MINOR: Clarify components not considered for security issues#22048
Merged
mimaison merged 1 commit intoapache:trunkfrom Apr 14, 2026
Merged
MINOR: Clarify components not considered for security issues#22048mimaison merged 1 commit intoapache:trunkfrom
mimaison merged 1 commit intoapache:trunkfrom
Conversation
jlprat
approved these changes
Apr 14, 2026
Contributor
jlprat
left a comment
jlprat
left a comment
There was a problem hiding this comment.
Thanks, LGTM I just have a tiny nitpick but feel free to merge anyway
| * | ||
| * <p><b>NOTE: This implementation is NOT intended to be used in production since the credentials are stored in PLAINTEXT in the | ||
| * properties file.</b> | ||
| * properties file. For this reason, Apache Kafka project does not consider this a security issue.</b> |
Contributor
There was a problem hiding this comment.
Nitpick, you can close the p tag started 2 lines up. I know this was already broken but semantically it makes it better
Member
Author
There was a problem hiding this comment.
I think the javadoc spec allows to omit the closing tags for a few elements including p
Contributor
There was a problem hiding this comment.
It will work absolutely, it's just a nit from my times writing HTML code
jlprat
reviewed
Apr 14, 2026
| /** | ||
| * Security note: While it seems it possible to build a deserialization gadget to obtain RCE via | ||
| * FileOffsetBackingStore, it requires having write permissions on the filesystem of the Connect worker. | ||
| * For that reason the Apache Kafka project does not consider this a security issue. |
Contributor
There was a problem hiding this comment.
Similarly, if you want the break lines shown in javadoc you can either add p elements or br ones
nileshkumar3
pushed a commit
to nileshkumar3/kafka
that referenced
this pull request
Apr 15, 2026
…22048) The Apache Kafka project regularly receives, and rejects, security reports for these components. Add notes explaining why the project don't consider these as security issues. This will hopefully reduce the number of duplicate reports we receive or at least give us something we can point reporters to. Reviewers: Luke Chen <showuon@gmail.com>, Josep Prat <josep.prat@aiven.io>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The Apache Kafka project regularly receives, and rejects, security
reports for these components. Add notes explaining why the project don't
consider these as security issues. This will hopefully reduce the number
of duplicate reports we receive or at least give us something we can
point reporters to.
Reviewers: Luke Chen showuon@gmail.com, Josep Prat
josep.prat@aiven.io