You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@dolphinscheduler.apache.org by GitBox <gi...@apache.org> on 2022/09/16 16:28:50 UTC
[GitHub] [dolphinscheduler] github-code-scanning[bot] commented on a diff in pull request #12003: [improve] combine five check project auth into one
github-code-scanning[bot] commented on code in PR #12003:
URL: https://github.com/apache/dolphinscheduler/pull/12003#discussion_r973198230
##########
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/DataAnalysisServiceImpl.java:
##########
@@ -156,10 +158,7 @@
Map<String, Object> result = new HashMap<>();
if (projectCode != 0) {
Project project = projectMapper.queryByCode(projectCode);
- result = projectService.checkProjectAndAuth(loginUser, project, projectCode, PROJECT_OVERVIEW);
- if (result.get(Constants.STATUS) != Status.SUCCESS) {
- return result;
- }
+ projectService.checkProjectAuth(loginUser, project, PROJECT_OVERVIEW);
Review Comment:
## User-controlled bypass of sensitive method
Sensitive method may not be executed depending on [this condition](1), which flows from [user input](2).
Sensitive method may not be executed depending on [this condition](1), which flows from [user input](3).
[Show more details](https://github.com/apache/dolphinscheduler/security/code-scanning/1331)
##########
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/ProjectServiceImpl.java:
##########
@@ -185,43 +182,16 @@
public Map<String, Object> queryByName(User loginUser, String projectName) {
Map<String, Object> result = new HashMap<>();
Project project = projectMapper.queryByName(projectName);
- boolean hasProjectAndPerm = hasProjectAndPerm(loginUser, project, result, PROJECT);
- if (!hasProjectAndPerm) {
- return result;
- }
+ checkProjectAuth(loginUser, project, PROJECT);
if (project != null) {
result.put(Constants.DATA_LIST, project);
putMsg(result, Status.SUCCESS);
}
return result;
}
- /**
- * check project and authorization
- *
- * @param loginUser login user
- * @param project project
- * @param projectCode project code
- * @return true if the login user have permission to see the project
- */
- @Override
- public Map<String, Object> checkProjectAndAuth(User loginUser, Project project, long projectCode,
- String permission) {
- Map<String, Object> result = new HashMap<>();
- if (project == null) {
- putMsg(result, Status.PROJECT_NOT_EXIST);
- } else if (!canOperatorPermissions(loginUser, new Object[]{project.getId()}, AuthorizationType.PROJECTS,
- permission)) {
- // check read permission
- putMsg(result, Status.USER_NO_OPERATION_PROJECT_PERM, loginUser.getUserName(), projectCode);
- } else {
- putMsg(result, Status.SUCCESS);
- }
- return result;
- }
-
- public void checkProjectAndAuthThrowException(@NonNull User loginUser, @Nullable Project project,
- String permission) {
+ public void checkProjectAuth(@NonNull User loginUser, @Nullable Project project,
Review Comment:
## Missing Override annotation
This method overrides [ProjectService.checkProjectAuth](1); it is advisable to add an Override annotation.
[Show more details](https://github.com/apache/dolphinscheduler/security/code-scanning/1325)
##########
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/TaskDefinitionServiceImpl.java:
##########
@@ -777,8 +799,10 @@
case ONLINE:
String resourceIds = taskDefinition.getResourceIds();
if (StringUtils.isNotBlank(resourceIds)) {
- Integer[] resourceIdArray = Arrays.stream(resourceIds.split(",")).map(Integer::parseInt).toArray(Integer[]::new);
- PermissionCheck<Integer> permissionCheck = new PermissionCheck(AuthorizationType.RESOURCE_FILE_ID, processService, resourceIdArray, loginUser.getId(), logger);
+ Integer[] resourceIdArray =
+ Arrays.stream(resourceIds.split(",")).map(Integer::parseInt).toArray(Integer[]::new);
Review Comment:
## Missing catch of NumberFormatException
Potential uncaught 'java.lang.NumberFormatException'.
[Show more details](https://github.com/apache/dolphinscheduler/security/code-scanning/1330)
##########
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/DataAnalysisServiceImpl.java:
##########
@@ -206,10 +205,7 @@
Map<String, Object> result = new HashMap<>();
if (projectCode != 0) {
Project project = projectMapper.queryByCode(projectCode);
- result = projectService.checkProjectAndAuth(loginUser, project, projectCode, PROJECT_OVERVIEW);
- if (result.get(Constants.STATUS) != Status.SUCCESS) {
- return result;
- }
+ projectService.checkProjectAuth(loginUser, project, PROJECT_OVERVIEW);
Review Comment:
## User-controlled bypass of sensitive method
Sensitive method may not be executed depending on [this condition](1), which flows from [user input](2).
[Show more details](https://github.com/apache/dolphinscheduler/security/code-scanning/1332)
##########
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/TaskDefinitionServiceImpl.java:
##########
@@ -218,11 +215,14 @@
}
List<ProcessTaskRelationLog> processTaskRelationLogList = Lists.newArrayList();
if (StringUtils.isNotBlank(upstreamCodes)) {
- Set<Long> upstreamTaskCodes = Arrays.stream(upstreamCodes.split(Constants.COMMA)).map(Long::parseLong).collect(Collectors.toSet());
+ Set<Long> upstreamTaskCodes = Arrays.stream(upstreamCodes.split(Constants.COMMA)).map(Long::parseLong)
Review Comment:
## Missing catch of NumberFormatException
Potential uncaught 'java.lang.NumberFormatException'.
[Show more details](https://github.com/apache/dolphinscheduler/security/code-scanning/1328)
##########
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/TaskDefinitionServiceImpl.java:
##########
@@ -475,17 +490,22 @@
* @return update result code
*/
@Override
- public Map<String, Object> updateTaskWithUpstream(User loginUser, long projectCode, long taskCode, String taskDefinitionJsonObj, String upstreamCodes) {
+ public Map<String, Object> updateTaskWithUpstream(User loginUser, long projectCode, long taskCode,
+ String taskDefinitionJsonObj, String upstreamCodes) {
Map<String, Object> result = new HashMap<>();
- TaskDefinitionLog taskDefinitionToUpdate = updateTask(loginUser, projectCode, taskCode, taskDefinitionJsonObj, result);
+ TaskDefinitionLog taskDefinitionToUpdate =
+ updateTask(loginUser, projectCode, taskCode, taskDefinitionJsonObj, result);
if (result.get(Constants.STATUS) != Status.SUCCESS && taskDefinitionToUpdate == null) {
return result;
}
- List<ProcessTaskRelation> upstreamTaskRelations = processTaskRelationMapper.queryUpstreamByCode(projectCode, taskCode);
- Set<Long> upstreamCodeSet = upstreamTaskRelations.stream().map(ProcessTaskRelation::getPreTaskCode).collect(Collectors.toSet());
+ List<ProcessTaskRelation> upstreamTaskRelations =
+ processTaskRelationMapper.queryUpstreamByCode(projectCode, taskCode);
+ Set<Long> upstreamCodeSet =
+ upstreamTaskRelations.stream().map(ProcessTaskRelation::getPreTaskCode).collect(Collectors.toSet());
Set<Long> upstreamTaskCodes = Collections.emptySet();
if (StringUtils.isNotEmpty(upstreamCodes)) {
- upstreamTaskCodes = Arrays.stream(upstreamCodes.split(Constants.COMMA)).map(Long::parseLong).collect(Collectors.toSet());
+ upstreamTaskCodes = Arrays.stream(upstreamCodes.split(Constants.COMMA)).map(Long::parseLong)
Review Comment:
## Missing catch of NumberFormatException
Potential uncaught 'java.lang.NumberFormatException'.
[Show more details](https://github.com/apache/dolphinscheduler/security/code-scanning/1329)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org