[GitHub] [accumulo] milleruntime commented on a change in pull request #2075: Add fromClassPath Method

Thu, 06 May 2021 12:23:29 -0700 


milleruntime commented on a change in pull request #2075:
URL: https://github.com/apache/accumulo/pull/2075#discussion_r627703570



##########
File path: 
core/src/main/java/org/apache/accumulo/core/clientImpl/ClientInfoImpl.java
##########
@@ -115,6 +120,18 @@ public static Properties toProperties(Path propertiesFile) 
{
     return properties;
   }
 
+  @SuppressFBWarnings(value = "URLCONNECTION_SSRF_FD",
+      justification = "code runs in same security context as user who provided 
propertiesURL")
+  public static Properties toProperties(URL propertiesURL) {
+    Properties properties = new Properties();
+    try (InputStream is = propertiesURL.openStream()) {

Review comment:
       That's a good point. I was just thinking he could do something simple, 
like check to see if the URL ends with a valid extension but that will probably 
get vetted on `load()`. I told @slackwinner that it would be a good exercise to 
figure out how to sanitize a user parameter to prevent malcious code execution.

##########
File path: 
core/src/main/java/org/apache/accumulo/core/clientImpl/ClientInfoImpl.java
##########
@@ -115,6 +120,18 @@ public static Properties toProperties(Path propertiesFile) 
{
     return properties;
   }
 
+  @SuppressFBWarnings(value = "URLCONNECTION_SSRF_FD",
+      justification = "code runs in same security context as user who provided 
propertiesURL")
+  public static Properties toProperties(URL propertiesURL) {
+    Properties properties = new Properties();
+    try (InputStream is = propertiesURL.openStream()) {

Review comment:
       That's a good point. I was just thinking he could do something simple, 
like check to see if the URL ends with a valid extension but that will probably 
get vetted on `load()`. I told @slackwinner that it would be a good exercise to 
figure out how to sanitize a user parameter to prevent malicious code execution.




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to