muse-dev[bot] commented on a change in pull request #1972:
URL: https://github.com/apache/lucene-solr/pull/1972#discussion_r527924929



##########
File path: 
solr/contrib/prometheus-exporter/src/java/org/apache/solr/prometheus/exporter/MetricsConfiguration.java
##########
@@ -66,13 +81,36 @@ public PrometheusExporterSettings getSettings() {
     return searchConfiguration;
   }
 
-  public static MetricsConfiguration from(XmlConfigFile config) throws 
Exception {
-    Node settings = config.getNode("/config/settings", false);
+  public static MetricsConfiguration from(String path) throws Exception {
+    // See solr-core XmlConfigFile
+    final DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
+    try {
+      dbf.setXIncludeAware(true);
+      dbf.setNamespaceAware(true);
+    } catch (UnsupportedOperationException e) {
+      log.warn("{} XML parser doesn't support XInclude option", path);
+    }
+
+    Document document;
+    File file = new File(path);
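
Review bot: `dbf.setXIncludeAware(true)` is enabled on a factory taken straight from `DocumentBuilderFactory.newInstance()`, and nothing in the lines shown restricts DOCTYPE declarations or external entities before the file at `path` is parsed. Because `from` now takes an arbitrary `String` path instead of an already loaded `XmlConfigFile`, whoever controls that string or the file's contents also decides which other local files the parser pulls in. If the exporter config is trusted operator input, say so in a comment next to `new File(path)`. Otherwise consider enabling `XMLConstants.FEATURE_SECURE_PROCESSING` on the factory and checking that the XInclude use still works. Separately, the `catch (UnsupportedOperationException e)` also covers `setNamespaceAware(true)`, so the XInclude warning can be misleading; narrowing the `try` to the `setXIncludeAware` call would avoid that.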

Review comment:
*PATH_TRAVERSAL_IN:* This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input [(details)](https://find-sec-bugs.github.io/bugs.htm#PATH_TRAVERSAL_IN)

##########
File path: 
solr/contrib/prometheus-exporter/src/java/org/apache/solr/prometheus/exporter/SolrExporter.java
##########
@@ -214,12 +212,11 @@ public static void main(String[] args) {
     }
   }
 
-  private static MetricsConfiguration loadMetricsConfiguration(Path 
configPath) {
-    try (SolrResourceLoader loader = new 
SolrResourceLoader(configPath.getParent())) {
-      XmlConfigFile config = new XmlConfigFile(loader, 
configPath.getFileName().toString(), null, null);
-      return MetricsConfiguration.from(config);
+  private static MetricsConfiguration loadMetricsConfiguration(String 
configPath) {
+    try {
+      return MetricsConfiguration.from(configPath);
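
Review bot: in `loadMetricsConfiguration`, the parameter changes from `Path` to a raw `String` that is passed unchanged to `MetricsConfiguration.from(configPath)`, so the value is no longer split into `getParent()` and `getFileName()`, and nothing in these lines normalizes it or checks that it names a readable regular file. Keeping the `Path` type up to this call (for example passing `configPath.toAbsolutePath().normalize().toString()`) and failing early with a clear message when the file is missing would make the input flagged by the static analysis explicit. It is also worth confirming that relative XInclude references in the config still resolve against the config file's directory now that `SolrResourceLoader` is no longer involved.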

Review comment:
*PATH_TRAVERSAL_IN:* This API (java/io/File.<init>(Ljava/lang/String;)V) reads a file whose location might be specified by user input [(details)](https://find-sec-bugs.github.io/bugs.htm#PATH_TRAVERSAL_IN)



