Do not use external input in format strings (#9665)

https://lgtm.com/rules/7900080/
Suneet Saldanha 2020-04-10 10:46:04 -07:00 committed by GitHub
parent bd1cff24a2
commit 22d3eed80c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 10 additions and 11 deletions


@ -37,6 +37,7 @@ public class DefaultBasicAuthenticatorResourceHandler implements BasicAuthentica
{
private static final Logger log = new Logger(DefaultBasicAuthenticatorResourceHandler.class);
private static final Response NOT_FOUND_RESPONSE = Response.status(Response.Status.NOT_FOUND).build();
private static final String UNKNOWN_AUTHENTICATOR_MSG_FORMAT = "Received user update for unknown authenticator[%s]";
private final BasicAuthenticatorCacheManager cacheManager;
private final Map<String, BasicHTTPAuthenticator> authenticatorMap;
@ -113,12 +114,11 @@ public class DefaultBasicAuthenticatorResourceHandler implements BasicAuthentica
{
final BasicHTTPAuthenticator authenticator = authenticatorMap.get(authenticatorName);
if (authenticator == null) {
String errMsg = StringUtils.format("Received user update for unknown authenticator[%s]", authenticatorName);
log.error(errMsg);
log.error(UNKNOWN_AUTHENTICATOR_MSG_FORMAT, authenticatorName);
return Response.status(Response.Status.BAD_REQUEST)
.entity(ImmutableMap.<String, Object>of(
"error",
StringUtils.format(errMsg)
StringUtils.format(UNKNOWN_AUTHENTICATOR_MSG_FORMAT, authenticatorName)
))
.build();
}
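Review bot: `authenticatorName` still reaches `log.error(UNKNOWN_AUTHENTICATOR_MSG_FORMAT, authenticatorName)` unmodified, so a name containing CR or LF can split one log entry into several lines that look like separate records. Passing it as an argument fixes only the format-specifier problem. Assuming the name comes from the request (the commit title suggests it does), neutralise line breaks first, e.g. `final String safeName = authenticatorName.replaceAll("[\\r\\n]", "_");`, and pass `safeName` to both `log.error` and `StringUtils.format`. The same applies to `authorizerName` in both DefaultBasicAuthorizerResourceHandler hunks and, if `dataSource` is caller-supplied, to the two `log.error` calls in SQLMetadataRuleManager. The enclosing method starts and ends outside the hunk.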


@ -39,6 +39,7 @@ public class DefaultBasicAuthorizerResourceHandler implements BasicAuthorizerRes
{
private static final Logger log = new Logger(DefaultBasicAuthorizerResourceHandler.class);
private static final Response NOT_FOUND_RESPONSE = Response.status(Response.Status.NOT_FOUND).build();
private static final String UNKNOWN_AUTHORIZER_MSG_FORMAT = "Received update for unknown authorizer[%s]";
private final BasicAuthorizerCacheManager cacheManager;
private final Map<String, BasicRoleBasedAuthorizer> authorizerMap;
@ -196,12 +197,11 @@ public class DefaultBasicAuthorizerResourceHandler implements BasicAuthorizerRes
{
final BasicRoleBasedAuthorizer authorizer = authorizerMap.get(authorizerName);
if (authorizer == null) {
String errMsg = StringUtils.format("Received update for unknown authorizer[%s]", authorizerName);
log.error(errMsg);
log.error(UNKNOWN_AUTHORIZER_MSG_FORMAT, authorizerName);
return Response.status(Response.Status.BAD_REQUEST)
.entity(ImmutableMap.<String, Object>of(
"error",
StringUtils.format(errMsg)
StringUtils.format(UNKNOWN_AUTHORIZER_MSG_FORMAT, authorizerName)
))
.build();
}
@ -215,12 +215,11 @@ public class DefaultBasicAuthorizerResourceHandler implements BasicAuthorizerRes
{
final BasicRoleBasedAuthorizer authorizer = authorizerMap.get(authorizerName);
if (authorizer == null) {
String errMsg = StringUtils.format("Received update for unknown authorizer[%s]", authorizerName);
log.error(errMsg);
log.error(UNKNOWN_AUTHORIZER_MSG_FORMAT, authorizerName);
return Response.status(Response.Status.BAD_REQUEST)
.entity(ImmutableMap.<String, Object>of(
"error",
StringUtils.format(errMsg)
StringUtils.format(UNKNOWN_AUTHORIZER_MSG_FORMAT, authorizerName)
))
.build();
}
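Review bot: The unknown-authorizer branch is repeated line for line in the hunks at -196 and -215, and each copy formats the same message twice, once inside `log.error` and once through `StringUtils.format` for the response entity. A private helper that formats the message once and returns the BAD_REQUEST response would guarantee the logged text and the text sent to the client stay identical, and would give one place to add any later neutralisation of the name. Both enclosing methods start and end outside the hunks, so the helper name below is only a suggestion.

```java
private static Response unknownAuthorizerResponse(String authorizerName)
{
  // Format once so the log entry and the response body cannot drift apart.
  final String msg = StringUtils.format(UNKNOWN_AUTHORIZER_MSG_FORMAT, authorizerName);
  log.error("%s", msg);
  return Response.status(Response.Status.BAD_REQUEST)
                 .entity(ImmutableMap.<String, Object>of("error", msg))
                 .build();
}

// … unchanged: authorizerMap.get(authorizerName) lookup in each method …
if (authorizer == null) {
  return unknownAuthorizerResponse(authorizerName);
}
```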


@ -408,7 +408,7 @@ public class SQLMetadataRuleManager implements MetadataRuleManager
);
}
catch (Exception e) {
log.error(e, StringUtils.format("Exception while overriding rule for %s", dataSource));
log.error(e, "Exception while overriding rule for %s", dataSource);
return false;
}
}
@ -416,7 +416,7 @@ public class SQLMetadataRuleManager implements MetadataRuleManager
poll();
}
catch (Exception e) {
log.error(e, StringUtils.format("Exception while polling for rules after overriding the rule for %s", dataSource));
log.error(e, "Exception while polling for rules after overriding the rule for %s", dataSource);
}
return true;
}