github-advanced-security[bot] commented on code in PR #19236:
URL: https://github.com/apache/druid/pull/19236#discussion_r3012755641
##########
extensions-contrib/druid-iceberg-extensions/src/main/java/org/apache/druid/iceberg/input/IcebergCatalog.java:
##########
@@ -110,7 +152,7 @@
Expression detectedResidual = null;
for (FileScanTask task : tasks) {
- dataFilePaths.add(task.file().location());
+ dataFilePaths.add(task.file().path().toString());
Review Comment:
## Deprecated method or constructor invocation
Invoking [ContentFile.path](1) should be avoided because it has been
deprecated.
[Show more
details](https://github.com/apache/druid/security/code-scanning/10935)
##########
extensions-contrib/druid-iceberg-extensions/src/main/java/org/apache/druid/iceberg/input/IcebergInputSource.java:
##########
@@ -194,19 +196,39 @@
return delegateInputSource;
}
+ /**
+ * Sets the task auth context for accessing the Iceberg catalog with user
credentials.
+ * If the catalog is a {@link RestIcebergCatalog}, the credentials will be
passed to it
+ * for authentication with the REST catalog server.
+ *
+ * @param taskAuthContext the auth context containing credentials, may be
null
+ */
+ public void setTaskAuthContext(@Nullable TaskAuthContext taskAuthContext)
Review Comment:
## Missing Override annotation
This method overrides [TaskAuthContextAware.setTaskAuthContext](1); it is
advisable to add an Override annotation.
[Show more
details](https://github.com/apache/druid/security/code-scanning/10934)
##########
indexing-service/src/main/java/org/apache/druid/indexing/overlord/http/OverlordResource.java:
##########
@@ -185,6 +205,20 @@
throw new ForbiddenException(authResult.getErrorMessage());
}
+ // Inject auth context if provider is configured
+ if (taskAuthContextProvider != null) {
+ final AuthenticationResult authenticationResult =
AuthorizationUtils.authenticationResultFromRequest(req);
+ if (authenticationResult != null) {
+ final TaskAuthContext taskAuthContext =
taskAuthContextProvider.createTaskAuthContext(
+ authenticationResult,
+ task
+ );
Review Comment:
## User-controlled bypass of sensitive method
Sensitive method may not be executed depending on a [this condition](1),
which flows from [user-controlled value](2).
[Show more
details](https://github.com/apache/druid/security/code-scanning/10933)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
