github-code-scanning[bot] commented on code in PR #12003:
URL: https://github.com/apache/dolphinscheduler/pull/12003#discussion_r973198230
##########
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/DataAnalysisServiceImpl.java:
##########
@@ -156,10 +158,7 @@
Map<String, Object> result = new HashMap<>();
if (projectCode != 0) {
Project project = projectMapper.queryByCode(projectCode);
- result = projectService.checkProjectAndAuth(loginUser, project,
projectCode, PROJECT_OVERVIEW);
- if (result.get(Constants.STATUS) != Status.SUCCESS) {
- return result;
- }
+ projectService.checkProjectAuth(loginUser, project,
PROJECT_OVERVIEW);
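Review bot: The `if (projectCode != 0)` guard above the changed lines still means a request carrying projectCode 0 never reaches `checkProjectAuth`, and switching the call to the throwing variant does not close that path. If 0 is the intended "all projects" sentinel, the else branch (outside the hunk) needs its own authorization gate and the guard deserves a comment such as `// projectCode == 0 means all projects: authorization for that case is enforced below, not by checkProjectAuth`; if 0 is not a legitimate value, reject it before the query with `putMsg(result, Status.PROJECT_NOT_EXIST); return result;` on the else path. The removed call also passed `projectCode` into the no-permission message, and the new `checkProjectAuth` signature is only partly visible, so confirm the thrown error still identifies which project was refused. The enclosing method starts before and continues after the hunk.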
Review Comment:
## User-controlled bypass of sensitive method
Sensitive method may not be executed depending on [this condition](1), which
flows from [user input](2).
Sensitive method may not be executed depending on [this condition](1), which
flows from [user input](3).
[Show more
details](https://github.com/apache/dolphinscheduler/security/code-scanning/1331)
##########
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/ProjectServiceImpl.java:
##########
@@ -185,43 +182,16 @@
public Map<String, Object> queryByName(User loginUser, String projectName)
{
Map<String, Object> result = new HashMap<>();
Project project = projectMapper.queryByName(projectName);
- boolean hasProjectAndPerm = hasProjectAndPerm(loginUser, project,
result, PROJECT);
- if (!hasProjectAndPerm) {
- return result;
- }
+ checkProjectAuth(loginUser, project, PROJECT);
if (project != null) {
result.put(Constants.DATA_LIST, project);
putMsg(result, Status.SUCCESS);
}
return result;
}
- /**
- * check project and authorization
- *
- * @param loginUser login user
- * @param project project
- * @param projectCode project code
- * @return true if the login user have permission to see the project
- */
- @Override
- public Map<String, Object> checkProjectAndAuth(User loginUser, Project
project, long projectCode,
- String permission) {
- Map<String, Object> result = new HashMap<>();
- if (project == null) {
- putMsg(result, Status.PROJECT_NOT_EXIST);
- } else if (!canOperatorPermissions(loginUser, new
Object[]{project.getId()}, AuthorizationType.PROJECTS,
- permission)) {
- // check read permission
- putMsg(result, Status.USER_NO_OPERATION_PROJECT_PERM,
loginUser.getUserName(), projectCode);
- } else {
- putMsg(result, Status.SUCCESS);
- }
- return result;
- }
-
- public void checkProjectAndAuthThrowException(@NonNull User loginUser,
@Nullable Project project,
- String permission) {
+ public void checkProjectAuth(@NonNull User loginUser, @Nullable Project
project,
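Review bot: In `queryByName`, when `projectMapper.queryByName` returns null and `checkProjectAuth` lets a null `project` through (its parameter is `@Nullable` and its body lies outside the hunk, so I cannot see whether it throws), the method now returns a `result` map with neither STATUS nor DATA_LIST set, whereas the removed `hasProjectAndPerm` path populated `result` before returning. Either document on `checkProjectAuth` that a null project always raises, in which case the `if (project != null)` is dead and can go, or handle it explicitly before the auth call: `if (project == null) { putMsg(result, Status.PROJECT_NOT_EXIST); return result; }`. The deleted `checkProjectAndAuth` carried a Javadoc; unless one exists just above the new signature (not all of those lines are in the hunk), give `checkProjectAuth` one stating that it throws instead of returning a status map, e.g. `/** Verifies that {@code project} exists and {@code loginUser} holds {@code permission} on it; throws rather than returning a result map. */`. The new method's signature continues past the end of the hunk.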
Review Comment:
## Missing Override annotation
This method overrides [ProjectService.checkProjectAuth](1); it is advisable
to add an Override annotation.
[Show more
details](https://github.com/apache/dolphinscheduler/security/code-scanning/1325)
##########
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/TaskDefinitionServiceImpl.java:
##########
@@ -777,8 +799,10 @@
case ONLINE:
String resourceIds = taskDefinition.getResourceIds();
if (StringUtils.isNotBlank(resourceIds)) {
- Integer[] resourceIdArray =
Arrays.stream(resourceIds.split(",")).map(Integer::parseInt).toArray(Integer[]::new);
- PermissionCheck<Integer> permissionCheck = new
PermissionCheck(AuthorizationType.RESOURCE_FILE_ID, processService,
resourceIdArray, loginUser.getId(), logger);
+ Integer[] resourceIdArray =
+
Arrays.stream(resourceIds.split(",")).map(Integer::parseInt).toArray(Integer[]::new);
Review Comment:
## Missing catch of NumberFormatException
Potential uncaught 'java.lang.NumberFormatException'.
[Show more
details](https://github.com/apache/dolphinscheduler/security/code-scanning/1330)
##########
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/DataAnalysisServiceImpl.java:
##########
@@ -206,10 +205,7 @@
Map<String, Object> result = new HashMap<>();
if (projectCode != 0) {
Project project = projectMapper.queryByCode(projectCode);
- result = projectService.checkProjectAndAuth(loginUser, project,
projectCode, PROJECT_OVERVIEW);
- if (result.get(Constants.STATUS) != Status.SUCCESS) {
- return result;
- }
+ projectService.checkProjectAuth(loginUser, project,
PROJECT_OVERVIEW);
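Review bot: This is the second copy of the same `if (projectCode != 0) { query; checkProjectAuth(...) }` prologue in DataAnalysisServiceImpl (the first sits near line 158 of the new file), so the decision of what projectCode 0 means for authorization is now made in two places and can drift. Pull it into one private helper, e.g. `private void checkProjectOverviewAuth(User loginUser, long projectCode)`, that performs the lookup and the `checkProjectAuth(loginUser, project, PROJECT_OVERVIEW)` call, and have both methods invoke it; if 0 is meant as "all projects", that helper is also the single place to document and enforce the permission for that case. The enclosing method starts before and continues after the hunk.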
Review Comment:
## User-controlled bypass of sensitive method
Sensitive method may not be executed depending on [this condition](1), which
flows from [user input](2).
[Show more
details](https://github.com/apache/dolphinscheduler/security/code-scanning/1332)
##########
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/TaskDefinitionServiceImpl.java:
##########
@@ -218,11 +215,14 @@
}
List<ProcessTaskRelationLog> processTaskRelationLogList =
Lists.newArrayList();
if (StringUtils.isNotBlank(upstreamCodes)) {
- Set<Long> upstreamTaskCodes =
Arrays.stream(upstreamCodes.split(Constants.COMMA)).map(Long::parseLong).collect(Collectors.toSet());
+ Set<Long> upstreamTaskCodes =
Arrays.stream(upstreamCodes.split(Constants.COMMA)).map(Long::parseLong)
Review Comment:
## Missing catch of NumberFormatException
Potential uncaught 'java.lang.NumberFormatException'.
[Show more
details](https://github.com/apache/dolphinscheduler/security/code-scanning/1328)
##########
dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/TaskDefinitionServiceImpl.java:
##########
@@ -475,17 +490,22 @@
* @return update result code
*/
@Override
- public Map<String, Object> updateTaskWithUpstream(User loginUser, long
projectCode, long taskCode, String taskDefinitionJsonObj, String upstreamCodes)
{
+ public Map<String, Object> updateTaskWithUpstream(User loginUser, long
projectCode, long taskCode,
+ String
taskDefinitionJsonObj, String upstreamCodes) {
Map<String, Object> result = new HashMap<>();
- TaskDefinitionLog taskDefinitionToUpdate = updateTask(loginUser,
projectCode, taskCode, taskDefinitionJsonObj, result);
+ TaskDefinitionLog taskDefinitionToUpdate =
+ updateTask(loginUser, projectCode, taskCode,
taskDefinitionJsonObj, result);
if (result.get(Constants.STATUS) != Status.SUCCESS &&
taskDefinitionToUpdate == null) {
return result;
}
- List<ProcessTaskRelation> upstreamTaskRelations =
processTaskRelationMapper.queryUpstreamByCode(projectCode, taskCode);
- Set<Long> upstreamCodeSet =
upstreamTaskRelations.stream().map(ProcessTaskRelation::getPreTaskCode).collect(Collectors.toSet());
+ List<ProcessTaskRelation> upstreamTaskRelations =
+ processTaskRelationMapper.queryUpstreamByCode(projectCode,
taskCode);
+ Set<Long> upstreamCodeSet =
+
upstreamTaskRelations.stream().map(ProcessTaskRelation::getPreTaskCode).collect(Collectors.toSet());
Set<Long> upstreamTaskCodes = Collections.emptySet();
if (StringUtils.isNotEmpty(upstreamCodes)) {
- upstreamTaskCodes =
Arrays.stream(upstreamCodes.split(Constants.COMMA)).map(Long::parseLong).collect(Collectors.toSet());
+ upstreamTaskCodes =
Arrays.stream(upstreamCodes.split(Constants.COMMA)).map(Long::parseLong)
Review Comment:
## Missing catch of NumberFormatException
Potential uncaught 'java.lang.NumberFormatException'.
[Show more
details](https://github.com/apache/dolphinscheduler/security/code-scanning/1329)