fix: insecure default behavior in SslClientAuth.forConfig#21888
Open
zendy199x wants to merge 1 commit into apache:trunk from
Conversation
Contributor
Pull request overview
Updates SSL client-auth configuration parsing to avoid returning null for unrecognized values.
Changes:
- Change SslClientAuth.forConfig to return SslClientAuth.NONE instead of null when the key does not match any known enum value.
- update clients/src/main/java/org/apache/kafka/common/config/SslClientAuth.java
- address 1 review comment(s)
Signed-off-by: Zendy <50132805+zendy199x@users.noreply.github.com>
24ae0f7 to 2bbe3d5
fix: insecure default behavior in SslClientAuth.forConfig
The forConfig method returns null when an invalid configuration key is provided, instead of throwing an exception or using a default value. This could lead to unexpected behavior or misconfiguration in SSL client authentication settings, where a null value might be silently ignored or cause downstream failures. It's a security risk because misconfigured SSL settings could weaken the security posture.

Suggestion: Throw an IllegalArgumentException or return a default value (e.g., SslClientAuth.NONE) when the input key is invalid, ensuring that misconfigurations are caught early and explicitly handled.

Files changed: clients/src/main/java/org/apache/kafka/common/config/SslClientAuth.java (modified)

Commit message: fix(security): insecure default behavior in sslclientauth.forconfig
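The behaviour discussed in the review comment and the PR description, reduced to a stand-alone model so the three options can be compared side by side. This is an added example, not the Kafka SslClientAuth class and not the PR's diff: the enum name SslClientAuthExample, the method names forConfigNullable / forConfigDefaulting / forConfigStrict, the clientCertRequired helper and the misspelled input "requried" are all assumptions made for illustration. The point worth seeing is the caveat a reviewer would raise against the PR's chosen fix: mapping an unrecognised value to NONE means a typo in `required` silently turns client-certificate authentication off, whereas the IllegalArgumentException alternative fails closed at startup.

```java
import java.util.Locale;
import java.util.Objects;

/**
 * Example model of an SslClientAuth-style enum (not the Kafka class).
 *   forConfigNullable   - the pre-fix shape described in the PR: null for unknown keys
 *   forConfigDefaulting - the PR's change: unknown keys fall back to NONE
 *   forConfigStrict     - fail-closed alternative: unknown keys are rejected
 */
public enum SslClientAuthExample {
    REQUIRED, REQUESTED, NONE;

    // Pre-fix shape: a null key is treated as NONE, an unrecognised key yields null.
    public static SslClientAuthExample forConfigNullable(String key) {
        if (key == null) return NONE;
        String upper = key.toUpperCase(Locale.ROOT);
        for (SslClientAuthExample auth : values()) {
            if (auth.name().equals(upper)) return auth;
        }
        return null;
    }

    // The PR's approach: anything unrecognised becomes NONE, i.e. no client auth.
    public static SslClientAuthExample forConfigDefaulting(String key) {
        SslClientAuthExample auth = forConfigNullable(key);
        return auth == null ? NONE : auth;
    }

    // Fail-closed alternative: a misspelled value cannot weaken the setting.
    public static SslClientAuthExample forConfigStrict(String key) {
        SslClientAuthExample auth = forConfigNullable(key);
        if (auth == null) {
            throw new IllegalArgumentException("Invalid ssl.client.auth value '" + key
                + "'; expected one of REQUIRED, REQUESTED, NONE");
        }
        return auth;
    }

    // Typical downstream use: does the server insist on a client certificate?
    public static boolean clientCertRequired(SslClientAuthExample auth) {
        Objects.requireNonNull(auth, "ssl.client.auth resolved to null");
        return auth == REQUIRED;
    }

    public static void main(String[] args) {
        // Constructed inputs; "requried" is a deliberate typo of "required".
        String[] inputs = {"required", "Requested", "none", null, "requried"};
        for (String in : inputs) {
            System.out.println("input=" + in);
            System.out.println("  nullable   -> " + forConfigNullable(in));
            System.out.println("  defaulting -> " + forConfigDefaulting(in));
            try {
                System.out.println("  strict     -> " + forConfigStrict(in));
            } catch (IllegalArgumentException e) {
                System.out.println("  strict     -> rejected: " + e.getMessage());
            }
        }

        // What the typo does to the caller under each strategy.
        try {
            clientCertRequired(forConfigNullable("requried"));
        } catch (NullPointerException e) {
            // Pre-fix: the error surfaces late, at the point of use.
            System.out.println("nullable: " + e.getMessage());
        }
        // PR's fix: the typo resolves to NONE, so the check reports that no client
        // certificate is required and the broker runs without mutual TLS.
        System.out.println("defaulting: client cert required? "
            + clientCertRequired(forConfigDefaulting("requried")));
        // Strict variant: the same typo is rejected in forConfigStrict above.
    }
}
```

Run with `javac SslClientAuthExample.java && java SslClientAuthExample`. The strict variant is the one to prefer wherever the value comes from operator-supplied configuration: rejecting the value at parse time costs a restart, while defaulting to NONE costs the client-certificate check.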