
Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER findbugs warnings


Details

• Type: Bug
• Status: Resolved
• Priority: Critical
• Resolution: Fixed
• Affects Version/s: None
• Fix Version/s: 1.2.0, 1.3.0, 1.1.4, 1.0.4, 2.0.0
• Component/s: UI
• Labels: None

Description

In our JMXJsonServlet we are doing this:

jsonpcb = request.getParameter(CALLBACK_PARAM);
if (jsonpcb != null) {
    response.setContentType("application/javascript; charset=utf8");
    writer.write(jsonpcb + "(");

    ...

Findbugs complains rightly. There are other instances in our servlets, and then there are the pages generated by jamon, which are excluded from findbugs checking (and findbugs volunteers that it is dumb in this regard, finding only the most egregious of violations).

We have no sanitizing tooling in hbase that I know of (correct me if I am wrong). I started to pull on this thread and it runs deep. Our Jamon templating engine (last updated in 2013 and before that, in 2011) doesn't seem to have sanitizing means either, and there seems to be an outstanding XSS complaint against jamon that goes unaddressed.

Could pull in something like https://www.owasp.org/index.php/OWASP_Java_Encoder_Project and run all emissions via it, or get a templating engine that has sanitizing built in.
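The hardened counterpart of the servlet fragment quoted above, as an added example that is not HBase's own fix for this issue: a JSONP callback name is emitted as a JavaScript identifier, not as a string, so output encoding cannot make an arbitrary value safe there and the value is instead validated against a strict identifier pattern and rejected otherwise; the OWASP Java Encoder mentioned above is used only where the rejected value is reflected into an HTML error page. The class name, the SAMPLE_JSON placeholder, the length bound and the regular expression are assumptions, and the servlet API and the OWASP Java Encoder are assumed to be on the classpath.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.encoder.Encode;

/**
 * Added example (not the project's own code): a JSONP-style servlet that
 * validates the callback parameter before echoing it into the response.
 */
public class SafeJsonpServlet extends HttpServlet {

    // Same parameter name the description refers to; the JSON body is a
    // constructed placeholder standing in for the real JMX bean dump.
    static final String CALLBACK_PARAM = "callback";
    static final String SAMPLE_JSON = "{\"beans\":[]}";

    // Whitelist (assumed policy): a JavaScript identifier, optionally dotted,
    // e.g. "jQuery.cb123". Quotes, angle brackets, parentheses, semicolons and
    // newlines never match, so they are rejected rather than escaped.
    private static final Pattern CALLBACK_NAME =
        Pattern.compile("^[A-Za-z_$][A-Za-z0-9_$]*(\\.[A-Za-z_$][A-Za-z0-9_$]*)*$");

    /** True only if name is a plain (possibly dotted) identifier of bounded length. */
    static boolean isValidCallbackName(String name) {
        return name != null && name.length() <= 128 && CALLBACK_NAME.matcher(name).matches();
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        String jsonpcb = request.getParameter(CALLBACK_PARAM);
        // Ask browsers not to second-guess the declared content type.
        response.setHeader("X-Content-Type-Options", "nosniff");

        if (jsonpcb != null && !isValidCallbackName(jsonpcb)) {
            // Reject the request. The value is reflected into an HTML error
            // page, so it is HTML-encoded with the OWASP Java Encoder first.
            response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            response.setContentType("text/html; charset=utf-8");
            response.getWriter().write(
                "<p>Invalid callback name: " + Encode.forHtml(jsonpcb) + "</p>");
            return;
        }

        PrintWriter writer = response.getWriter();
        if (jsonpcb != null) {
            // Only a validated identifier ever reaches this write.
            response.setContentType("application/javascript; charset=utf-8");
            writer.write(jsonpcb + "(");
            writer.write(SAMPLE_JSON);
            writer.write(");");
        } else {
            response.setContentType("application/json; charset=utf-8");
            writer.write(SAMPLE_JSON);
        }
    }

    /** Stand-alone check of the validator with constructed inputs. */
    public static void main(String[] args) {
        String[] accepted = {"cb", "jQuery.handle_1", "$fn"};
        String[] rejected = {"", "1abc", "a.b.", "x;y", "a(b)", "<tag>"};
        for (String s : accepted) {
            if (!isValidCallbackName(s)) throw new AssertionError("should accept: " + s);
        }
        for (String s : rejected) {
            if (isValidCallbackName(s)) throw new AssertionError("should reject: " + s);
        }
        System.out.println("callback validator OK");
    }
}
```

Running the class's main method exercises only the validator, which needs no container; the same isValidCallbackName check can be applied at every other place a servlet echoes a request parameter into JavaScript, while values emitted into HTML go through Encode.forHtml instead.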

Attachments

1. HBASE-15122.patch (50 kB, Heng Chen)
2. HBASE-15122-v0-master (5 kB, Samir Ahmic)
3. HBASE-15122_v1.patch (51 kB, Heng Chen)
4. HBASE-15122_v2.patch (51 kB, Samir Ahmic)
5. HBASE-15122_v3.patch (52 kB, Michael Stack)

People

• Assignee: Samir Ahmic (asamir)
• Reporter: Michael Stack (stack)
• Votes: 0
• Watchers: 7
