fix: fix inconsistent naming pattern#2945
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #2945 +/- ##
============================================
- Coverage 36.80% 31.96% -4.85%
- Complexity 338 500 +162
============================================
Files 805 816 +11
Lines 68587 69738 +1151
Branches 9029 9226 +197
============================================
- Hits 25241 22289 -2952
- Misses 40653 44972 +4319
+ Partials 2693 2477 -216 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Pull request overview
This PR enhances security for Arthas debugging endpoints by restricting remote access and standardizing configuration naming patterns across the codebase.
Changes:
- Added localhost-only access restriction to the store node's arthasstart endpoint
- Standardized Arthas configuration property names from snake_case to camelCase (e.g.,
arthas.telnet_port→arthas.telnetPort) - Changed default Arthas IP binding from
0.0.0.0to127.0.0.1and expanded disabled commands to includejad,ognl,vmtool
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| hugegraph-store/hg-store-node/src/main/resources/application.yml | Added Arthas configuration with localhost-only IP binding and expanded disabled commands |
| hugegraph-store/hg-store-node/src/main/java/org/apache/hugegraph/store/node/controller/PartitionAPI.java | Added remote access check to arthasstart endpoint and new forbiddenMap helper method |
| hugegraph-store/hg-store-node/src/main/java/org/apache/hugegraph/store/node/AppConfig.java | Updated default values for Arthas IP and disabled commands |
| hugegraph-server/hugegraph-dist/src/assembly/static/conf/rest-server.properties | Renamed Arthas properties to camelCase and updated default values |
| hugegraph-server/hugegraph-api/src/main/java/org/apache/hugegraph/config/ServerOptions.java | Updated default values for Arthas IP binding and disabled commands |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Due to the lack of activity, the current pr is marked as stale and will be closed after 180 days, any update will remove the stale label |
VGalaxies
left a comment
There was a problem hiding this comment.
Review summary
- Blocking: yes
- Summary: A success path can now throw while constructing the response because nullable payloads are passed into
Map.of(). - Evidence:
- Static review of
git diff origin/master...HEADandPartitionAPI.ok(...).
- Static review of
imbajin
left a comment
There was a problem hiding this comment.
Blocking: yes. Summary: Two current-head issues remain: the new admin role guard does not protect /arthas in the default no-auth configuration, and the store distribution config does not expose the newly added Arthas settings. Evidence: static review of the PR diff at head 4f3bfab plus current source for AuthenticationFilter, GraphManager, HugeAuthenticator, and store assembly config.
| @Path("arthas") | ||
| @Singleton | ||
| @Tag(name = "ArthasAPI") | ||
| @RolesAllowed("admin") |
There was a problem hiding this comment.
Blocking: yes. Summary: This annotation does not protect PUT /arthas in the default no-auth configuration because anonymous requests are treated as admin. Please add an explicit localhost/no-auth guard here, or require authentication before calling ArthasAgent.attach(...). Evidence: GraphManager.requireAuthentication() returns false when no authenticator is configured; AuthenticationFilter.authenticate() then returns User.ANONYMOUS; HugeAuthenticator.User.ANONYMOUS is constructed with ROLE_ADMIN.
| level: | ||
| root: info | ||
|
|
||
| arthas: |
There was a problem hiding this comment.
Blocking: no. Summary: These node-resource Arthas defaults are not reflected in the store distribution config, so packaged users will not see or tune the new settings in conf/application.yml. Please add the same arthas section to hugegraph-store/hg-store-dist/src/assembly/static/conf/application.yml. Evidence: the store assembly includes ${assembly.static.dir}/conf, and start-hugegraph-store.sh loads ${CONF}/application.yml; the dist application.yml currently ends at the logging section without any arthas keys.
VGalaxies
left a comment
There was a problem hiding this comment.
Review summary
- Blocking: yes
- Summary: The localhost restriction remains proxy-bypassable; existing response and configuration compatibility concerns are already covered by current-head comments.
- Evidence:
- Static comparison via
git diff origin/master...HEAD,git show origin/master:<path>, and repository-widerg git diff --check origin/master...HEADpassed
- Static comparison via
| // NOTE: If behind a reverse proxy (e.g., Nginx), getRemoteAddr() returns the proxy's IP. | ||
| // Ensure the proxy is configured to block untrusted external access. | ||
| String remoteAddr = getCleanIp(request.getRemoteAddr()); | ||
| boolean isLocalRequest = |
There was a problem hiding this comment.
High: Local proxies bypass the localhost restriction
hugegraph-store/hg-store-node/src/main/java/org/apache/hugegraph/store/node/controller/PartitionAPI.java:200
Evidence
getRemoteAddr()identifies the immediate peer, so an external request forwarded by a same-host reverse proxy appears as127.0.0.1and reachesArthasAgent.attach()at line 213. No authentication interceptor or security configuration exists inhg-store-node.
Impact
- Remote callers can still trigger dynamic agent attachment in a common reverse-proxy deployment despite the endpoint claiming localhost-only access.
Requested fix
- Do not use peer IP as the sole authorization boundary; require authenticated administrative access or expose this endpoint through a separate listener explicitly bound to loopback.
Currently, the configuration keys in rest-server.properties use snake_case (e.g., server_port), which is inconsistent with the naming convention expected by ServerOptions.java. This mismatch causes the following issues:
Terminal logs show warnings such as: "arthas.xxxx is redundant ...", indicating that the properties are not being recognized or registered.


