Comments (2)
Hello @SunnyBoy-WYH!
I'm Dosu, a friendly bot here to assist you with your issues while we wait for a human maintainer. Whether it's solving bugs, answering your questions, or helping you become a contributor, I'm here to help! Let's work together to get your issue resolved.
Based on the information you've provided, it seems like the ThreadLocal variable `CONTEXTS` is used to store context information for each thread. This context information includes user data, which is set before a task is executed and is supposed to be reset after the task is done.
The potential security issue you've mentioned could arise if the `resetContext()` method is not called after a request is finished. In a multi-threaded environment like a web server, threads are often reused across different requests. If a ThreadLocal variable is not properly cleaned up after serving a request, the data stored in the variable might be exposed to and misused by other requests processed by the same thread later. This could lead to data leakage or incorrect behavior.
Here is the relevant code:

```java
private static final ThreadLocal<String> CONTEXTS = new ThreadLocal<>();

protected static void setContext(String context) {
    CONTEXTS.set(context);
}

protected static void resetContext() {
    CONTEXTS.remove();
}

public static String getContext() {
    return CONTEXTS.get();
}

public static class ContextCallable<V> implements Callable<V> {

    private final Callable<V> callable;
    private final String context;

    public ContextCallable(Callable<V> callable) {
        E.checkNotNull(callable, "callable");
        this.context = getContext();
        this.callable = callable;
    }

    @Override
    public V call() throws Exception {
        setContext(this.context);
        try {
            return this.callable.call();
        } finally {
            resetContext();
        }
    }
}
```
In the `call()` method of `ContextCallable`, the context is set at the beginning of the method and reset at the end. This ensures that the context is properly cleaned up after the method is finished, preventing the potential security issue.
As for the TODO comment related to ThreadLocal, without the specific comment or the relevant code, it's hard to provide any specific information or context about it. If you could provide the exact comment or the relevant code, I might be able to give a more precise answer.
For more information, you can refer to the following sources:
- hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeGraphAuthProxy.java
- hugegraph-server/hugegraph-core/src/main/java/org/apache/hugegraph/task/TaskManager.java
- hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/auth/HugeAuthenticator.java
I hope this helps! If you have any more questions or need further clarification, feel free to ask.
-Dosu
@SunnyBoy-WYH maybe we should unset in a rest filter, like LoadReleaseFilter
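The leak described in the bot's reply and the try/finally reset that both `ContextCallable` and a REST filter would apply, as an added stand-alone example (not code from hugegraph; the `CONTEXTS` helpers below are a simplified stand-in for the project's, and the `withContext` wrapper and `user=...` strings are assumed):

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class ThreadLocalLeakDemo {
    // Simplified stand-in for CONTEXTS in HugeGraphAuthProxy (assumption, not the project's code).
    private static final ThreadLocal<String> CONTEXTS = new ThreadLocal<>();

    static void setContext(String ctx) { CONTEXTS.set(ctx); }
    static void resetContext() { CONTEXTS.remove(); }
    static String getContext() { return CONTEXTS.get(); }

    /** Same shape as ContextCallable.call() or a filter's doFilter(): reset always runs. */
    static <V> Callable<V> withContext(String ctx, Callable<V> task) {
        return () -> {
            setContext(ctx);
            try {
                return task.call();
            } finally {
                resetContext();   // executed even when task throws
            }
        };
    }

    public static void main(String[] args) throws Exception {
        // One worker thread, so every task reuses it, like a pooled web-server thread.
        ExecutorService pool = Executors.newSingleThreadExecutor();
        Callable<String> readContext = () -> getContext();   // simulates the next request
        try {
            // 1. Leaky request: sets the user context but never calls resetContext().
            pool.submit(() -> { setContext("user=admin"); return null; }).get();
            // 2. The next request on the same thread inherits the stale context.
            String leaked = pool.submit(readContext).get();
            System.out.println("without reset : " + leaked);   // prints user=admin (leak)

            // 3. Clear the stale value, then run a request through the resetting wrapper.
            pool.submit(() -> { resetContext(); return null; }).get();
            pool.submit(withContext("user=alice", readContext)).get();
            String clean = pool.submit(readContext).get();
            System.out.println("with reset    : " + clean);    // prints null (no leak)
        } finally {
            pool.shutdown();
        }
    }
}
```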