[HBASE-15122] Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER findbugs warnings - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.2.0, 1.3.0, 1.1.4, 1.0.4, 2.0.0
Component/s: UI
Labels:
None

Description

In our JMXJsonServlet we are doing this:

jsonpcb = request.getParameter(CALLBACK_PARAM);
if (jsonpcb != null) {
response.setContentType("application/javascript; charset=utf8");
writer.write(jsonpcb + "(");

...

Findbugs complains rightly. There are other instances in our servlets and then there are the pages generated by jamon excluded from findbugs checking (and findbugs volunteers that it is dumb in this regard finding only the most egregious of violations).

We have no sanitizing tooling in hbase that I know of (correct me if I am wrong). I started to pull on this thread and it runs deep. Our Jamon templating (last updated in 2013 and before that, in 2011) engine doesn't seem to have sanitizing means either and there seems to be outstanding XSS complaint against jamon that goes unaddressed.

Could pull in something like https://www.owasp.org/index.php/OWASP_Java_Encoder_Project and run all emissions via it or get a templating engine that has sanitizing built in.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HBASE-15122_v1.patch
02/Feb/16 02:58
51 kB
Heng Chen
HBASE-15122_v2.patch
03/Feb/16 10:11
51 kB
Samir Ahmic
HBASE-15122_v3.patch
06/Feb/16 05:30
52 kB
Michael Stack
HBASE-15122.patch
17/Jan/16 06:42
50 kB
Heng Chen
HBASE-15122-v0-master
01/Feb/16 19:03
5 kB
Samir Ahmic

Issue Links

breaks

HBASE-16260 Audit dependencies for Category-X

Resolved

Is contained by

HBASE-16328 Reimplement web UI fixes without license problems

Open

Activity

People

Assignee:: Samir Ahmic

Reporter:: Michael Stack

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 15/Jan/16 15:04

Updated:: 02/Aug/16 14:48

Resolved:: 15/Feb/16 06:24