github-advanced-security[bot] commented on code in PR #7648: URL: https://github.com/apache/incubator-seata/pull/7648#discussion_r2368299975
########## console/src/main/java/org/apache/seata/console/filter/MCPBusinessDataSourceFilter.java: ########## @@ -0,0 +1,69 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.seata.console.filter; + +import org.apache.seata.mcp.entity.pojo.BusinessDataSourcesProperties; +import org.jetbrains.annotations.NotNull; +import org.springframework.http.HttpStatus; +import org.springframework.web.filter.OncePerRequestFilter; + +import javax.servlet.FilterChain; +import javax.servlet.ServletException; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.io.IOException; +import java.util.Set; +import java.util.concurrent.ConcurrentHashMap; + +public class MCPBusinessDataSourceFilter extends OncePerRequestFilter { + + private final BusinessDataSourcesProperties businessDataSourcesProperties; + + private final Set<String> processedConfigs = ConcurrentHashMap.newKeySet(); + + public MCPBusinessDataSourceFilter(BusinessDataSourcesProperties properties) { + this.businessDataSourcesProperties = properties; + } + + @Override + protected void doFilterInternal( + HttpServletRequest request, @NotNull HttpServletResponse response, @NotNull FilterChain filterChain) + throws ServletException, IOException { + String combinedHeader = request.getHeader("X-DB-Config"); + if (combinedHeader != null && !combinedHeader.isEmpty()) { + String[] jsonConfigs = combinedHeader.split(";"); + for (String jsonDBConfig : jsonConfigs) { + if (processedConfigs.contains(jsonDBConfig.trim())) { + continue; + } + try { + businessDataSourcesProperties.registerDataSourceFromJson(jsonDBConfig.trim()); + processedConfigs.add(jsonDBConfig.trim()); + } catch (Exception e) { + if (!response.isCommitted()) { + response.sendError( + HttpStatus.BAD_REQUEST.value(), + "The business database parameter in the request header is incorrect: " + + e.getMessage()); Review Comment: ## Information exposure through an error message [Error information](1) can be exposed to an external user. [Error information](2) can be exposed to an external user. [Error information](3) can be exposed to an external user. [Show more details](https://github.com/apache/incubator-seata/security/code-scanning/48) ########## server/src/main/java/org/apache/seata/server/console/impl/file/ServerLogFileServiceImpl.java: ########## @@ -0,0 +1,125 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.seata.server.console.impl.file; + +import org.apache.seata.common.ConfigurationKeys; +import org.apache.seata.server.console.entity.param.ServerLogParam; +import org.apache.seata.server.console.service.ServerLogService; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.springframework.beans.factory.annotation.Autowired; +import org.springframework.core.env.Environment; +import org.springframework.http.HttpHeaders; +import org.springframework.http.HttpStatus; +import org.springframework.http.MediaType; +import org.springframework.http.ResponseEntity; +import org.springframework.stereotype.Service; +import org.springframework.web.servlet.mvc.method.annotation.StreamingResponseBody; + +import java.io.*; +import java.nio.channels.Channels; +import java.nio.channels.ClosedChannelException; +import java.nio.channels.FileChannel; +import java.nio.file.Files; +import java.nio.file.Path; +import java.nio.file.Paths; +import java.nio.file.StandardOpenOption; + +@Service +public class ServerLogFileServiceImpl implements ServerLogService { + + @Autowired + private Environment env; + + private static final String DEFAULT_APP_NAME = "seata-server"; + + private static final Integer MAX_LOG_FILE_SIZE = 500 * 1024 * 1024; // 500MB + + private final Logger LOGGER = LoggerFactory.getLogger(ServerLogFileServiceImpl.class); + + @Override + public ResponseEntity<StreamingResponseBody> getServerLogFile(ServerLogParam serverLogParam) { + String logPathString = buildLogFilePath(serverLogParam); + Path logPath = Paths.get(logPathString); + if (Files.exists(logPath)) { Review Comment: ## Uncontrolled data used in path expression This path depends on a [user-provided value](1). [Show more details](https://github.com/apache/incubator-seata/security/code-scanning/49) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
