github-advanced-security[bot] commented on code in PR #17775:
URL: https://github.com/apache/druid/pull/17775#discussion_r1978671355


##########
server/src/main/java/org/apache/druid/server/http/SegmentListerResource.java:
##########
@@ -215,23 +215,131 @@
     return null;
   }
 
+  /**
+   * Deprecated.
+   *
+   * @see SegmentListerResource#applyDataSegmentChangeRequests(long, 
HistoricalSegmentChangeRequest, HttpServletRequest)
+   */
+  @Deprecated
+  @POST
+  @Path("/changeRequests")
+  @Produces({MediaType.APPLICATION_JSON, 
SmileMediaTypes.APPLICATION_JACKSON_SMILE})
+  @Consumes({MediaType.APPLICATION_JSON, 
SmileMediaTypes.APPLICATION_JACKSON_SMILE})
+  public void applyDataSegmentChangeRequests(
+      @QueryParam("timeout") long timeout,
+      List<DataSegmentChangeRequest> changeRequestList,
+      @Context final HttpServletRequest req
+  ) throws IOException
+  {
+    if (loadDropRequestHandler == null) {
+      sendErrorResponse(req, HttpServletResponse.SC_NOT_FOUND, "load/drop 
handler is not available.");
+      return;
+    }
+
+    if (timeout <= 0) {
+      sendErrorResponse(req, HttpServletResponse.SC_BAD_REQUEST, "timeout must 
be positive.");
+      return;
+    }
+
+    if (changeRequestList == null || changeRequestList.isEmpty()) {
+      sendErrorResponse(req, HttpServletResponse.SC_BAD_REQUEST, "No change 
requests provided.");
+      return;
+    }
+
+    final ResponseContext context = createContext(req.getHeader("Accept"));
+    final ListenableFuture<List<DataSegmentChangeResponse>> future =
+        loadDropRequestHandler.processBatch(changeRequestList, 
SegmentLoadDropHandler.SegmentLoadingMode.NORMAL);
+
+    final AsyncContext asyncContext = req.startAsync();
+
+    asyncContext.addListener(
+        new AsyncListener()
+        {
+          @Override
+          public void onComplete(AsyncEvent event)
+          {
+          }
+
+          @Override
+          public void onTimeout(AsyncEvent event)
+          {
+
+            // HTTP 204 NO_CONTENT is sent to the client.
+            future.cancel(true);
+            event.getAsyncContext().complete();
+          }
+
+          @Override
+          public void onError(AsyncEvent event)
+          {
+          }
+
+          @Override
+          public void onStartAsync(AsyncEvent event)
+          {
+          }
+        }
+    );
+
+    Futures.addCallback(
+        future,
+        new FutureCallback<>()
+        {
+          @Override
+          public void onSuccess(List<DataSegmentChangeResponse> result)
+          {
+            try {
+              HttpServletResponse response = (HttpServletResponse) 
asyncContext.getResponse();
+              response.setStatus(HttpServletResponse.SC_OK);
+              
context.inputMapper.writerFor(HttpLoadQueuePeon.RESPONSE_ENTITY_TYPE_REF)
+                                 
.writeValue(asyncContext.getResponse().getOutputStream(), result);
+              asyncContext.complete();
+            }
+            catch (Exception ex) {
+              log.debug(ex, "Request timed out or closed already.");
+            }
+          }
+
+          @Override
+          public void onFailure(Throwable th)
+          {
+            try {
+              HttpServletResponse response = (HttpServletResponse) 
asyncContext.getResponse();
+              if (th instanceof IllegalArgumentException) {
+                response.sendError(HttpServletResponse.SC_BAD_REQUEST, 
th.getMessage());
+              } else {
+                
response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, 
th.getMessage());
+              }
+              asyncContext.complete();

Review Comment:
   ## Information exposure through an error message
   
   [Error information](1) can be exposed to an external user.
   
   [Show more 
details](https://github.com/apache/druid/security/code-scanning/7716)



##########
server/src/main/java/org/apache/druid/server/http/SegmentListerResource.java:
##########
@@ -215,23 +215,131 @@
     return null;
   }
 
+  /**
+   * Deprecated.
+   *
+   * @see SegmentListerResource#applyDataSegmentChangeRequests(long, 
HistoricalSegmentChangeRequest, HttpServletRequest)
+   */
+  @Deprecated
+  @POST
+  @Path("/changeRequests")
+  @Produces({MediaType.APPLICATION_JSON, 
SmileMediaTypes.APPLICATION_JACKSON_SMILE})
+  @Consumes({MediaType.APPLICATION_JSON, 
SmileMediaTypes.APPLICATION_JACKSON_SMILE})
+  public void applyDataSegmentChangeRequests(
+      @QueryParam("timeout") long timeout,
+      List<DataSegmentChangeRequest> changeRequestList,
+      @Context final HttpServletRequest req
+  ) throws IOException
+  {
+    if (loadDropRequestHandler == null) {
+      sendErrorResponse(req, HttpServletResponse.SC_NOT_FOUND, "load/drop 
handler is not available.");
+      return;
+    }
+
+    if (timeout <= 0) {
+      sendErrorResponse(req, HttpServletResponse.SC_BAD_REQUEST, "timeout must 
be positive.");
+      return;
+    }
+
+    if (changeRequestList == null || changeRequestList.isEmpty()) {
+      sendErrorResponse(req, HttpServletResponse.SC_BAD_REQUEST, "No change 
requests provided.");
+      return;
+    }
+
+    final ResponseContext context = createContext(req.getHeader("Accept"));
+    final ListenableFuture<List<DataSegmentChangeResponse>> future =
+        loadDropRequestHandler.processBatch(changeRequestList, 
SegmentLoadDropHandler.SegmentLoadingMode.NORMAL);
+
+    final AsyncContext asyncContext = req.startAsync();
+
+    asyncContext.addListener(
+        new AsyncListener()
+        {
+          @Override
+          public void onComplete(AsyncEvent event)
+          {
+          }
+
+          @Override
+          public void onTimeout(AsyncEvent event)
+          {
+
+            // HTTP 204 NO_CONTENT is sent to the client.
+            future.cancel(true);
+            event.getAsyncContext().complete();
+          }
+
+          @Override
+          public void onError(AsyncEvent event)
+          {
+          }
+
+          @Override
+          public void onStartAsync(AsyncEvent event)
+          {
+          }
+        }
+    );
+
+    Futures.addCallback(
+        future,
+        new FutureCallback<>()
+        {
+          @Override
+          public void onSuccess(List<DataSegmentChangeResponse> result)
+          {
+            try {
+              HttpServletResponse response = (HttpServletResponse) 
asyncContext.getResponse();
+              response.setStatus(HttpServletResponse.SC_OK);
+              
context.inputMapper.writerFor(HttpLoadQueuePeon.RESPONSE_ENTITY_TYPE_REF)
+                                 
.writeValue(asyncContext.getResponse().getOutputStream(), result);
+              asyncContext.complete();
+            }
+            catch (Exception ex) {
+              log.debug(ex, "Request timed out or closed already.");
+            }
+          }
+
+          @Override
+          public void onFailure(Throwable th)
+          {
+            try {
+              HttpServletResponse response = (HttpServletResponse) 
asyncContext.getResponse();
+              if (th instanceof IllegalArgumentException) {
+                response.sendError(HttpServletResponse.SC_BAD_REQUEST, 
th.getMessage());
+              } else {
+                
response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, 
th.getMessage());
+              }
+              asyncContext.complete();
+            }
+            catch (Exception ex) {

Review Comment:
   ## Information exposure through an error message
   
   [Error information](1) can be exposed to an external user.
   [Error information](2) can be exposed to an external user.
   [Error information](3) can be exposed to an external user.
   [Error information](4) can be exposed to an external user.
   
   [Show more 
details](https://github.com/apache/druid/security/code-scanning/7717)


