rmuir commented on code in PR #11852: URL: https://github.com/apache/lucene/pull/11852#discussion_r997309676
########## lucene/luke/src/java/org/apache/lucene/luke/app/web/LukeWebMain.java: ########## 
@@ -17,31 +17,78 @@ package org.apache.lucene.luke.app.web; +import java.net.InetSocketAddress; import java.util.concurrent.CountDownLatch; +import java.util.HashMap; +import java.util.Map; import org.apache.lucene.luke.app.IndexHandler; import org.apache.lucene.luke.util.LoggerFactory; /** Entry class for web Luke */ -public class LukeWebMain { +public final class LukeWebMain { + + private LukeWebMain() { + } static { LoggerFactory.initGuiLogging(); } public static void main(String[] args) throws Exception { - String index = null; - if (args.length == 2 && args[0].equals("--index")) { - index = args[1]; - } else { - System.err.println("usage: LukeWebMain --index <path-to-index>"); - Runtime.getRuntime().exit(1); + Map<String, Object> parsed = null; + try { + parsed = parseArgs(args); + } catch (Exception e) { + usage(e.getMessage()); } - IndexHandler indexHandler = IndexHandler.getInstance(); - indexHandler.open(index, "org.apache.lucene.store.FSDirectory", true, true, false); + indexHandler.open(getIndex(parsed), "org.apache.lucene.store.FSDirectory", true, true, false); CountDownLatch tombstone = new CountDownLatch(1); - HttpService httpService = new HttpService(indexHandler, tombstone); + HttpService httpService = new HttpService(getSockAddr(parsed), indexHandler, tombstone); httpService.start(); tombstone.await(); } + + private static String getIndex(Map<String, Object> args) { + String index = (String) args.get("index"); + if (index == null) { + usage("index arg is required"); + } + return index; + } + + private static InetSocketAddress getSockAddr(Map<String, Object> args) { + String host = (String) args.get("host"); + int port = (Integer) args.getOrDefault("port", 8080); + if (host == null) { + return new InetSocketAddress(port); Review Comment: sorry maybe i'm unclear. i just dont think we should allow anything except localhost. 
please, let's avoid security issues of the fact that such a thing could read any file on the system (maybe /etc/passwd) and even leak shit about non-indexes via exceptions. or that it wouldn't have any TLS at all leaving it vulnerable to anything in-flight. or that it wouldn't have authentication, etc. we could always "open it up" later if we want to do that, but I really think there is value in not attaching ourselves to the network. again, if someone wants, they can place reverse proxy in front of it that will handle all these things better (TLS, auth, request filtering, rate-limiting, DDOS, ...)
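Review bot: In `main`, the `catch` around `parseArgs(args)` only calls `usage(e.getMessage())`, so `parsed` is still `null` when `getIndex(parsed)` runs in the next statement; that is safe only if `usage`, which is not visible in this hunk, always terminates the JVM. Making the exit explicit at the call site, e.g. `usage(e.getMessage()); return;`, removes that hidden dependency, and the same concern applies to the `index == null` branch in `getIndex`. In `getSockAddr`, `(Integer) args.getOrDefault("port", 8080)` is an unchecked cast with no range check, so unless `parseArgs` already validates the value, a bad port surfaces as a `ClassCastException` or as the `IllegalArgumentException` thrown by `new InetSocketAddress(port)` rather than as a usage message; a guard such as `if (port < 0 || port > 65535) usage("port out of range");` before constructing the address would cover it. `getSockAddr` continues past the end of the quoted hunk, so the `host != null` path is not reviewed here.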