sonatype-lift[bot] commented on code in PR #868:
URL: https://github.com/apache/lucene/pull/868#discussion_r866182923


##########
lucene/analysis/kuromoji/src/java/org/apache/lucene/analysis/ja/dict/TokenInfoDictionary.java:
##########
@@ -82,6 +76,25 @@ public TokenInfoDictionary(Path targetMapFile, Path 
posDictFile, Path dictFile,
         () -> Files.newInputStream(fstFile));
   }
 
+  /**
+   * Create a {@link TokenInfoDictionary} from an external resource URL (e.g. 
from Classpath with
+   * {@link ClassLoader#getResource(String)}).
+   *
+   * @param targetMapUrl where to load target map resource
+   * @param posDictUrl where to load POS dictionary resource
+   * @param dictUrl where to load dictionary entries resource
+   * @param fstUrl where to load encoded FST data resource
+   * @throws IOException if resource was not found or broken
+   */
+  public TokenInfoDictionary(URL targetMapUrl, URL posDictUrl, URL dictUrl, 
URL fstUrl)
+      throws IOException {
+    this(
+        () -> targetMapUrl.openStream(),
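Review bot: the SSRF finding on `targetMapUrl.openStream()` only matters if the URL can be influenced by untrusted input, and nothing in this constructor constrains it: any scheme `URL.openStream()` supports (`http:`, `ftp:`, `jar:`, `file:`) is dereferenced, even though the Javadoc frames the parameters as classpath resources obtained from `ClassLoader#getResource(String)`. Either state in the Javadoc that the four URLs must come from trusted configuration, or, if classpath loading is the intended use, take a `ClassLoader` plus resource names instead of raw URLs so the scheme is not caller-chosen.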

Review Comment:
   
*[URLCONNECTION_SSRF_FD](https://find-sec-bugs.github.io/bugs.htm#URLCONNECTION_SSRF_FD):*
This web server request could be used by an attacker to expose internal services and filesystem.

(at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`)
   



##########
lucene/analysis/kuromoji/src/java/org/apache/lucene/analysis/ja/dict/TokenInfoDictionary.java:
##########
@@ -82,6 +76,25 @@ public TokenInfoDictionary(Path targetMapFile, Path 
posDictFile, Path dictFile,
         () -> Files.newInputStream(fstFile));
   }
 
+  /**
+   * Create a {@link TokenInfoDictionary} from an external resource URL (e.g. 
from Classpath with
+   * {@link ClassLoader#getResource(String)}).
+   *
+   * @param targetMapUrl where to load target map resource
+   * @param posDictUrl where to load POS dictionary resource
+   * @param dictUrl where to load dictionary entries resource
+   * @param fstUrl where to load encoded FST data resource
+   * @throws IOException if resource was not found or broken
+   */
+  public TokenInfoDictionary(URL targetMapUrl, URL posDictUrl, URL dictUrl, 
URL fstUrl)
+      throws IOException {
+    this(
+        () -> targetMapUrl.openStream(),
+        () -> posDictUrl.openStream(),
+        () -> dictUrl.openStream(),
+        () -> fstUrl.openStream());
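Review bot: none of the four URLs is null-checked, and because the dereference is deferred into the lambdas, a missing resource surfaces as a `NullPointerException` from inside a supplier on first read rather than at construction. That matters here because the Javadoc recommends `ClassLoader#getResource(String)`, which returns null when the resource is absent, so the `@throws IOException if resource was not found` claim does not hold for that path. Since `this(...)` must be the first statement, the check has to be inline, e.g. `this(Objects.requireNonNull(targetMapUrl, "targetMapUrl")::openStream, ...)`, which evaluates the receiver eagerly and fails fast with a named parameter; alternatively reword `@throws` to cover only open/read failures.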

Review Comment:
   
*[URLCONNECTION_SSRF_FD](https://find-sec-bugs.github.io/bugs.htm#URLCONNECTION_SSRF_FD):*
This web server request could be used by an attacker to expose internal services and filesystem.

(at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`)
   



##########
lucene/analysis/nori/src/java/org/apache/lucene/analysis/ko/dict/TokenInfoDictionary.java:
##########
@@ -89,6 +92,25 @@ public TokenInfoDictionary(Path targetMapFile, Path 
posDictFile, Path dictFile,
         () -> Files.newInputStream(fstFile));
   }
 
+  /**
+   * Create a {@link TokenInfoDictionary} from an external resource URL (e.g. 
from Classpath with
+   * {@link ClassLoader#getResource(String)}).
+   *
+   * @param targetMapUrl where to load target map resource
+   * @param posDictUrl where to load POS dictionary resource
+   * @param dictUrl where to load dictionary entries resource
+   * @param fstUrl where to load encoded FST data resource
+   * @throws IOException if resource was not found or broken
+   */
+  public TokenInfoDictionary(URL targetMapUrl, URL posDictUrl, URL dictUrl, 
URL fstUrl)
+      throws IOException {
+    this(
+        () -> targetMapUrl.openStream(),
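Review bot: style point on the supplier arguments: `() -> targetMapUrl.openStream()` wraps a single no-argument call and reads more cleanly as the method reference `targetMapUrl::openStream` (same for `posDictUrl`, `dictUrl`, `fstUrl`), provided the functional interface expected by `this(...)` admits it. A method reference also evaluates its receiver when the constructor runs, so a null URL is reported at construction instead of on the first read of the dictionary.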

Review Comment:
   
*[URLCONNECTION_SSRF_FD](https://find-sec-bugs.github.io/bugs.htm#URLCONNECTION_SSRF_FD):*
This web server request could be used by an attacker to expose internal services and filesystem.

(at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`)
   



##########
lucene/analysis/nori/src/java/org/apache/lucene/analysis/ko/dict/TokenInfoDictionary.java:
##########
@@ -89,6 +92,25 @@ public TokenInfoDictionary(Path targetMapFile, Path 
posDictFile, Path dictFile,
         () -> Files.newInputStream(fstFile));
   }
 
+  /**
+   * Create a {@link TokenInfoDictionary} from an external resource URL (e.g. 
from Classpath with
+   * {@link ClassLoader#getResource(String)}).
+   *
+   * @param targetMapUrl where to load target map resource
+   * @param posDictUrl where to load POS dictionary resource
+   * @param dictUrl where to load dictionary entries resource
+   * @param fstUrl where to load encoded FST data resource
+   * @throws IOException if resource was not found or broken
+   */
+  public TokenInfoDictionary(URL targetMapUrl, URL posDictUrl, URL dictUrl, 
URL fstUrl)
+      throws IOException {
+    this(
+        () -> targetMapUrl.openStream(),
+        () -> posDictUrl.openStream(),
+        () -> dictUrl.openStream(),
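Review bot: the Javadoc is copied verbatim from the kuromoji `TokenInfoDictionary` and carries the same loose wording: "external resource URL" understates that any URL scheme is accepted, and "@throws IOException if resource was not found or broken" would be clearer as "if a resource cannot be opened or its contents are malformed". Whatever scheme/trust wording and null handling is settled on for the kuromoji constructor should be applied here as well, since the two constructors are otherwise identical.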

Review Comment:
   
*[URLCONNECTION_SSRF_FD](https://find-sec-bugs.github.io/bugs.htm#URLCONNECTION_SSRF_FD):*
This web server request could be used by an attacker to expose internal services and filesystem.

(at-me [in a reply](https://help.sonatype.com/lift/talking-to-lift) with `help` or `ignore`)
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

