zabetak commented on code in PR #4537:
URL: https://github.com/apache/hive/pull/4537#discussion_r1280491335
##########
jdbc/src/java/org/apache/hive/jdbc/saml/HiveJdbcBrowserClient.java:
##########
@@ -200,10 +206,47 @@ private Map<String, String> getQueryParams(URI ssoUri)
return paramMap;
}
+ /**
+ * The pattern for valid urls (http/s).
+ */
+ private static final Pattern VALID_URL = createValidUrlPattern();
+ private static Pattern createValidUrlPattern() {
+ final String validURLPattern =
Review Comment:
The validation pattern is pretty complex and as Sonar points out it can lead
to Security Hotspots etc. Do we need this check to be that complicated? What
exactly do we want to achieve?
If the intention is to allow only redirection to HTTP, HTTPS, URIs then the
check can be made much simpler by using `URI.getScheme` method. As a matter of
fact the `JdbcBrowserClientContext` or
`org.apache.hive.jdbc.saml.HiveJdbcSamlRedirectStrategy#createLocationURI`
classes may be a better place to impose restrictions around the URI.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
