tomsun28 commented on code in PR #3367:
URL: https://github.com/apache/hertzbeat/pull/3367#discussion_r2094439853
##########
hertzbeat-alerter/src/main/java/org/apache/hertzbeat/alert/notice/impl/DingTalkRobotAlertNotifyHandlerImpl.java:
##########
@@ -54,7 +54,15 @@ public void send(NoticeReceiver receiver, NoticeTemplate
noticeTemplate, GroupAl
HttpHeaders headers = new HttpHeaders();
headers.setContentType(MediaType.APPLICATION_JSON);
HttpEntity<DingTalkWebHookDto> httpEntity = new
HttpEntity<>(dingTalkWebHookDto, headers);
- String webHookUrl = alerterProperties.getDingTalkWebhookUrl() +
receiver.getAccessToken();
+ String baseUrl = alerterProperties.getDingTalkWebhookUrl();
+ String accessToken = receiver.getAccessToken();
+ if (StringUtils.isBlank(accessToken) ||
!accessToken.matches("^[a-zA-Z0-9_-]+$")) {
+ throw new AlertNoticeException("Invalid access token provided
for DingTalk webhook.");
+ }
+ String webHookUrl = baseUrl + accessToken;
+ if (!webHookUrl.startsWith(baseUrl)) {
+ throw new AlertNoticeException("Constructed webhook URL does
not match the trusted base URL.");
+ }
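Review bot: the final `if (!webHookUrl.startsWith(baseUrl))` check in this hunk can never fail, because `webHookUrl` is built one line earlier as `baseUrl + accessToken`, so a string concatenation always starts with its left operand; the branch is dead code and the second `AlertNoticeException` is unreachable. The real protection here is the `accessToken.matches("^[a-zA-Z0-9_-]+$")` check above it, which confines the token to a safe character set and so prevents a receiver-supplied token from smuggling path segments, query parameters or a different host into the webhook URL. Suggest dropping the `startsWith` block, or replacing it with a check that actually adds information (for example validating `baseUrl` itself, which is currently used unchecked). Minor: `String.matches` already matches the whole string, so the `^`/`$` anchors are redundant, and compiling the regex on every `send` call could be avoided with a `static final Pattern`.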
Review Comment:
Is this an invalid judgment?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.