduler] hdygxsj commented on a diff in pull request #13164: [Improvement][Security]Add CSRF protection(issue-12931)
Posted by GitBox <gi...@apache.org>.
hdygxsj commented on code in PR #13164:
URL: https://github.com/apache/dolphinscheduler/pull/13164#discussion_r1048170024
##########
dolphinscheduler-ui/src/service/service.ts:
##########
@@ -74,9 +74,12 @@ const err = (err: AxiosError): Promise<AxiosError> => {
service.interceptors.request.use((config: AxiosRequestConfig<any>) => {
config.headers && (config.headers.sessionId = userStore.getSessionId)
const language = cookies.get('language')
+ const sessionId = cookies.get('sessionId')
config.headers = config.headers || {}
if (language) config.headers.language = language
-
+ if (sessionId) {
+ config.headers['X-CSRF-TOKEN'] = sessionId.split('').reverse().join('')
Review Comment:
My current thoughts are as follows,
1. Use the asymmetric encryption algorithm to encrypt. When the front-end end obtains the sessionId, encrypt it using the public key and store the ciphertext persistently using pinia. When the back-end interceptor receives the X-CSRF-TOKEN, decrypt it with the private key and compare it with the sessionId. This comes at the cost of reducing the throughput of the request.
2. Or the back end can provide a get api for obtaining a token. The back end generates the token and persists it in the database. However, I feel that the io cost of querying the database should be higher than that of decrypting.
If the above methods are OK, I can also implement it in this pr
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [dolphinscheduler] sonarcloud[bot] commented on pull request #13164: [Improvement][Security]Add CSRF protection(issue-12931)
Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #13164:
URL: https://github.com/apache/dolphinscheduler/pull/13164#issuecomment-1349049665
Kudos, SonarCloud Quality Gate passed! [](https://sonarcloud.io/dashboard?id=apache-dolphinscheduler&pullRequest=13164)
[](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=BUG) [](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=BUG) [0 Bugs](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=BUG)
[](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=VULNERABILITY) [](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=VULNERABILITY) [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=VULNERABILITY)
[](https://sonarcloud.io/project/security_hotspots?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=SECURITY_HOTSPOT) [](https://sonarcloud.io/project/security_hotspots?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=SECURITY_HOTSPOT) [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=SECURITY_HOTSPOT)
[](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=CODE_SMELL) [](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=CODE_SMELL) [4 Code Smells](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=CODE_SMELL)
[](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_coverage&view=list) [69.0% Coverage](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_coverage&view=list)
[](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_duplicated_lines_density&view=list) [0.0% Duplication](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_duplicated_lines_density&view=list)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [dolphinscheduler] sonarcloud[bot] commented on pull request #13164: [Improvement][Security]Add CSRF protection(issue-12931)
Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #13164:
URL: https://github.com/apache/dolphinscheduler/pull/13164#issuecomment-1348721884
Kudos, SonarCloud Quality Gate passed! [](https://sonarcloud.io/dashboard?id=apache-dolphinscheduler&pullRequest=13164)
[](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=BUG) [](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=BUG) [0 Bugs](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=BUG)
[](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=VULNERABILITY) [](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=VULNERABILITY) [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=VULNERABILITY)
[](https://sonarcloud.io/project/security_hotspots?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=SECURITY_HOTSPOT) [](https://sonarcloud.io/project/security_hotspots?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=SECURITY_HOTSPOT) [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=SECURITY_HOTSPOT)
[](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=CODE_SMELL) [](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=CODE_SMELL) [2 Code Smells](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=CODE_SMELL)
[](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_coverage&view=list) [64.9% Coverage](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_coverage&view=list)
[](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_duplicated_lines_density&view=list) [0.0% Duplication](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_duplicated_lines_density&view=list)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [dolphinscheduler] kezhenxu94 commented on pull request #13164: [Improvement][Security]Add CSRF protection(issue-12931)
Posted by GitBox <gi...@apache.org>.
kezhenxu94 commented on PR #13164:
URL: https://github.com/apache/dolphinscheduler/pull/13164#issuecomment-1376882978
Close in favor of https://github.com/apache/dolphinscheduler/pull/13235, 13235 would be a more neat implementation
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [dolphinscheduler] sonarcloud[bot] commented on pull request #13164: [Improvement][Security]Add CSRF protection(issue-12931)
Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #13164:
URL: https://github.com/apache/dolphinscheduler/pull/13164#issuecomment-1348955460
Kudos, SonarCloud Quality Gate passed! [](https://sonarcloud.io/dashboard?id=apache-dolphinscheduler&pullRequest=13164)
[](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=BUG) [](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=BUG) [0 Bugs](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=BUG)
[](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=VULNERABILITY) [](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=VULNERABILITY) [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=VULNERABILITY)
[](https://sonarcloud.io/project/security_hotspots?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=SECURITY_HOTSPOT) [](https://sonarcloud.io/project/security_hotspots?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=SECURITY_HOTSPOT) [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=SECURITY_HOTSPOT)
[](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=CODE_SMELL) [](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=CODE_SMELL) [4 Code Smells](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=CODE_SMELL)
[](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_coverage&view=list) [69.0% Coverage](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_coverage&view=list)
[](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_duplicated_lines_density&view=list) [0.0% Duplication](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_duplicated_lines_density&view=list)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [dolphinscheduler] sonarcloud[bot] commented on pull request #13164: [Improvement][Security]Add CSRF protection(issue-12931)
Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #13164:
URL: https://github.com/apache/dolphinscheduler/pull/13164#issuecomment-1348860835
Kudos, SonarCloud Quality Gate passed! [](https://sonarcloud.io/dashboard?id=apache-dolphinscheduler&pullRequest=13164)
[](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=BUG) [](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=BUG) [0 Bugs](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=BUG)
[](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=VULNERABILITY) [](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=VULNERABILITY) [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=VULNERABILITY)
[](https://sonarcloud.io/project/security_hotspots?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=SECURITY_HOTSPOT) [](https://sonarcloud.io/project/security_hotspots?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=SECURITY_HOTSPOT) [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=SECURITY_HOTSPOT)
[](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=CODE_SMELL) [](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=CODE_SMELL) [5 Code Smells](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=CODE_SMELL)
[](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_coverage&view=list) [69.0% Coverage](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_coverage&view=list)
[](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_duplicated_lines_density&view=list) [0.0% Duplication](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_duplicated_lines_density&view=list)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [dolphinscheduler] codecov-commenter commented on pull request #13164: [Improvement][Security]Add CSRF protection(issue-12931)
Posted by GitBox <gi...@apache.org>.
codecov-commenter commented on PR #13164:
URL: https://github.com/apache/dolphinscheduler/pull/13164#issuecomment-1348923689
# [Codecov](https://codecov.io/gh/apache/dolphinscheduler/pull/13164?src=pr&el=h1&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) Report
> Merging [#13164](https://codecov.io/gh/apache/dolphinscheduler/pull/13164?src=pr&el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (bcd2799) into [dev](https://codecov.io/gh/apache/dolphinscheduler/commit/ab96a3d0c01182b5b914540b8c3584141abe1f55?el=desc&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) (ab96a3d) will **increase** coverage by `0.06%`.
> The diff coverage is `59.37%`.
```diff
@@ Coverage Diff @@
## dev #13164 +/- ##
============================================
+ Coverage 39.35% 39.42% +0.06%
- Complexity 4259 4276 +17
============================================
Files 1066 1067 +1
Lines 40175 40310 +135
Branches 4617 4616 -1
============================================
+ Hits 15812 15891 +79
- Misses 22590 22635 +45
- Partials 1773 1784 +11
```
| [Impacted Files](https://codecov.io/gh/apache/dolphinscheduler/pull/13164?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) | Coverage Δ | |
|---|---|---|
| [...cheduler/api/interceptor/CsrfTokenInterceptor.java](https://codecov.io/gh/apache/dolphinscheduler/pull/13164/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZG9scGhpbnNjaGVkdWxlci1hcGkvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL2RvbHBoaW5zY2hlZHVsZXIvYXBpL2ludGVyY2VwdG9yL0NzcmZUb2tlbkludGVyY2VwdG9yLmphdmE=) | `43.47% <43.47%> (ø)` | |
| [...nscheduler/api/configuration/AppConfiguration.java](https://codecov.io/gh/apache/dolphinscheduler/pull/13164/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZG9scGhpbnNjaGVkdWxlci1hcGkvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL2RvbHBoaW5zY2hlZHVsZXIvYXBpL2NvbmZpZ3VyYXRpb24vQXBwQ29uZmlndXJhdGlvbi5qYXZh) | `94.87% <100.00%> (+0.93%)` | :arrow_up: |
| [...erver/master/processor/queue/TaskEventService.java](https://codecov.io/gh/apache/dolphinscheduler/pull/13164/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZG9scGhpbnNjaGVkdWxlci1tYXN0ZXIvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL2RvbHBoaW5zY2hlZHVsZXIvc2VydmVyL21hc3Rlci9wcm9jZXNzb3IvcXVldWUvVGFza0V2ZW50U2VydmljZS5qYXZh) | `69.64% <0.00%> (-10.72%)` | :arrow_down: |
| [...dolphinscheduler/remote/future/ResponseFuture.java](https://codecov.io/gh/apache/dolphinscheduler/pull/13164/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZG9scGhpbnNjaGVkdWxlci1yZW1vdGUvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL2RvbHBoaW5zY2hlZHVsZXIvcmVtb3RlL2Z1dHVyZS9SZXNwb25zZUZ1dHVyZS5qYXZh) | `81.96% <0.00%> (-1.64%)` | :arrow_down: |
| [...hinscheduler/plugin/alert/script/ScriptSender.java](https://codecov.io/gh/apache/dolphinscheduler/pull/13164/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZG9scGhpbnNjaGVkdWxlci1hbGVydC9kb2xwaGluc2NoZWR1bGVyLWFsZXJ0LXBsdWdpbnMvZG9scGhpbnNjaGVkdWxlci1hbGVydC1zY3JpcHQvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL2RvbHBoaW5zY2hlZHVsZXIvcGx1Z2luL2FsZXJ0L3NjcmlwdC9TY3JpcHRTZW5kZXIuamF2YQ==) | `70.58% <0.00%> (-1.64%)` | :arrow_down: |
| [...pache/dolphinscheduler/common/utils/JSONUtils.java](https://codecov.io/gh/apache/dolphinscheduler/pull/13164/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZG9scGhpbnNjaGVkdWxlci1jb21tb24vc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL2RvbHBoaW5zY2hlZHVsZXIvY29tbW9uL3V0aWxzL0pTT05VdGlscy5qYXZh) | `52.72% <0.00%> (-1.48%)` | :arrow_down: |
| [...cheduler/plugin/alert/dingtalk/DingTalkSender.java](https://codecov.io/gh/apache/dolphinscheduler/pull/13164/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZG9scGhpbnNjaGVkdWxlci1hbGVydC9kb2xwaGluc2NoZWR1bGVyLWFsZXJ0LXBsdWdpbnMvZG9scGhpbnNjaGVkdWxlci1hbGVydC1kaW5ndGFsay9zcmMvbWFpbi9qYXZhL29yZy9hcGFjaGUvZG9scGhpbnNjaGVkdWxlci9wbHVnaW4vYWxlcnQvZGluZ3RhbGsvRGluZ1RhbGtTZW5kZXIuamF2YQ==) | `34.13% <0.00%> (-0.78%)` | :arrow_down: |
| [.../org/apache/dolphinscheduler/common/graph/DAG.java](https://codecov.io/gh/apache/dolphinscheduler/pull/13164/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZG9scGhpbnNjaGVkdWxlci1jb21tb24vc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL2RvbHBoaW5zY2hlZHVsZXIvY29tbW9uL2dyYXBoL0RBRy5qYXZh) | `94.48% <0.00%> (-0.75%)` | :arrow_down: |
| [...inscheduler/api/controller/ExecutorController.java](https://codecov.io/gh/apache/dolphinscheduler/pull/13164/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZG9scGhpbnNjaGVkdWxlci1hcGkvc3JjL21haW4vamF2YS9vcmcvYXBhY2hlL2RvbHBoaW5zY2hlZHVsZXIvYXBpL2NvbnRyb2xsZXIvRXhlY3V0b3JDb250cm9sbGVyLmphdmE=) | `18.98% <0.00%> (-0.75%)` | :arrow_down: |
| [...lphinscheduler/service/task/TaskPluginManager.java](https://codecov.io/gh/apache/dolphinscheduler/pull/13164/diff?src=pr&el=tree&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation#diff-ZG9scGhpbnNjaGVkdWxlci1zZXJ2aWNlL3NyYy9tYWluL2phdmEvb3JnL2FwYWNoZS9kb2xwaGluc2NoZWR1bGVyL3NlcnZpY2UvdGFzay9UYXNrUGx1Z2luTWFuYWdlci5qYXZh) | `2.77% <0.00%> (-0.56%)` | :arrow_down: |
| ... and [46 more](https://codecov.io/gh/apache/dolphinscheduler/pull/13164/diff?src=pr&el=tree-more&utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation) | |
:mega: We’re building smart automated test selection to slash your CI/CD build times. [Learn more](https://about.codecov.io/iterative-testing/?utm_medium=referral&utm_source=github&utm_content=comment&utm_campaign=pr+comments&utm_term=The+Apache+Software+Foundation)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [dolphinscheduler] hdygxsj commented on a diff in pull request #13164: [Improvement][Security]Add CSRF protection(issue-12931)
Posted by GitBox <gi...@apache.org>.
hdygxsj commented on code in PR #13164:
URL: https://github.com/apache/dolphinscheduler/pull/13164#discussion_r1048170024
##########
dolphinscheduler-ui/src/service/service.ts:
##########
@@ -74,9 +74,12 @@ const err = (err: AxiosError): Promise<AxiosError> => {
service.interceptors.request.use((config: AxiosRequestConfig<any>) => {
config.headers && (config.headers.sessionId = userStore.getSessionId)
const language = cookies.get('language')
+ const sessionId = cookies.get('sessionId')
config.headers = config.headers || {}
if (language) config.headers.language = language
-
+ if (sessionId) {
+ config.headers['X-CSRF-TOKEN'] = sessionId.split('').reverse().join('')
Review Comment:
My current thoughts are as follows,
1. Use the asymmetric encryption algorithm to encrypt. When the front-end end obtains the sessionId, encrypt it using the public key and store the ciphertext persistently using pinia. When the back-end interceptor receives the X-CSRF-TOKEN, decrypt it with the private key and compare it with the sessionId. This comes at the cost of reducing the throughput of the request.
2. Or the back end can provide a get api for obtaining a token. The back end generates the token and persists it in the database. However, I feel that the io cost of querying the database should be higher than that of decrypting.
If the above methods are OK, I can also implement it in this pr
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [dolphinscheduler] hdygxsj commented on pull request #13164: [Improvement][Security]Add CSRF protection(issue-12931)
Posted by GitBox <gi...@apache.org>.
hdygxsj commented on PR #13164:
URL: https://github.com/apache/dolphinscheduler/pull/13164#issuecomment-1359594040
> Hi @hdygxsj , DS community holds an online bi-weekly meeting. You are very welcome to bring up this topic for discussion during the meeting if you'd like to. Thanks : )
>
> Here is the link: https://docs.qq.com/doc/DQ3BGVHZ1bXp5R2FZ
I will be attending the meeting. In addition, I added the implementation using spring security, see pr #13235
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [dolphinscheduler] sonarcloud[bot] commented on pull request #13164: [Improvement][Security]Add CSRF protection(issue-12931)
Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #13164:
URL: https://github.com/apache/dolphinscheduler/pull/13164#issuecomment-1349052667
Kudos, SonarCloud Quality Gate passed! [](https://sonarcloud.io/dashboard?id=apache-dolphinscheduler&pullRequest=13164)
[](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=BUG) [](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=BUG) [0 Bugs](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=BUG)
[](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=VULNERABILITY) [](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=VULNERABILITY) [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=VULNERABILITY)
[](https://sonarcloud.io/project/security_hotspots?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=SECURITY_HOTSPOT) [](https://sonarcloud.io/project/security_hotspots?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=SECURITY_HOTSPOT) [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=SECURITY_HOTSPOT)
[](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=CODE_SMELL) [](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=CODE_SMELL) [4 Code Smells](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=CODE_SMELL)
[](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_coverage&view=list) [69.0% Coverage](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_coverage&view=list)
[](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_duplicated_lines_density&view=list) [0.0% Duplication](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_duplicated_lines_density&view=list)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [dolphinscheduler] hdygxsj commented on pull request #13164: [Improvement][Security]Add CSRF protection(issue-12931)
Posted by GitBox <gi...@apache.org>.
hdygxsj commented on PR #13164:
URL: https://github.com/apache/dolphinscheduler/pull/13164#issuecomment-1350460132
> Please check the failed CI.
done
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [dolphinscheduler] kezhenxu94 closed pull request #13164: [Improvement][Security]Add CSRF protection(issue-12931)
Posted by GitBox <gi...@apache.org>.
kezhenxu94 closed pull request #13164: [Improvement][Security]Add CSRF protection(issue-12931)
URL: https://github.com/apache/dolphinscheduler/pull/13164
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [dolphinscheduler] EricGao888 commented on pull request #13164: [Improvement][Security]Add CSRF protection(issue-12931)
Posted by GitBox <gi...@apache.org>.
EricGao888 commented on PR #13164:
URL: https://github.com/apache/dolphinscheduler/pull/13164#issuecomment-1357164203
Hi @hdygxsj , DS community holds an online bi-weekly meeting. You are very welcome to bring up this topic for discussion during the meeting if you'd like to. Thanks : )
Here is the link:
https://docs.qq.com/doc/DQ3BGVHZ1bXp5R2FZ
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [dolphinscheduler] sonarcloud[bot] commented on pull request #13164: [Improvement][Security]Add CSRF protection(issue-12931)
Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #13164:
URL: https://github.com/apache/dolphinscheduler/pull/13164#issuecomment-1348730913
Kudos, SonarCloud Quality Gate passed! [](https://sonarcloud.io/dashboard?id=apache-dolphinscheduler&pullRequest=13164)
[](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=BUG) [](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=BUG) [0 Bugs](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=BUG)
[](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=VULNERABILITY) [](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=VULNERABILITY) [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=VULNERABILITY)
[](https://sonarcloud.io/project/security_hotspots?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=SECURITY_HOTSPOT) [](https://sonarcloud.io/project/security_hotspots?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=SECURITY_HOTSPOT) [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=SECURITY_HOTSPOT)
[](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=CODE_SMELL) [](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=CODE_SMELL) [2 Code Smells](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=CODE_SMELL)
[](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_coverage&view=list) [64.9% Coverage](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_coverage&view=list)
[](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_duplicated_lines_density&view=list) [0.0% Duplication](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_duplicated_lines_density&view=list)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [dolphinscheduler] EricGao888 commented on a diff in pull request #13164: [Improvement][Security]Add CSRF protection(issue-12931)
Posted by GitBox <gi...@apache.org>.
EricGao888 commented on code in PR #13164:
URL: https://github.com/apache/dolphinscheduler/pull/13164#discussion_r1048127023
##########
dolphinscheduler-ui/src/service/service.ts:
##########
@@ -74,9 +74,12 @@ const err = (err: AxiosError): Promise<AxiosError> => {
service.interceptors.request.use((config: AxiosRequestConfig<any>) => {
config.headers && (config.headers.sessionId = userStore.getSessionId)
const language = cookies.get('language')
+ const sessionId = cookies.get('sessionId')
config.headers = config.headers || {}
if (language) config.headers.language = language
-
+ if (sessionId) {
+ config.headers['X-CSRF-TOKEN'] = sessionId.split('').reverse().join('')
Review Comment:
Currently, you invert the sessionId to get a `CSRF` token and put it in headers in front-end. As you wrote in PR change log, you plan to encrypt it in the future, may I ask where and how you plan to encrypt it?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [dolphinscheduler] sonarcloud[bot] commented on pull request #13164: [Improvement][Security]Add CSRF protection(issue-12931)
Posted by GitBox <gi...@apache.org>.
sonarcloud[bot] commented on PR #13164:
URL: https://github.com/apache/dolphinscheduler/pull/13164#issuecomment-1348987280
Kudos, SonarCloud Quality Gate passed! [](https://sonarcloud.io/dashboard?id=apache-dolphinscheduler&pullRequest=13164)
[](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=BUG) [](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=BUG) [0 Bugs](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=BUG)
[](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=VULNERABILITY) [](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=VULNERABILITY) [0 Vulnerabilities](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=VULNERABILITY)
[](https://sonarcloud.io/project/security_hotspots?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=SECURITY_HOTSPOT) [](https://sonarcloud.io/project/security_hotspots?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=SECURITY_HOTSPOT) [0 Security Hotspots](https://sonarcloud.io/project/security_hotspots?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=SECURITY_HOTSPOT)
[](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=CODE_SMELL) [](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=CODE_SMELL) [4 Code Smells](https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&pullRequest=13164&resolved=false&types=CODE_SMELL)
[](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_coverage&view=list) [69.0% Coverage](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_coverage&view=list)
[](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_duplicated_lines_density&view=list) [0.0% Duplication](https://sonarcloud.io/component_measures?id=apache-dolphinscheduler&pullRequest=13164&metric=new_duplicated_lines_density&view=list)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [dolphinscheduler] EricGao888 commented on a diff in pull request #13164: [Improvement][Security]Add CSRF protection(issue-12931)
Posted by GitBox <gi...@apache.org>.
EricGao888 commented on code in PR #13164:
URL: https://github.com/apache/dolphinscheduler/pull/13164#discussion_r1050392206
##########
dolphinscheduler-ui/src/service/service.ts:
##########
@@ -74,9 +74,12 @@ const err = (err: AxiosError): Promise<AxiosError> => {
service.interceptors.request.use((config: AxiosRequestConfig<any>) => {
config.headers && (config.headers.sessionId = userStore.getSessionId)
const language = cookies.get('language')
+ const sessionId = cookies.get('sessionId')
config.headers = config.headers || {}
if (language) config.headers.language = language
-
+ if (sessionId) {
+ config.headers['X-CSRF-TOKEN'] = sessionId.split('').reverse().join('')
Review Comment:
WDYT? @kezhenxu94 @caishunfeng
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [dolphinscheduler] EricGao888 commented on a diff in pull request #13164: [Improvement][Security]Add CSRF protection(issue-12931)
Posted by GitBox <gi...@apache.org>.
EricGao888 commented on code in PR #13164:
URL: https://github.com/apache/dolphinscheduler/pull/13164#discussion_r1050392206
##########
dolphinscheduler-ui/src/service/service.ts:
##########
@@ -74,9 +74,12 @@ const err = (err: AxiosError): Promise<AxiosError> => {
service.interceptors.request.use((config: AxiosRequestConfig<any>) => {
config.headers && (config.headers.sessionId = userStore.getSessionId)
const language = cookies.get('language')
+ const sessionId = cookies.get('sessionId')
config.headers = config.headers || {}
if (language) config.headers.language = language
-
+ if (sessionId) {
+ config.headers['X-CSRF-TOKEN'] = sessionId.split('').reverse().join('')
Review Comment:
WDYT? @kezhenxu94 @caishunfeng @SbloodyS
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org