This is an automated email from the ASF dual-hosted git repository. vaughn pushed a commit to branch feat_security in repository https://gitbox.apache.org/repos/asf/incubator-hugegraph.git
commit 2a3199771e39bce330c06dbfdc6ad9525dfe0196
Author: vaughn.zhang <[email protected]>
AuthorDate: Fri Jan 19 13:49:58 2024 +0800
fix: security bug
---
 hugegraph-server/hugegraph-api/pom.xml | 6 ++++++
 .../org/apache/hugegraph/api/filter/AuthenticationFilter.java | 11 ++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/hugegraph-server/hugegraph-api/pom.xml b/hugegraph-server/hugegraph-api/pom.xml
index 459a22e0e..bcfbdbc34 100644
--- a/hugegraph-server/hugegraph-api/pom.xml
+++ b/hugegraph-server/hugegraph-api/pom.xml
@@ -164,6 +164,12 @@
 <artifactId>arthas-packaging</artifactId>
 <version>${arthas.version}</version>
 </dependency>
+ <dependency>
+ <groupId>org.gridkit.jvmtool</groupId>
+ <artifactId>sjk-core</artifactId>
+ <version>0.14</version>
+ <scope>compile</scope>
+ </dependency>
 </dependencies>
 <build>
diff --git a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java
index d3da3af6d..127b163bd 100644
--- a/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java
+++ b/hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/api/filter/AuthenticationFilter.java
@@ -41,6 +41,7 @@ import org.apache.hugegraph.util.Log;
 import org.apache.tinkerpop.gremlin.server.auth.AuthenticationException;
 import org.glassfish.grizzly.http.server.Request;
 import org.glassfish.grizzly.utils.Charsets;
+import org.gridkit.jvmtool.cmd.AntPathMatcher;
 import org.slf4j.Logger;
 import com.alipay.remoting.util.StringUtils;
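Review bot: The new `sjk-core` dependency pulls a JVM diagnostics toolkit into the API server at compile scope only to obtain `org.gridkit.jvmtool.cmd.AntPathMatcher` (see the import added in the next hunk), which enlarges the runtime classpath and supply-chain surface well beyond what a path matcher needs. A single-purpose glob matcher, or one provided by a library the server already ships, would keep the whitelist logic auditable without a new transitive tree; if this artifact stays, its transitive dependencies and license should be reviewed like any other compile-scope addition. `<scope>compile</scope>` is the Maven default and can be dropped. A one-line comment on the `<dependency>` element, `<!-- used only for the auth whitelist path matcher in AuthenticationFilter -->`, would explain an otherwise surprising addition.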
@@ -71,10 +72,11 @@ public class AuthenticationFilter implements ContainerRequestFilter {
 private static final Logger LOG = Log.logger(AuthenticationFilter.class);
 private static final List<String> WHITE_API_LIST = ImmutableList.of(
- "auth/login",
- "versions",
- "openapi.json"
+ "/**/auth/login",
+ "/**/versions",
+ "/**/openapi.json"
 );
+ private static final AntPathMatcher MATCHER = new AntPathMatcher();
 private static String whiteIpStatus;
@@ -314,9 +316,8 @@ public class AuthenticationFilter implements ContainerRequestFilter {
 public static boolean isWhiteAPI(ContainerRequestContext context) {
 String path = context.getUriInfo().getPath();
- for (String whiteApi : WHITE_API_LIST) {
- if (path.endsWith(whiteApi)) {
+ if (MATCHER.match(path, whiteApi)) {
 return true;
 }
 }
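Review bot: The new `WHITE_API_LIST` entries start with `/`, but `isWhiteAPI` (the following hunk) matches them against `context.getUriInfo().getPath()`, which in JAX-RS is the path relative to the base URI and normally carries no leading slash, so a pattern such as `/**/auth/login` is likely never to match `auth/login` and the login endpoint would fall under authentication; this needs a test against the real path value, e.g. asserting `isWhiteAPI` returns true for a request to `auth/login`. In that same `isWhiteAPI` hunk the `for` loop over `WHITE_API_LIST` is removed while `whiteApi` is still referenced and the closing braces are unchanged, so as shown the new side does not compile unless a line was lost in the mail; the loop should remain around the new `if`. If this `AntPathMatcher` mirrors Spring's, the pattern is the first argument, so `MATCHER.match(path, whiteApi)` looks reversed and should read `MATCHER.match(whiteApi, path)`. A comment on `WHITE_API_LIST` should also state that `/**/` deliberately accepts these endpoints under any prefix, which is broader than an exact path; if the server only mounts them at fixed locations, exact patterns would be the tighter whitelist. The class body continues outside this hunk.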
