Skip to content

[SECURITY] Remove public documentation of auth bypass in Knife4jConfig#5459

Merged
casionone merged 1 commit into
apache:masterfrom
aiceflower:fix-remove-bypass-docs-in-knife4jconfig
Jul 16, 2026
Merged

[SECURITY] Remove public documentation of auth bypass in Knife4jConfig#5459
casionone merged 1 commit into
apache:masterfrom
aiceflower:fix-remove-bypass-docs-in-knife4jconfig

Conversation

@aiceflower

Copy link
Copy Markdown
Member

Summary

The Knife4jConfig scaladoc comment explicitly instructed readers to set dataworkcloud_inner_request=true (plus a forged ticket value) in their browser cookies to access protected API docs. This constituted public documentation of the bypass mechanism.

Changes

  • Removed bypass instructions referencing dataworkcloud_inner_request=true cookie
  • Removed unsafe wds.linkis.test.mode=true suggestion
  • Added security notice explaining the cookie is reserved for internal forwarding and rejected from non-internal IPs

Affected files

  • linkis-commons/linkis-module/.../Knife4jConfig.scala (+7/-7, comment-only)

Deployment impact

None — documentation-only change.

🤖 Generated with Claude Code

… from Knife4jConfig

The Knife4jConfig scaladoc literally instructed readers to set
dataworkcloud_inner_request=true (plus a forged ticket value) in their
browser cookies to access protected API docs. This constituted public
documentation of the bypass mechanism.

This commit removes the bypass instructions and the unsafe
wds.linkis.test.mode suggestion. Replaces them with a safe
wds.linkis.server.user.restful.uri.pass.auth whitelist approach
and a security notice.

Reported-by: Strick Sheng, Liyi Zhou, Ziyue, Maurice, Chenchen
#AI COMMIT#

@casionone casionone left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@casionone
casionone merged commit 6ffa698 into apache:master Jul 16, 2026
4 of 11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants