Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Fix] add resource full name check #15757

Merged
merged 7 commits into from
Mar 25, 2024
Merged

[Fix] add resource full name check #15757

merged 7 commits into from
Mar 25, 2024

Conversation

caishunfeng
Copy link
Contributor

@caishunfeng caishunfeng commented Mar 22, 2024
edited
Loading

Purpose of the pull request

Add the resource full name check during resource operations to avoid illegal paths.

Brief change log

dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/ResourcesServiceImpl.java

private void checkFullName(String baseDir, String fullName) {
        if (StringUtils.isNotBlank(fullName) && !StringUtils.startsWith(fullName, baseDir)) {
            throw new ServiceException("Resource file: " + fullName + " is illegal");
        }
    }

Verify this pull request

  • Manually verified the change by testing locally.

@caishunfeng caishunfeng added bug Something isn't working 3.2.2 labels Mar 22, 2024
@caishunfeng caishunfeng self-assigned this Mar 22, 2024
@caishunfeng
Copy link
Contributor Author

caishunfeng commented Mar 22, 2024
edited
Loading

ruanwenjun
ruanwenjun reviewed Mar 25, 2024
View reviewed changes
...ler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/ResourcesServiceImpl.java Outdated
Comment on lines 1298 to 1301
if (StringUtils.isEmpty(resTenantCode)) {
return true;
}
return resTenantCode.equals(userTenantCode);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Will the resTenantCode be empty?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, when resource create or upload, the resource tenant code is empty. But the better way is to remove checking if not need. I will update it.

dolphinscheduler/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/ResourcesServiceImpl.java

Line 130 in dcc9d64

if (!isUserTenantValid(isAdmin(loginUser), tenantCode, "")) {

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Resource tenant code will be empty when query resources list, so I keep the logic.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK

@codecov-commenter
Copy link

codecov-commenter commented Mar 25, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 78.57143% with 6 lines in your changes are missing coverage. Please review.

Project coverage is 39.09%. Comparing base (dcc9d64) to head (726ecb0).

❗ Current head 726ecb0 differs from pull request most recent head 52c5dca. Consider uploading reports for the commit 52c5dca to get more accurate results

Files Patch % Lines
...heduler/api/service/impl/ResourcesServiceImpl.java 78.57% 5 Missing and 1 partial ⚠️
Additional details and impacted files 
@@             Coverage Diff              @@
##                dev   #15757      +/-   ##
============================================
- Coverage     39.10%   39.09%   -0.02%     
+ Complexity     4855     4850       -5     
============================================
  Files          1316     1316              
  Lines         44962    44936      -26     
  Branches       4808     4797      -11     
============================================
- Hits          17583    17567      -16     
  Misses        25478    25478              
+ Partials       1901     1891      -10

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@github-actions github-actions bot added the UI ui and front end related label Mar 25, 2024
@sonarcloud SonarCloud
Copy link

sonarcloud bot commented Mar 25, 2024

Quality Gate Passed Quality Gate passed

Issues
2 New issues
0 Accepted issues

Measures
0 Security Hotspots
79.5% Coverage on New Code
5.8% Duplication on New Code

See analysis details on SonarCloud

ruanwenjun
ruanwenjun approved these changes Mar 25, 2024
View reviewed changes
Copy link
Member

@ruanwenjun ruanwenjun left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ruanwenjun ruanwenjun added this to the 3.2.2 milestone Mar 25, 2024
@caishunfeng caishunfeng merged commit bcf1b67 into apache:dev Mar 25, 2024
60 checks passed
@caishunfeng caishunfeng mentioned this pull request Apr 1, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ruanwenjun ruanwenjun ruanwenjun approved these changes

@SbloodyS SbloodyS Awaiting requested review from SbloodyS SbloodyS is a code owner

@songjianet songjianet Awaiting requested review from songjianet songjianet is a code owner

@Amy0104 Amy0104 Awaiting requested review from Amy0104

Assignees

@caishunfeng caishunfeng

Labels
3.2.2 backend bug Something isn't working ready-to-merge UI ui and front end related
Projects
None yet
Milestone
3.2.2
Development

Successfully merging this pull request may close these issues.
3 participants
@caishunfeng @codecov-commenter @ruanwenjun