Posted to issues@lucene.apache.org by GitBox <gi...@apache.org> on 2022/05/05 07:51:51 UTC

[GitHub] [lucene] sonatype-lift[bot] commented on a diff in pull request #868: LUCENE-10558: Implement URL ctor to support classpath usage in Kuromoji and Nori dictionaries

sonatype-lift[bot] commented on code in PR #868:
URL: https://github.com/apache/lucene/pull/868#discussion_r865638824


##########
lucene/analysis/kuromoji/src/java/org/apache/lucene/analysis/ja/dict/ConnectionCosts.java:
##########
@@ -63,6 +65,17 @@ public ConnectionCosts(Path connectionCostsFile) throws IOException {
     this(() -> Files.newInputStream(connectionCostsFile));
   }
 
+  /**
+   * Create a {@link ConnectionCosts} from an external resource URL (e.g. from Classpath with {@link
+   * ClassLoader#getResource(String)}).
+   *
+   * @param connectionCostsUrl where to load connection costs resource
+   * @throws IOException if resource was not found or broken
+   */
+  public ConnectionCosts(URL connectionCostsUrl) throws IOException {
+    this(() -> connectionCostsUrl.openStream());
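Review bot: the Javadoc promises `@throws IOException if resource was not found`, but the lookup the doc suggests, `ClassLoader#getResource(String)`, returns `null` when the resource is missing, and a `null` `connectionCostsUrl` would surface as a `NullPointerException` from inside the supplier lambda rather than the documented `IOException`. Suggest either an explicit `Objects.requireNonNull(connectionCostsUrl, "...")` with a message naming the resource, or a check that throws `IOException` so the documented contract holds. Also note that the constructor accepts any `URL`, not only classpath ones, so `openStream()` will follow whatever scheme the caller supplies; the static-analysis finding above is a false positive as long as callers pass trusted (classpath or `file:`) URLs, and it would be worth stating that expectation in the Javadoc.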

Review Comment:
   *[URLCONNECTION_SSRF_FD](https://find-sec-bugs.github.io/bugs.htm#URLCONNECTION_SSRF_FD):*  This web server request could be used by an attacker to expose internal services and filesystem.
   
   (at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`)
   
   ---
   
   Was this a good recommendation?
   [ [🙁 Not relevant](https://www.sonatype.com/lift-comment-rating?comment=204460545&lift_comment_rating=1) ] - [ [😕 Won't fix](https://www.sonatype.com/lift-comment-rating?comment=204460545&lift_comment_rating=2) ] - [ [😑 Not critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=204460545&lift_comment_rating=3) ] - [ [🙂 Critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=204460545&lift_comment_rating=4) ] - [ [😊 Critical, fixing now](https://www.sonatype.com/lift-comment-rating?comment=204460545&lift_comment_rating=5) ]



##########
lucene/analysis/kuromoji/src/java/org/apache/lucene/analysis/ja/dict/TokenInfoDictionary.java:
##########
@@ -82,6 +84,25 @@ public TokenInfoDictionary(Path targetMapFile, Path posDictFile, Path dictFile,
         () -> Files.newInputStream(fstFile));
   }
 
+  /**
+   * Create a {@link TokenInfoDictionary} from an external resource URL (e.g. from Classpath with
+   * {@link ClassLoader#getResource(String)}).
+   *
+   * @param targetMapUrl where to load target map resource
+   * @param posDictUrl where to load POS dictionary resource
+   * @param dictUrl where to load dictionary entries resource
+   * @param fstUrl where to load encoded FST data resource
+   * @throws IOException if resource was not found or broken
+   */
+  public TokenInfoDictionary(URL targetMapUrl, URL posDictUrl, URL dictUrl, URL fstUrl)
+      throws IOException {
+    this(
+        () -> targetMapUrl.openStream(),
+        () -> posDictUrl.openStream(),
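Review bot: same contract concern as in `ConnectionCosts`: with four `URL` parameters, a single `null` from a failed `ClassLoader#getResource` call produces a `NullPointerException` from whichever supplier is opened first, which is harder to diagnose than the `IOException` the Javadoc advertises and does not say which of the four resources is missing. Suggest validating each parameter up front and naming it in the exception message, e.g. `Objects.requireNonNull(targetMapUrl, "targetMapUrl")`. Since the Javadoc explicitly scopes this constructor to classpath usage, consider saying that the URLs are expected to be trusted; the SSRF warning only applies if a caller ever passes a URL derived from external input.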

Review Comment:
   *[URLCONNECTION_SSRF_FD](https://find-sec-bugs.github.io/bugs.htm#URLCONNECTION_SSRF_FD):*  This web server request could be used by an attacker to expose internal services and filesystem.
   
   (at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`)
   
   ---
   
   Was this a good recommendation?
   [ [🙁 Not relevant](https://www.sonatype.com/lift-comment-rating?comment=204460555&lift_comment_rating=1) ] - [ [😕 Won't fix](https://www.sonatype.com/lift-comment-rating?comment=204460555&lift_comment_rating=2) ] - [ [😑 Not critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=204460555&lift_comment_rating=3) ] - [ [🙂 Critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=204460555&lift_comment_rating=4) ] - [ [😊 Critical, fixing now](https://www.sonatype.com/lift-comment-rating?comment=204460555&lift_comment_rating=5) ]



##########
lucene/analysis/kuromoji/src/java/org/apache/lucene/analysis/ja/dict/TokenInfoDictionary.java:
##########
@@ -82,6 +84,25 @@ public TokenInfoDictionary(Path targetMapFile, Path posDictFile, Path dictFile,
         () -> Files.newInputStream(fstFile));
   }
 
+  /**
+   * Create a {@link TokenInfoDictionary} from an external resource URL (e.g. from Classpath with
+   * {@link ClassLoader#getResource(String)}).
+   *
+   * @param targetMapUrl where to load target map resource
+   * @param posDictUrl where to load POS dictionary resource
+   * @param dictUrl where to load dictionary entries resource
+   * @param fstUrl where to load encoded FST data resource
+   * @throws IOException if resource was not found or broken
+   */
+  public TokenInfoDictionary(URL targetMapUrl, URL posDictUrl, URL dictUrl, URL fstUrl)
+      throws IOException {
+    this(
+        () -> targetMapUrl.openStream(),
+        () -> posDictUrl.openStream(),
+        () -> dictUrl.openStream(),
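Review bot: style point on the supplier lambdas: each of `() -> targetMapUrl.openStream()`, `() -> posDictUrl.openStream()` and `() -> dictUrl.openStream()` can be written as the method reference `targetMapUrl::openStream` and so on, which keeps these suppliers consistent with the lambda-free style and makes it obvious that no other logic runs at open time. The repeated finding on each line is the same `openStream()` call pattern, so one decision about whether these URLs are trusted covers all of them.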

Review Comment:
   *[URLCONNECTION_SSRF_FD](https://find-sec-bugs.github.io/bugs.htm#URLCONNECTION_SSRF_FD):*  This web server request could be used by an attacker to expose internal services and filesystem.
   
   (at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`)
   
   ---
   
   Was this a good recommendation?
   [ [🙁 Not relevant](https://www.sonatype.com/lift-comment-rating?comment=204460571&lift_comment_rating=1) ] - [ [😕 Won't fix](https://www.sonatype.com/lift-comment-rating?comment=204460571&lift_comment_rating=2) ] - [ [😑 Not critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=204460571&lift_comment_rating=3) ] - [ [🙂 Critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=204460571&lift_comment_rating=4) ] - [ [😊 Critical, fixing now](https://www.sonatype.com/lift-comment-rating?comment=204460571&lift_comment_rating=5) ]



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


For additional commands, e-mail: issues-help@lucene.apache.org