-
Notifications
You must be signed in to change notification settings - Fork 35
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add geojson support for XYPoint #162
Conversation
Description has to be changed to xy_point not geo_point :) |
Copy&Paste error. Thanks! |
throws IOException { | ||
try (XContentSubParser subParser = new XContentSubParser(parser)) { | ||
if (subParser.nextToken() != XContentParser.Token.FIELD_NAME) { | ||
throw new OpenSearchParseException(ERR_MSG_INVALID_TOKEN, subParser.currentToken()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it's not safe to return user input as part of the output, learned from the last pentest. I suggest minimize error message to just "token not allowed" and add logger with all required details.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you share what security risk this might contain?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sure, in my report they have call it "User Input Reflected on Error" and marked it as "Medium" severity
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @martin-gaievski . subParser.currentToken() is not random user input. It is enum defined in XContentParser.Token. So, I think there is no security risk returning it.
|
||
private static XYPoint parseGeoPointObjectBasicFields(final XContentParser parser, final XYPoint point) throws IOException { | ||
HashMap<String, Double> data = new HashMap<>(); | ||
for (int i = 0; i < 2; i++) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
better introduce/use constant IMO
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This number is specific to this method. Let me use variable instead to make its meaning to be explicit.
if (parser.currentToken() == XContentParser.Token.START_ARRAY) { | ||
return parseXYPointArray(parser, ignoreZValue, x, y); | ||
String field = parser.currentName(); | ||
if (X_PARAMETER.equals(field) == false && Y_PARAMETER.equals(field) == false) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I assume syntax with "==" is for better readability, correct?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. OpenSearch's standard convention is avoiding negation like !X_PARAMETER.equals(field)
try { | ||
data.put(field, parser.doubleValue(true)); | ||
} catch (NumberFormatException e) { | ||
throw new OpenSearchParseException("[{}] and [{}] must be valid double values", e, X_PARAMETER, Y_PARAMETER); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Wouldn't it be consistent to create anew constant for error message here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The message is used only in this method. I don't think it is worth to make is as a constant?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm leaving it up to you, but I would make it a constant anyway. From my experience it helps to avoid creating multiple identical messages with slightly different wording. If all messages are in one place chance is higher that next person will reuse one from the list.
src/main/java/org/opensearch/geospatial/index/mapper/xypoint/XYPointParser.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/geospatial/index/mapper/xypoint/XYPointParser.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/geospatial/index/mapper/xypoint/XYPointParser.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/geospatial/index/mapper/xypoint/XYPointParser.java
Outdated
Show resolved
Hide resolved
src/main/java/org/opensearch/geospatial/index/mapper/xypoint/XYPointParser.java
Show resolved
Hide resolved
src/main/java/org/opensearch/geospatial/index/mapper/xypoint/XYPointParser.java
Show resolved
Hide resolved
src/main/java/org/opensearch/geospatial/index/mapper/xypoint/XYPointParser.java
Outdated
Show resolved
Hide resolved
Signed-off-by: Heemin Kim <heemin@amazon.com>
Signed-off-by: Heemin Kim <heemin@amazon.com>
b46c3b6
to
a724add
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor comment.
src/main/java/org/opensearch/geospatial/index/mapper/xypoint/XYPointParser.java
Outdated
Show resolved
Hide resolved
5b92ffd
to
b86c3c0
Compare
Signed-off-by: Heemin Kim <heemin@amazon.com>
The backport to
To backport manually, run these commands in your terminal: # Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.x 2.x
# Navigate to the new working tree
cd .worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-162-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 63c97b083f137a035563710c67c57fc23b9493f4
# Push it to GitHub
git push --set-upstream origin backport/backport-162-to-2.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.x Then, create a pull request where the |
* Add geojson support for XYPoint Signed-off-by: Heemin Kim <heemin@amazon.com> (cherry picked from commit 63c97b0)
See #152
Signed-off-by: Heemin Kim heemin@amazon.com
Description
Supports GeoJson Point type in XYPoint field
Issues Resolved
#152
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.