[HBASE-15946] Eliminate possible security concerns in RS web UI's store file metrics - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.3.0, 1.2.1
Fix Version/s: 1.3.0, 1.2.2, 0.98.21, 2.0.0
Component/s: None
Labels:
None

Description

More from static code analysis: it warns about the invoking of a separate command ("hbase hfile -s -f ...") as a possible security issue in hbase-server/src/main/resources/hbase-webapps/regionserver/storeFile.jsp.

It looks to me like one cannot inject arbitrary shell script or even arbitrary arguments: ProcessBuilder makes that fairly safe and only allows the user to specify the argument that comes after -f. However that does potentially allow them to have the daemon's user access files they shouldn't be able to touch, albeit only for reading.

To more explicitly eliminate any threats here, we should add some validation that the file is at least within HBase's root directory and use the Java API directly instead of invoking a separate executable.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HBASE-15946-v1.patch
02/Jun/16 20:29
14 kB
Sean Mackrory
HBASE-15946-v2.patch
02/Jun/16 23:10
14 kB
Sean Mackrory
HBASE-15946-v3.patch
07/Jun/16 16:10
14 kB
Sean Mackrory
HBASE-15946-branch-1.3-mantonov.diff
10/Jun/16 02:08
14 kB
Mikhail Antonov

Issue Links

is related to

HBASE-22561 modify HFilePrettyPrinter to accept non-hbase.rootdir directories

Resolved

Activity

People

Assignee:: Sean Mackrory

Reporter:: Sean Mackrory

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 02/Jun/16 19:06

Updated:: 14/Jun/19 12:03

Resolved:: 10/Jun/16 17:47