From 2e644ce2ece66d14ceb4fe73b6dcfad0b2d1b297 Mon Sep 17 00:00:00 2001 From: Akanksha Kedia Date: Mon, 11 May 2026 10:59:17 +0530 Subject: [PATCH 1/2] Fix NPE in StaticTokenAuthProvider and UrlAuthProvider when required config property is missing Both constructors that accept an AuthConfig called .toString() directly on the result of authConfig.getProperties().get(...) without a null check. If the required property (token or url) is absent from the config, this throws a NullPointerException with no useful context. Replace the implicit null deref with an explicit null check that throws an IllegalArgumentException naming the missing property, giving operators a clear error message. --- .../apache/pinot/common/auth/StaticTokenAuthProvider.java | 6 +++++- .../java/org/apache/pinot/common/auth/UrlAuthProvider.java | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/pinot-common/src/main/java/org/apache/pinot/common/auth/StaticTokenAuthProvider.java b/pinot-common/src/main/java/org/apache/pinot/common/auth/StaticTokenAuthProvider.java index 2f4b0f1845b2..a01f61dd7937 100644 --- a/pinot-common/src/main/java/org/apache/pinot/common/auth/StaticTokenAuthProvider.java +++ b/pinot-common/src/main/java/org/apache/pinot/common/auth/StaticTokenAuthProvider.java @@ -43,7 +43,11 @@ public StaticTokenAuthProvider(String token) { public StaticTokenAuthProvider(AuthConfig authConfig) { String header = AuthProviderUtils.getOrDefault(authConfig, HEADER, HttpHeaders.AUTHORIZATION); String prefix = AuthProviderUtils.getOrDefault(authConfig, PREFIX, "Basic"); - String userToken = authConfig.getProperties().get(TOKEN).toString(); + Object tokenValue = authConfig.getProperties().get(TOKEN); + if (tokenValue == null) { + throw new IllegalArgumentException("Missing required auth config property: " + TOKEN); + } + String userToken = tokenValue.toString(); _taskToken = makeToken(prefix, userToken); _requestHeaders = Collections.singletonMap(header, _taskToken); diff --git a/pinot-common/src/main/java/org/apache/pinot/common/auth/UrlAuthProvider.java b/pinot-common/src/main/java/org/apache/pinot/common/auth/UrlAuthProvider.java index 721a7435526f..654e2f756580 100644 --- a/pinot-common/src/main/java/org/apache/pinot/common/auth/UrlAuthProvider.java +++ b/pinot-common/src/main/java/org/apache/pinot/common/auth/UrlAuthProvider.java @@ -57,7 +57,11 @@ public UrlAuthProvider(AuthConfig authConfig) { try { _header = AuthProviderUtils.getOrDefault(authConfig, HEADER, HttpHeaders.AUTHORIZATION); _prefix = AuthProviderUtils.getOrDefault(authConfig, PREFIX, "Bearer"); - _url = new URL(authConfig.getProperties().get(URL).toString()); + Object urlValue = authConfig.getProperties().get(URL); + if (urlValue == null) { + throw new IllegalArgumentException("Missing required auth config property: " + URL); + } + _url = new URL(urlValue.toString()); } catch (MalformedURLException e) { throw new IllegalArgumentException(e); } From 425509f44f86c77f690b1ca4801de20dab483622 Mon Sep 17 00:00:00 2001 From: Akanksha Kedia Date: Tue, 12 May 2026 09:43:07 +0530 Subject: [PATCH 2/2] nit: move urlValue null check outside the try block in UrlAuthProvider --- .../apache/pinot/common/auth/UrlAuthProvider.java | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/pinot-common/src/main/java/org/apache/pinot/common/auth/UrlAuthProvider.java b/pinot-common/src/main/java/org/apache/pinot/common/auth/UrlAuthProvider.java index 654e2f756580..ee329a9e7693 100644 --- a/pinot-common/src/main/java/org/apache/pinot/common/auth/UrlAuthProvider.java +++ b/pinot-common/src/main/java/org/apache/pinot/common/auth/UrlAuthProvider.java @@ -54,13 +54,13 @@ public UrlAuthProvider(String url) { } public UrlAuthProvider(AuthConfig authConfig) { + _header = AuthProviderUtils.getOrDefault(authConfig, HEADER, HttpHeaders.AUTHORIZATION); + _prefix = AuthProviderUtils.getOrDefault(authConfig, PREFIX, "Bearer"); + Object urlValue = authConfig.getProperties().get(URL); + if (urlValue == null) { + throw new IllegalArgumentException("Missing required auth config property: " + URL); + } try { - _header = AuthProviderUtils.getOrDefault(authConfig, HEADER, HttpHeaders.AUTHORIZATION); - _prefix = AuthProviderUtils.getOrDefault(authConfig, PREFIX, "Bearer"); - Object urlValue = authConfig.getProperties().get(URL); - if (urlValue == null) { - throw new IllegalArgumentException("Missing required auth config property: " + URL); - } _url = new URL(urlValue.toString()); } catch (MalformedURLException e) { throw new IllegalArgumentException(e);