You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@dolphinscheduler.apache.org by GitBox <gi...@apache.org> on 2022/11/17 06:04:59 UTC

[GitHub] [dolphinscheduler] rickchengx commented on pull request #12917: [Fix-12916] Add permission check when query or download log

rickchengx commented on PR #12917:
URL: https://github.com/apache/dolphinscheduler/pull/12917#issuecomment-1318130833

   > I dont't think it's a bug. It need to be disscussed. cc @ruanwenjun @caishunfeng @EricGao888 @zhongjiajie
   
   Hi, @SbloodyS , thanks for your comment.
   
   Here is an example to illustrate why I think this is a bug:
   
   * `User 1` has a project `project-1`, and an `task-instance-1` (suppose `taskInstanceId`=1)
   * `User 2` has no permission on `project-1` , and he cannot see the `project-1` and the `task-instance-1` on the UI. But he can easily query the log of `task-instance-1` by sending a GET http `/dolphinscheduler/log/detail?taskInstanceId=1&skipLineNum=0&limit=1000`. He only needs to set an `taskInstanceId`, and this id is not randomly generated.
   
   In more serious cases, the logs may contain sensitive information 
   * E.g., the log of `Sqoop` task will output the mysql password (BTW, this problem will be fixed in #11589 )
   Then `User 2` will get the sensitive information to which **he does not have permission**.
   
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@dolphinscheduler.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org