github-code-scanning[bot] commented on code in PR #14507:
URL: 
https://github.com/apache/dolphinscheduler/pull/14507#discussion_r1259517822


##########
dolphinscheduler-task-plugin/dolphinscheduler-task-http/src/main/java/org/apache/dolphinscheduler/plugin/task/http/HttpTask.java:
##########
@@ -287,10 +292,29 @@
      *
      * @return CloseableHttpClient
      */
-    protected CloseableHttpClient createHttpClient() {
+    protected CloseableHttpClient createHttpClient() throws Exception {
         final RequestConfig requestConfig = requestConfig();
         HttpClientBuilder httpClientBuilder;
         httpClientBuilder = 
HttpClients.custom().setDefaultRequestConfig(requestConfig);
+        if (httpParameters.getEnableSSL()) {
+            TrustManager[] trustAllCerts = new TrustManager[]{new 
X509TrustManager() {
+
+                public java.security.cert.X509Certificate[] 
getAcceptedIssuers() {
+                    return null;
+                }
+
+                public void 
checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) 
{
+                }
+
+                public void 
checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) 
{

Review Comment:
   ## Server certificates should be verified during SSL/TLS connections
   
   <!--SONAR_ISSUE_KEY:AYlEbDwaM3N9SAfx8m18-->Enable server certificate 
validation on this SSL/TLS connection. <p>See more on <a 
href="https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&issues=AYlEbDwaM3N9SAfx8m18&open=AYlEbDwaM3N9SAfx8m18&pullRequest=14507">SonarCloud</a></p>
   
   [Show more 
details](https://github.com/apache/dolphinscheduler/security/code-scanning/2995)



##########
dolphinscheduler-task-plugin/dolphinscheduler-task-http/src/main/java/org/apache/dolphinscheduler/plugin/task/http/HttpTask.java:
##########
@@ -287,10 +292,29 @@
      *
      * @return CloseableHttpClient
      */
-    protected CloseableHttpClient createHttpClient() {
+    protected CloseableHttpClient createHttpClient() throws Exception {
         final RequestConfig requestConfig = requestConfig();
         HttpClientBuilder httpClientBuilder;
         httpClientBuilder = 
HttpClients.custom().setDefaultRequestConfig(requestConfig);
+        if (httpParameters.getEnableSSL()) {
+            TrustManager[] trustAllCerts = new TrustManager[]{new 
X509TrustManager() {
+
+                public java.security.cert.X509Certificate[] 
getAcceptedIssuers() {
+                    return null;
+                }
+
+                public void 
checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) 
{
+                }
+
+                public void 
checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) 
{
+                }
+            }};
+            SSLContext sslContext = SSLContext.getInstance("TLS");
+            sslContext.init(null, trustAllCerts, new SecureRandom());
+            httpClientBuilder.setSSLContext(sslContext);
+            httpClientBuilder.setSSLHostnameVerifier((s, sslSession) -> true);
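Review bot: `getAcceptedIssuers()` returning `null` inside the anonymous `X509TrustManager` violates the `X509TrustManager` contract, which requires a non-null (possibly empty) array; callers that iterate or index the result can throw an NPE, so it should be `return new java.security.cert.X509Certificate[0];`. The signature change to `createHttpClient() throws Exception` is broader than the code needs — `SSLContext.getInstance("TLS")` throws `NoSuchAlgorithmException` and `init(...)` throws `KeyManagementException`, so declare those two (or wrap them in the task plugin's own exception type) instead of a catch-all that forces every caller to handle `Exception`. Because the whole block is gated only on `httpParameters.getEnableSSL()`, the option name promises transport security while the effect is "HTTPS with trust and hostname checks off"; if an insecure mode is retained at all it belongs behind a separate, default-off flag (e.g. `skipSslVerification`) with a comment such as `// Insecure: only for self-signed test endpoints; never the default for HTTPS tasks`. `createHttpClient`'s body continues beyond the quoted hunk.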

Review Comment:
   ## Server hostnames should be verified during SSL/TLS connections
   
   <!--SONAR_ISSUE_KEY:AYlEbDwaM3N9SAfx8m19-->Enable server hostname 
verification on this SSL/TLS connection. <p>See more on <a 
href="https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&issues=AYlEbDwaM3N9SAfx8m19&open=AYlEbDwaM3N9SAfx8m19&pullRequest=14507">SonarCloud</a></p>
   
   [Show more 
details](https://github.com/apache/dolphinscheduler/security/code-scanning/2996)



##########
dolphinscheduler-task-plugin/dolphinscheduler-task-http/src/main/java/org/apache/dolphinscheduler/plugin/task/http/HttpTask.java:
##########
@@ -287,10 +292,29 @@
      *
      * @return CloseableHttpClient
      */
-    protected CloseableHttpClient createHttpClient() {
+    protected CloseableHttpClient createHttpClient() throws Exception {
         final RequestConfig requestConfig = requestConfig();
         HttpClientBuilder httpClientBuilder;
         httpClientBuilder = 
HttpClients.custom().setDefaultRequestConfig(requestConfig);
+        if (httpParameters.getEnableSSL()) {
+            TrustManager[] trustAllCerts = new TrustManager[]{new 
X509TrustManager() {
+
+                public java.security.cert.X509Certificate[] 
getAcceptedIssuers() {
+                    return null;
+                }
+
+                public void 
checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) 
{

Review Comment:
   ## Server certificates should be verified during SSL/TLS connections
   
   <!--SONAR_ISSUE_KEY:AYlEbDwaM3N9SAfx8m17-->Enable server certificate 
validation on this SSL/TLS connection. <p>See more on <a 
href="https://sonarcloud.io/project/issues?id=apache-dolphinscheduler&issues=AYlEbDwaM3N9SAfx8m17&open=AYlEbDwaM3N9SAfx8m17&pullRequest=14507">SonarCloud</a></p>
   
   [Show more 
details](https://github.com/apache/dolphinscheduler/security/code-scanning/2994)


