suneet-s commented on pull request #10106: URL: https://github.com/apache/druid/pull/10106#issuecomment-652170871
> > It prevents special characters from being used in the authorizer name so that the authorizer can not be abused to access files on the overlord. > > Could you elaborate a bit more on the details in the PR description? The actual issue here isn't clear to me. I don't quite understand how it could be, but is this a security vulnerability? Or is lgtm just complaining about a value that comes from a config? lgtm is complaining about the values coming from an API endpoint. The APIs lgtm flagged are all guarded by a check that only allows druid admins to access them. So in theory, a rogue druid admin could use this API to access the file system. IMO this isn't a huge security concern, since it is currently assumed that a druid admin can access the same files that the druid process can. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@druid.apache.org For additional commands, e-mail: commits-h...@druid.apache.org
