Skip to content

[branch-4.1][fix](security) Add auth and config gate for _stream_load_forward endpoint#65377

Open
liaoxin01 wants to merge 1 commit into
apache:branch-4.1from
liaoxin01:codex/pick-64935-to-branch-4.1
Open

[branch-4.1][fix](security) Add auth and config gate for _stream_load_forward endpoint#65377
liaoxin01 wants to merge 1 commit into
apache:branch-4.1from
liaoxin01:codex/pick-64935-to-branch-4.1

Conversation

@liaoxin01

Copy link
Copy Markdown
Contributor

Pick #64935

…point (apache#64935)

- **SSRF fix**: `_stream_load_forward` BE endpoint was registered
unconditionally without authentication, allowing unauthenticated SSRF
attacks
- Add BE config `enable_group_commit_streamload_be_forward` (default
`false`) to gate endpoint registration, matching the existing FE config
name
Copilot AI review requested due to automatic review settings July 8, 2026 10:05
@liaoxin01 liaoxin01 requested a review from yiguolei as a code owner July 8, 2026 10:05
@hello-stephen

Copy link
Copy Markdown
Contributor

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

  1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
  2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
  3. What features were added. Why was this function added?
  4. Which code was refactored and why was this part of the code refactored?
  5. Which functions were optimized and what is the difference before and after the optimization?

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR backports a security fix to the BE _stream_load_forward endpoint by adding an explicit BE-side config gate and wiring the endpoint into the existing HTTP auth framework, aligning it with cloud group-commit forwarding behavior.

Changes:

  • Gate /api/{db}/{table}/_stream_load_forward behind enable_group_commit_streamload_be_forward (default false) in BE.
  • Require HTTP auth for the forward handler by converting it to HttpHandlerWithAuth and passing ExecEnv from HttpService.
  • Update the regression test cluster config to enable the feature flag on both FE and BE.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
regression-test/suites/load_p0/stream_load/test_group_commit_redirect.groovy Enables the new BE config gate in the regression test cluster setup.
be/src/service/http/action/stream_load_forward_handler.h Switches the handler base class to HttpHandlerWithAuth and adds an ExecEnv* constructor.
be/src/service/http/action/stream_load_forward_handler.cpp Adds the runtime config gate and calls the auth hook in on_header.
be/src/service/http_service.cpp Constructs the forward handler with _env (required for auth).
be/src/common/config.h Declares the new BE config enable_group_commit_streamload_be_forward.
be/src/common/config.cpp Defines the new BE config with default false.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread be/src/service/http/action/stream_load_forward_handler.cpp
Comment thread be/src/service/http/action/stream_load_forward_handler.h
@liaoxin01

Copy link
Copy Markdown
Contributor Author

run buildall

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants