BitoAgent commented on code in PR #13786: URL: https://github.com/apache/dubbo/pull/13786#discussion_r1585704539
########## dubbo-rpc/dubbo-rpc-triple/src/main/java/org/apache/dubbo/rpc/protocol/tri/h12/http2/GenericHttp2ServerTransportListener.java: ########## @@ -86,6 +86,7 @@ protected Executor initializeExecutor(Http2Header metadata) { return new SerializingExecutor(executorSupport.getExecutor(metadata)); } + @Override protected void doOnMetadata(Http2Header metadata) { if (metadata.isEndStream()) { if (!HttpMethods.supportBody(metadata.method())) { Review Comment: **Security Issue**: Missing authorization checks in the doOnMetadata method which processes HTTP/2 headers. This could potentially allow unauthorized access to sensitive operations based on metadata content. <br> **Fix**: Implement authorization checks to verify that the user has the necessary permissions to perform operations based on the metadata content. <br> **Code Suggestion**: ``` + if (!authorizeUser(metadata)) { + throw new SecurityException("Unauthorized metadata access"); + } protected void doOnMetadata(Http2Header metadata) { if (metadata.isEndStream()) { if (!HttpMethods.supportBody(metadata.method())) { ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@dubbo.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: notifications-unsubscr...@dubbo.apache.org For additional commands, e-mail: notifications-h...@dubbo.apache.org