FrankChen021 commented on code in PR #19572:
URL: https://github.com/apache/druid/pull/19572#discussion_r3395962163
##########
sql/src/main/java/org/apache/druid/sql/AbstractStatement.java:
##########
@@ -90,6 +91,24 @@ public AbstractStatement(
this.authContextKeys = queryPlus.authContextKeys();
this.queryContext = new HashMap<>(queryPlus.context());
sqlToolbox.engine.initContextMap(this.queryContext);
+ // Anti-spoof + propagation for reserved request-header context keys,
mirroring
+ // QueryLifecycle.initialize() on the native path. A client must not be
able to set a
+ // value for one of these keys via the SQL body context; the only
legitimate source is
+ // a filter-captured inbound header (RequestHeaderContext). Unlike the
native path,
+ // queryContext here is a fresh mutable map that IS the authoritative
context (it is not
+ // re-merged over the request body), so we can simply remove uncaptured
keys rather than
+ // overriding them to null. This sanitizes both the SQL request log and
the context handed
+ // to the planner; generated native sub-queries are additionally sanitized
by
+ // QueryLifecycle.initialize().
+ final Map<String, String> capturedHeaders = RequestHeaderContext.current();
+ for (String reservedKey :
sqlToolbox.requestHeaderContextConfig.getHeaderToContextKey().values()) {
+ final String capturedValue = capturedHeaders.get(reservedKey);
+ if (capturedValue != null) {
+ this.queryContext.put(reservedKey, capturedValue);
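Review bot: the sanitization loop runs after `sqlToolbox.engine.initContextMap(this.queryContext)`, so any reserved key the engine seeds there is either overwritten by a captured header or, per the comment's stated plan to "simply remove uncaptured keys", dropped; please either confirm that no engine initializes a header-reserved key or move the loop ahead of `initContextMap` and document which source wins. The hunk as shown also ends inside the `if (capturedValue != null)` branch, so the removal of uncaptured reserved keys the comment promises is not visible here; make sure the `else` path really does `this.queryContext.remove(reservedKey)`, and consider logging when a client-supplied value for a reserved key is discarded, since a silently dropped `priority` or `lane` is exactly the spoof attempt worth seeing in the SQL request log.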
Review Comment:
[P2] Authorize header-injected SQL context keys
The native QueryLifecycle path now adds captured header keys to the
authorized userContextKeys, but the SQL path freezes authContextKeys from
queryPlus.authContextKeys() before inserting captured header values into
queryContext. Direct, HTTP, and prepared SQL statements pass those frozen keys
to the planner, so with a mapping such as X-Foo -> priority or lane, a SQL
client can still set that header and have it reach planning without
QUERY_CONTEXT WRITE authorization for the same key. Please add the captured
header target keys to the SQL auth context set before planner authorization,
mirroring QueryLifecycle.
Reviewed 11 of 32 changed files.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
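To make the gap in the review concrete, here is an added Java illustration that is not Druid code and does not reproduce AbstractStatement or QueryLifecycle. It models the two pieces the thread discusses with hypothetical names: a `sanitize` step shaped like the hunk's anti-spoof loop (reserved keys from the SQL body are dropped, captured header values are propagated), and a planner authorization step that checks QUERY_CONTEXT WRITE for each key in an auth-context set. `HEADER_TO_CONTEXT_KEY`, `ContextWriteAuthorizer`, `captureHeaders` and the scenario in `main` are all constructed for this example; the mapping X-Foo -> priority is the one the review comment uses.

```java
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/**
 * Added illustration, not Druid code. Models the SQL-path gap from the review:
 * a header-injected reserved context key reaching the planner without
 * QUERY_CONTEXT WRITE authorization. Every name here is hypothetical.
 */
public class HeaderContextAuthExample
{
  /** Hypothetical stand-in for RequestHeaderContextConfig: inbound header -> reserved context key. */
  static final Map<String, String> HEADER_TO_CONTEXT_KEY = Map.of("X-Foo", "priority");

  /** Hypothetical authorizer: may the caller WRITE this QUERY_CONTEXT key? */
  interface ContextWriteAuthorizer
  {
    boolean mayWrite(String contextKey);
  }

  /** What a request filter would capture, keyed by context key like the hunk's capturedHeaders. */
  static Map<String, String> captureHeaders(Map<String, String> inboundHeaders)
  {
    Map<String, String> captured = new HashMap<>();
    HEADER_TO_CONTEXT_KEY.forEach((header, key) -> {
      String value = inboundHeaders.get(header);
      if (value != null) {
        captured.put(key, value);
      }
    });
    return captured;
  }

  /** Shaped like the hunk's loop: body-supplied reserved keys are removed, captured ones are propagated. */
  static Map<String, Object> sanitize(Map<String, Object> bodyContext, Map<String, String> captured)
  {
    Map<String, Object> ctx = new HashMap<>(bodyContext);
    for (String reservedKey : HEADER_TO_CONTEXT_KEY.values()) {
      String value = captured.get(reservedKey);
      if (value != null) {
        ctx.put(reservedKey, value);
      } else {
        ctx.remove(reservedKey);
      }
    }
    return ctx;
  }

  /** The gap: the auth set is frozen from the body before injection, so header-injected keys are never checked. */
  static boolean authorizeFrozenKeys(Map<String, Object> bodyContext, ContextWriteAuthorizer auth)
  {
    Set<String> authContextKeys = new HashSet<>(bodyContext.keySet()); // frozen before sanitize()
    return authContextKeys.stream().allMatch(auth::mayWrite);
  }

  /** The fix the review asks for: captured header target keys join the auth set before planner authorization. */
  static boolean authorizeWithHeaderKeys(
      Map<String, Object> bodyContext,
      Map<String, String> captured,
      ContextWriteAuthorizer auth
  )
  {
    Set<String> authContextKeys = new HashSet<>(bodyContext.keySet());
    authContextKeys.addAll(captured.keySet());
    return authContextKeys.stream().allMatch(auth::mayWrite);
  }

  public static void main(String[] args)
  {
    // Constructed scenario: the caller holds no QUERY_CONTEXT WRITE on "priority".
    ContextWriteAuthorizer noPriority = key -> !"priority".equals(key);
    Map<String, Object> plainBody = Map.of("sqlTimeZone", "UTC");

    // Route 1: put priority in the SQL body context. The anti-spoof loop strips it.
    Map<String, Object> viaBody = sanitize(Map.of("priority", 100, "sqlTimeZone", "UTC"), captureHeaders(Map.of()));
    System.out.println("body route, priority reaches planner: " + viaBody.containsKey("priority"));

    // Route 2: send X-Foo instead. The loop propagates it into the planner context...
    Map<String, String> captured = captureHeaders(Map.of("X-Foo", "100"));
    Map<String, Object> viaHeader = sanitize(plainBody, captured);
    System.out.println("header route, priority reaches planner: " + viaHeader.containsKey("priority"));

    // ...and an auth set frozen from the body never sees the key, so the caller is not challenged.
    System.out.println("frozen auth set permits caller: " + authorizeFrozenKeys(plainBody, noPriority));

    // With captured target keys added to the auth set, the same caller is refused.
    System.out.println("auth set incl. header keys permits caller: "
                       + authorizeWithHeaderKeys(plainBody, captured, noPriority));
  }
}
```

The point of the two `authorize*` variants is ordering: whatever keys the sanitization step injects must be part of the set the planner authorizes against, which means computing (or extending) that set after the captured header values are known rather than freezing it from the request body first.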