Allow request headers in HttpInputSource in native and MSQ Ingestion #16974
abhishekagarwal87 merged 12 commits into apache:master from
Adding more tests and coverage.
Please also add a corresponding runtime property to whitelist what header keys are allowed. The default can be empty and thus no header is allowed. These free-form property maps can create security holes.
That runtime property should be added to
| @JsonProperty("httpAuthenticationUsername") @Nullable String httpAuthenticationUsername, | ||
| @JsonProperty("httpAuthenticationPassword") @Nullable PasswordProvider httpAuthenticationPasswordProvider, | ||
| @JsonProperty(SYSTEM_FIELDS_PROPERTY) @Nullable SystemFields systemFields, | ||
| @JsonProperty("additionalHeaders") @Nullable Map<String, String> headersMap, |
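Review bot: The new additionalHeaders parameter on the last line takes header values as a plain Map<String, String>, while the password two lines above goes through PasswordProvider. Request headers such as Authorization commonly carry credentials, so any secret passed this way sits in the ingestion spec as plaintext JSON. Consider allowing a PasswordProvider-style indirection for header values, and make sure the values are kept out of logs and toString() output.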
we should rename this to requestHeaders everywhere.
abhishekagarwal87 left a comment
Minor comments. Looks good otherwise.
| throws IOException | ||
| { | ||
| final URLConnection urlConnection = object.toURL().openConnection(); | ||
| if (requestHeaders.size() > 0) { |
also need to check that requestHeaders is not null.
if not, then requestHeaders is not nullable.
| private final PasswordProvider httpAuthenticationPasswordProvider; | ||
| private final SystemFields systemFields; | ||
| private final HttpInputSourceConfig config; | ||
| private final Map<String, String> headersMap; |
| private final Map<String, String> headersMap; | |
| private final Map<String, String> requestHeaders; |
| if (!config.getAllowedHeaders().isEmpty() && headersMap.size() > 0) { | ||
| Set<String> forbiddenHeaderSet = headersMap.keySet() | ||
| .stream() | ||
| .map(StringUtils::toLowerCase) | ||
| .filter(h -> !config.getAllowedHeaders().contains(h)) | ||
| .collect(Collectors.toSet()); | ||
| if (!forbiddenHeaderSet.isEmpty()) { | ||
| throw new IAE("Got forbidden headers %s, allowed headers are only %s ", | ||
| forbiddenHeaderSet, config.getAllowedHeaders()); | ||
| } | ||
| } |
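Review bot: The guard !config.getAllowedHeaders().isEmpty() on the first line makes this check fail open: when the allowed list is empty the whole block is skipped and every key in headersMap is accepted, which is the opposite of the default asked for earlier in this conversation (empty list, no header allowed). Drop that condition so a header is rejected unless it is explicitly listed. The format string passed to IAE also ends with a stray space after the last %s.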
this could be simplified to
    // Reject the first header key that is not in the allowed list.
    for (String key : headersMap.keySet()) {
      if (!config.getAllowedHeaders().contains(key)) {
        throw new IAE(" Header [%s] is not allowed to be set. Only headers are allowed are [%s]. You can allow the headers by changing property <insert property name> ",
                      key, config.getAllowedHeaders());
      }
    }
Also please use InvalidInput.exception.
can you add one test with non-empty headers map?
| inputStreamPartial = HttpEntity.openInputStream(url, "", null, 5); | ||
| inputStream = HttpEntity.openInputStream(url, "", null, 0, Collections.emptyMap()); | ||
| inputStreamPartial = HttpEntity.openInputStream(url, "", null, 5, Collections.emptyMap()); | ||
| inputStream.skip(5); |
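Review bot: The return value of inputStream.skip(5) on the last line is discarded, and InputStream.skip is allowed to skip fewer bytes than requested. If that happens, inputStream is not positioned where inputStreamPartial (opened with 5 as its fourth argument) starts, and the test can pass or fail for the wrong reason. Assert that the call returns 5, or loop until 5 bytes have been skipped.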
Check notice
Code scanning / CodeQL
Ignored error status of call
| { | ||
| if (config.getAllowedHeaders().size() > 0) { | ||
| for (Map.Entry<String, String> entry : requestHeaders.entrySet()) { | ||
| if (!config.getAllowedHeaders().contains(StringUtils.toLowerCase(entry.getKey()))) { |
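Review bot: Only the request key is lowercased in the contains call on the last line, so the check is correct only if every entry returned by config.getAllowedHeaders() is already lowercase, and nothing in this hunk enforces that. HTTP header names are case-insensitive, so normalize the configured names where the config is built (or use a case-insensitive set) and add a test that puts a mixed-case name in the allowed list.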
are the keys in allowedHeaders always lower case?
Yes, they are mapped as lowercase and stored in maps
…On Wed, Sep 11, 2024, 7:56 PM Abhishek Agarwal ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In
processing/src/main/java/org/apache/druid/data/input/impl/HttpInputSource.java
<#16974 (comment)>:
> @@ -100,6 +98,27 @@ public static void throwIfInvalidProtocols(HttpInputSourceConfig config, List<UR
}
}
+ public static void throwIfForbiddenHeaders(HttpInputSourceConfig config, Map<String, String> requestHeaders)
+ {
+ if (config.getAllowedHeaders().size() > 0) {
+ for (Map.Entry<String, String> entry : requestHeaders.entrySet()) {
+ if (!config.getAllowedHeaders().contains(StringUtils.toLowerCase(entry.getKey()))) {
are the keys in allowedHeaders always lower case?
…pache#16974) Support for adding the request headers in HTTP input source. We can now pass the additional headers as JSON in both native and MSQ.
Description
PR for adding the request headers in HTTP input source. We can now pass the additional headers as JSON in both native and MSQ.
Examples below.
Release note
This PR has: