-
Notifications
You must be signed in to change notification settings - Fork 3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(vulnerability): Address high vulnerabilities #10337
Conversation
Thanks for the contribution! We are going to be reviewing soon! Can you please update the branch? |
...ervlet/src/main/java/io/datahubproject/openapi/schema/registry/SchemaRegistryController.java
Show resolved
Hide resolved
...actories/src/main/java/com/linkedin/metadata/boot/steps/IngestDataPlatformInstancesStep.java
Show resolved
Hide resolved
WalkthroughOverall, these changes primarily focus on improving security, logging, and precision across various components. Notable modifications include enhancing encryption algorithms, adopting secure random number generation, improving logging clarity, and refining error handling. These updates ensure better data protection, more accurate logs, and more robust error reporting while maintaining the core functionality. Changes
Sequence Diagram(s)N/A Poem
Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (invoked as PR comments)
Additionally, you can add CodeRabbit Configuration File (
|
Sure, have updated the branch. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actionable comments posted: 1
Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Files selected for processing (20)
- datahub-frontend/app/controllers/SsoCallbackController.java (1 hunks)
- datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/auth/RevokeAccessTokenResolver.java (1 hunks)
- datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/ingest/secret/DeleteSecretResolver.java (1 hunks)
- datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/ingest/secret/SecretUtils.java (2 hunks)
- datahub-web-react/src/app/entity/dataset/profile/schema/utils/translateFieldPathSegment.tsx (1 hunks)
- entity-registry/src/main/java/com/linkedin/metadata/models/extractor/FieldExtractor.java (1 hunks)
- metadata-ingestion/src/datahub/configuration/git.py (2 hunks)
- metadata-ingestion/src/datahub/ingestion/source/mode.py (1 hunks)
- metadata-io/src/main/java/com/linkedin/metadata/systemmetadata/ESSystemMetadataDAO.java (1 hunks)
- metadata-operation-context/src/main/java/io/datahubproject/metadata/services/SecretService.java (2 hunks)
- metadata-service/auth-filter/src/main/java/com/datahub/auth/authentication/filter/AuthenticationFilter.java (1 hunks)
- metadata-service/auth-servlet-impl/src/main/java/com/datahub/auth/authentication/AuthServiceController.java (6 hunks)
- metadata-service/factories/src/main/java/com/linkedin/metadata/boot/steps/IngestDataPlatformInstancesStep.java (1 hunks)
- metadata-service/graphql-servlet-impl/src/main/java/com/datahub/graphql/GraphQLController.java (1 hunks)
- metadata-service/schema-registry-servlet/src/main/java/io/datahubproject/openapi/schema/registry/SchemaRegistryController.java (1 hunks)
- metadata-service/services/src/main/java/com/linkedin/metadata/service/RollbackService.java (1 hunks)
- smoke-test/tests/cypress/cypress/e2e/mutations/dataset_ownership.js (1 hunks)
- smoke-test/tests/cypress/cypress/e2e/mutations/ingestion_source.js (1 hunks)
- smoke-test/tests/cypress/cypress/e2e/mutations/managing_secrets.js (1 hunks)
- smoke-test/tests/cypress/cypress/e2e/settings/managing_groups.js (1 hunks)
Files skipped from review due to trivial changes (3)
- datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/auth/RevokeAccessTokenResolver.java
- datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/ingest/secret/SecretUtils.java
- metadata-io/src/main/java/com/linkedin/metadata/systemmetadata/ESSystemMetadataDAO.java
Additional comments not posted (25)
datahub-graphql-core/src/main/java/com/linkedin/datahub/graphql/resolvers/ingest/secret/DeleteSecretResolver.java (3)
26-26
: Ensure consistency with variable renaming.The variable
inputUrn
is more descriptive thansecretUrn
, which improves code readability. Verify that this change is consistently applied throughout the codebase to avoid any potential errors.
32-32
: Return the renamed variable.Ensure that the renamed variable
inputUrn
is correctly returned.
35-35
: Update error message with renamed variable.Ensure that the error message correctly references the renamed variable
inputUrn
.datahub-web-react/src/app/entity/dataset/profile/schema/utils/translateFieldPathSegment.tsx (1)
31-31
: Regex usage for extracting typeName is appropriate.The use of regex to extract
typeName
fromfieldPathSegment
is a robust solution that ensures correct extraction even if the format changes.smoke-test/tests/cypress/cypress/e2e/mutations/ingestion_source.js (1)
1-1
: Enhanced security withcrypto.getRandomValues()
.Using
crypto.getRandomValues()
instead ofMath.random()
for generating random values enhances security by utilizing a cryptographically secure method.smoke-test/tests/cypress/cypress/e2e/mutations/dataset_ownership.js (1)
1-1
: Enhanced security withcrypto.getRandomValues()
.Using
crypto.getRandomValues()
instead ofMath.random()
for generating random values enhances security by utilizing a cryptographically secure method.metadata-service/factories/src/main/java/com/linkedin/metadata/boot/steps/IngestDataPlatformInstancesStep.java (1)
64-64
: Change the type ofstart
tolong
to avoid potential issues.Casting
numEntities
to anint
within the while loop condition may lead to issues ifnumEntities
exceeds the range of anint
. Consider changing the type ofstart
tolong
and fixing all relevant issues.- int start = 0; + long start = 0;Likely invalid or redundant comment.
metadata-operation-context/src/main/java/io/datahubproject/metadata/services/SecretService.java (2)
53-53
: Review the security and compatibility implications of changing the cipher instance.Changing the cipher instance from
"AES/ECB/PKCS5Padding"
to"AES"
may affect security and compatibility. Ensure that this change does not introduce vulnerabilities or compatibility issues.
75-75
: Review the security and compatibility implications of changing the cipher instance.Changing the cipher instance from
"AES/ECB/PKCS5Padding"
to"AES"
may affect security and compatibility. Ensure that this change does not introduce vulnerabilities or compatibility issues.smoke-test/tests/cypress/cypress/e2e/mutations/managing_secrets.js (1)
1-1
: Good job enhancing security by usingcrypto.getRandomValues()
instead ofMath.random()
.This change improves the security of random test ID generation.
smoke-test/tests/cypress/cypress/e2e/settings/managing_groups.js (1)
1-1
: Security Enhancement Approved.Switching from
Math.random()
tocrypto.getRandomValues()
for generating random IDs improves security.datahub-frontend/app/controllers/SsoCallbackController.java (1)
69-70
: Logging Enhancement Approved.Adding a log statement to provide information about the SSO callback protocol is a useful enhancement.
metadata-ingestion/src/datahub/configuration/git.py (2)
3-3
: URL Parsing Enhancement Approved.Adding
urlparse
to parse and validate the repository URL enhances security and robustness.
43-48
: Validation Enhancement Approved.Validating the repository host against a list of allowed hosts improves security.
metadata-service/graphql-servlet-impl/src/main/java/com/datahub/graphql/GraphQLController.java (1)
78-78
: Logging Enhancement Approved.Refining the error logging to include the exception when JSON parsing fails is a useful enhancement.
metadata-service/services/src/main/java/com/linkedin/metadata/service/RollbackService.java (1)
176-176
: Ensure the conversion to int is necessary and safe.The conversion of
getNumDocsDeleted()
to anint
might be necessary due to downstream requirements, but ensure that the original value is within the range ofint
to avoid potential overflow issues.metadata-service/auth-filter/src/main/java/com/datahub/auth/authentication/filter/AuthenticationFilter.java (1)
95-95
: LGTM! Ensure consistent error handling.The change to send a generic error message for unauthorized actions is appropriate. Ensure that similar error handling is applied consistently across the codebase.
metadata-service/schema-registry-servlet/src/main/java/io/datahubproject/openapi/schema/registry/SchemaRegistryController.java (1)
310-314
: LGTM! Validate topic names to avoid log injection.The changes to validate topic names and log errors accordingly are appropriate. This helps avoid log injection vulnerabilities.
metadata-service/auth-servlet-impl/src/main/java/com/datahub/auth/authentication/AuthServiceController.java (6)
126-126
: LGTM! Proper error logging when parsing JSON.The change to log an error when parsing JSON while attempting to generate a session token is appropriate.
196-196
: LGTM! Proper error logging when parsing JSON.The change to log an error when parsing JSON while attempting to create a native user is appropriate.
241-241
: LGTM! Proper error logging for invalid invite token.The change to log an error when an invalid invite token is detected is appropriate.
285-285
: LGTM! Proper error logging when parsing JSON.The change to log an error when parsing JSON while attempting to reset native user credentials is appropriate.
343-343
: LGTM! Proper error logging when parsing JSON.The change to log an error when parsing JSON while attempting to verify native user password is appropriate.
389-389
: LGTM! Proper error logging when parsing JSON.The change to log an error when parsing JSON while attempting to track analytics event is appropriate.
metadata-ingestion/src/datahub/ingestion/source/mode.py (1)
Line range hint
744-749
:
Verify the correctness of the regex pattern and its usage.The regular expression pattern
@[a-zA-Z]+
is used to match definition names. Ensure that this pattern correctly matches all intended cases.
entity-registry/src/main/java/com/linkedin/metadata/models/extractor/FieldExtractor.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actionable comments posted: 0
Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Files selected for processing (1)
- entity-registry/src/main/java/com/linkedin/metadata/models/extractor/FieldExtractor.java (1 hunks)
Files skipped from review as they are similar to previous changes (1)
- entity-registry/src/main/java/com/linkedin/metadata/models/extractor/FieldExtractor.java
Checklist
Summary by CodeRabbit
Bug Fixes
Math.random()
withcrypto.getRandomValues()
in various Cypress test files.Improvements