HBASE-15946

Eliminate possible security concerns in RS web UI's store file metrics


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.3.0, 1.2.1
    • Fix Version/s: 1.3.0, 1.2.2, 0.98.21, 2.0.0
    • Component/s: None
    • Labels: None

    Description

      More from static code analysis: it warns about invoking a separate command ("hbase hfile -s -f ...") as a possible security issue in hbase-server/src/main/resources/hbase-webapps/regionserver/storeFile.jsp.

      It looks to me like one cannot inject arbitrary shell script or even arbitrary arguments: ProcessBuilder makes that fairly safe and only allows the user to specify the argument that comes after -f. However, that does potentially allow them to have the daemon's user access files they shouldn't be able to touch, albeit only for reading.

      To more explicitly eliminate any threats here, we should add some validation that the file is at least within HBase's root directory and use the Java API directly instead of invoking a separate executable.
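      A containment check of the kind the description asks for, added here as an illustration and not code from the HBase patch. It uses java.nio.file so that it runs stand-alone (HBase itself would apply the same idea to Hadoop Path objects against the root directory from its configuration); the class name StoreFilePathCheck, the root directory /hbase and the sample paths are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/** Validates that a store file path requested via the web UI lies under HBase's root directory. */
public final class StoreFilePathCheck {
    private final Path rootDir;

    public StoreFilePathCheck(String hbaseRootDir) {
        // Canonical form of the root, so that the component-wise comparison below is meaningful.
        this.rootDir = Paths.get(hbaseRootDir).toAbsolutePath().normalize();
    }

    /**
     * Returns true only if the requested path, after resolving against the root and
     * collapsing any "." or ".." segments, is a strict descendant of the root directory.
     * Path.startsWith compares whole path components, so a sibling directory whose name
     * merely shares the root's prefix (e.g. /hbase2) is rejected as well.
     */
    public boolean isWithinRoot(String requested) {
        if (requested == null || requested.isEmpty()) {
            return false;
        }
        Path candidate = rootDir.resolve(requested).toAbsolutePath().normalize();
        return candidate.startsWith(rootDir) && !candidate.equals(rootDir);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the root directory and requested paths are illustrative only.
        StoreFilePathCheck check = new StoreFilePathCheck("/hbase");
        String[] samples = {
            "/hbase/data/default/t1/region1/cf/storefile1",
            "data/default/t1/region1/cf/storefile1",
            "/hbase/data/../../outside/storefile",
            "/hbase2/data/default/t1/region1/cf/storefile1",
            ""
        };
        for (String s : samples) {
            System.out.println("'" + s + "' within root: " + check.isWithinRoot(s));
        }
    }
}
```

      The normalized path that passed the check, not the raw request parameter, is what should then be handed to the file-reading API in place of the "hbase hfile" subprocess.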

      Attachments

        1. HBASE-15946-v3.patch (14 kB, Sean Mackrory)
        2. HBASE-15946-v2.patch (14 kB, Sean Mackrory)
        3. HBASE-15946-v1.patch (14 kB, Sean Mackrory)
        4. HBASE-15946-branch-1.3-mantonov.diff (14 kB, Mikhail Antonov)


          People

            Assignee: Sean Mackrory (mackrorysd)
            Reporter: Sean Mackrory (mackrorysd)
            Votes: 0
            Watchers: 6
