sonatype-lift[bot] commented on code in PR #975: URL: https://github.com/apache/solr/pull/975#discussion_r948381273
########## solr/core/src/java/org/apache/solr/security/AuthorizationUtils.java: ########## @@ -0,0 +1,126 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.solr.security; + +import org.apache.http.HttpStatus; +import org.apache.solr.common.params.SolrParams; +import org.apache.solr.core.CoreContainer; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.io.IOException; +import java.lang.invoke.MethodHandles; +import java.util.ArrayList; +import java.util.List; +import java.util.Map; + +import static org.apache.solr.common.cloud.ZkStateReader.COLLECTION_PROP; +import static org.apache.solr.common.params.CollectionParams.CollectionAction.CREATE; +import static org.apache.solr.common.params.CollectionParams.CollectionAction.DELETE; +import static org.apache.solr.common.params.CollectionParams.CollectionAction.RELOAD; +import static org.apache.solr.servlet.HttpSolrCall.shouldAudit; + +public class AuthorizationUtils { + private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass()); + + private AuthorizationUtils() { /* Private ctor prevents instantiation */} + + public static class AuthorizationFailure { + private final int statusCode; + private final String message; + public AuthorizationFailure(int statusCode, String message) { + this.statusCode = statusCode; + this.message = message; + } + + public int getStatusCode() { return statusCode; } + public String getMessage() { return message; } + } + + public static AuthorizationFailure authorize(HttpServletRequest servletReq, HttpServletResponse response, + CoreContainer cores, AuthorizationContext context) throws IOException { + log.debug("AuthorizationContext : {}", context); + AuthorizationResponse authResponse = cores.getAuthorizationPlugin().authorize(context); Review Comment: 💬 3 similar findings have been found in this PR --- *NULL_DEREFERENCE:* object returned by `cores.getAuthorizationPlugin()` could be null and is dereferenced at line 60. --- <details><summary><b>Expand here to view all instances of this finding</b></summary><br/> <div align="center"> | **File Path** | **Line Number** | | ------------- | ------------- | | solr/core/src/java/org/apache/solr/schema/BBoxField.java | [142](https://github.com/gerlowskija/solr/blob/f2959369e5541d377ee6ef34ae703ab4013b79d5/solr/core/src/java/org/apache/solr/schema/BBoxField.java#L142)| | solr/core/src/java/org/apache/solr/handler/component/QueryComponent.java | [1422](https://github.com/gerlowskija/solr/blob/f2959369e5541d377ee6ef34ae703ab4013b79d5/solr/core/src/java/org/apache/solr/handler/component/QueryComponent.java#L1422)| | solr/core/src/java/org/apache/solr/handler/component/QueryComponent.java | [1512](https://github.com/gerlowskija/solr/blob/f2959369e5541d377ee6ef34ae703ab4013b79d5/solr/core/src/java/org/apache/solr/handler/component/QueryComponent.java#L1512)| <p><a href="https://lift.sonatype.com/results/github.com/apache/solr/01GAPMKNSD4R1GX3CC4ST9P9MV?t=Infer|NULL_DEREFERENCE" target="_blank">Visit the Lift Web Console</a> to find more details in your report.</p></div></details> --- Reply with *"**@sonatype-lift help**"* for info about LiftBot commands. Reply with *"**@sonatype-lift ignore**"* to tell LiftBot to leave out the above finding from this PR. Reply with *"**@sonatype-lift ignoreall**"* to tell LiftBot to leave out all the findings from this PR and from the status bar in Github. When talking to LiftBot, you need to **refresh** the page to see its response. [Click here](https://help.sonatype.com/lift/talking-to-lift) to get to know more about LiftBot commands. --- Was this a good recommendation? [ [🙁 Not relevant](https://www.sonatype.com/lift-comment-rating?comment=317126461&lift_comment_rating=1) ] - [ [😕 Won't fix](https://www.sonatype.com/lift-comment-rating?comment=317126461&lift_comment_rating=2) ] - [ [😑 Not critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=317126461&lift_comment_rating=3) ] - [ [🙂 Critical, will fix](https://www.sonatype.com/lift-comment-rating?comment=317126461&lift_comment_rating=4) ] - [ [😊 Critical, fixing now](https://www.sonatype.com/lift-comment-rating?comment=317126461&lift_comment_rating=5) ] -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org For additional commands, e-mail: issues-h...@solr.apache.org