HBase / HBASE-15187

Integrate CSRF prevention filter to REST gateway

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Fix Version/s: 1.4.0, 2.0.0
    • Hadoop Flags: Reviewed
    • Release Note:
      Protection against CSRF attacks can be turned on with the config parameter hbase.rest.csrf.enabled; the default value is false.

      The custom header to be sent can be changed via the config parameter hbase.rest.csrf.custom.header, whose default value is "X-XSRF-HEADER".

      The config parameter hbase.rest.csrf.methods.to.ignore controls which HTTP methods are exempt from the custom header check.

      The config parameter hbase.rest-csrf.browser-useragents-regex is a comma-separated list of regular expressions matched against an HTTP request's User-Agent header when protection against cross-site request forgery (CSRF) is enabled for the REST server by setting hbase.rest.csrf.enabled to true.

      The implementation came from hadoop/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/http/RestCsrfPreventionFilter.java

      We should periodically update the RestCsrfPreventionFilter.java in the HBase codebase to include fixes to the Hadoop implementation.

    Description

      HADOOP-12691 introduced a filter in Hadoop Common to help REST APIs guard against cross-site request forgery attacks.

      This issue tracks the integration of that filter into HBase REST gateway.

      From the REST section of the refguide:

      To delete a table, use a DELETE request with the /schema endpoint:
      http://example.com:8000/<table>/schema

      Suppose an attacker hosts a malicious web form on a domain under his control. The form uses the DELETE action targeting a REST URL. Through social engineering, the attacker tricks an authenticated user into accessing the form and submitting it.

      The browser sends the HTTP DELETE request to the REST gateway.
      At the REST gateway, the call is executed and the user's table is dropped.
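      The following Python model is added here as an illustration; it is not code from HBase or from the Hadoop filter. It encodes the decision that the four parameters in the release note configure and runs it against the browser-submitted DELETE scenario in the description. It assumes the Hadoop filter's behaviour that a request is passed on when its method is in the ignore list, or it carries the custom header (presence only, the value is not checked), or its User-Agent matches none of the browser patterns. The defaults it uses for hbase.rest.csrf.methods.to.ignore and hbase.rest-csrf.browser-useragents-regex are assumptions, since the page states only the enabled and header defaults; the Request and CsrfPolicy classes and the sample requests are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Configuration keys named in the HBASE-15187 release note.
CSRF_ENABLED_KEY = "hbase.rest.csrf.enabled"
CUSTOM_HEADER_KEY = "hbase.rest.csrf.custom.header"
METHODS_TO_IGNORE_KEY = "hbase.rest.csrf.methods.to.ignore"
BROWSER_UA_REGEX_KEY = "hbase.rest-csrf.browser-useragents-regex"

# The first two defaults are the ones the release note states. The last two
# are ASSUMED for this example (modelled on the Hadoop filter); check them
# against the filter shipped with your HBase version.
DEFAULTS = {
    CSRF_ENABLED_KEY: "false",
    CUSTOM_HEADER_KEY: "X-XSRF-HEADER",
    METHODS_TO_IGNORE_KEY: "GET,OPTIONS,HEAD,TRACE",
    BROWSER_UA_REGEX_KEY: "^Mozilla.*,^Opera.*",
}


@dataclass
class Request:
    """Constructed stand-in for the servlet request: method plus headers."""
    method: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        # Header names are case-insensitive in HTTP.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


class CsrfPolicy:
    """Decision logic of a RestCsrfPreventionFilter-style filter (a model, not the real class)."""

    def __init__(self, conf=None):
        conf = {**DEFAULTS, **(conf or {})}
        self.enabled = conf[CSRF_ENABLED_KEY].strip().lower() == "true"
        self.header_name = conf[CUSTOM_HEADER_KEY].strip()
        self.methods_to_ignore = {
            m.strip() for m in conf[METHODS_TO_IGNORE_KEY].split(",") if m.strip()
        }
        # Java's Matcher.matches() requires a full match, hence re.fullmatch below.
        self.browser_patterns = [
            re.compile(p.strip()) for p in conf[BROWSER_UA_REGEX_KEY].split(",") if p.strip()
        ]

    def is_browser(self, user_agent):
        """True when the User-Agent matches any configured browser pattern."""
        if user_agent is None:
            return False
        return any(p.fullmatch(user_agent) for p in self.browser_patterns)

    def decide(self, request):
        """Return (http_status, reason); 200 means the request is passed on to the REST handler."""
        if not self.enabled:
            return 200, "CSRF filter disabled"
        if request.method in self.methods_to_ignore:
            return 200, "method exempt from the custom header check"
        if request.header(self.header_name) is not None:
            return 200, "custom header present"
        if not self.is_browser(request.header("User-Agent")):
            return 200, "non-browser client, header not required"
        return 400, "missing required header " + self.header_name


if __name__ == "__main__":
    # The description's scenario: a browser-submitted DELETE against /<table>/schema.
    browser_delete = Request("DELETE", {"User-Agent": "Mozilla/5.0 (X11; Linux) Firefox/50.0"})
    print("filter off :", CsrfPolicy().decide(browser_delete))
    enabled = CsrfPolicy({CSRF_ENABLED_KEY: "true"})
    print("filter on  :", enabled.decide(browser_delete))
    with_header = Request("DELETE", {"User-Agent": "Mozilla/5.0", "X-XSRF-HEADER": "1"})
    print("with header:", enabled.decide(with_header))
```

      Two points the model makes visible: the check is on the header's presence, not its value, so the protection rests on browsers refusing to attach a custom header to a cross-origin request without a successful CORS preflight, which makes the gateway's CORS configuration part of the same control; and because non-browser User-Agents are let through, scripted clients such as curl keep working without the header, while a browser-shaped User-Agent must send it on every non-exempt method.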

      Attachments

        1. HBASE-15187.v1.patch (20 kB, Ted Yu)
        2. HBASE-15187.v10.patch (35 kB, Ted Yu)
        3. HBASE-15187.v10.patch (34 kB, Ted Yu)
        4. HBASE-15187.v11.patch (36 kB, Ted Yu)
        5. HBASE-15187.v12.patch (36 kB, Ted Yu)
        6. HBASE-15187.v13.patch (37 kB, Ted Yu)
        7. HBASE-15187.v14.patch (37 kB, Ted Yu)
        8. HBASE-15187.v2.patch (20 kB, Ted Yu)
        9. HBASE-15187.v3.patch (22 kB, Ted Yu)
        10. HBASE-15187.v4.patch (22 kB, Ted Yu)
        11. HBASE-15187.v5.patch (22 kB, Ted Yu)
        12. HBASE-15187.v6.patch (27 kB, Ted Yu)
        13. HBASE-15187.v7.patch (22 kB, Ted Yu)
        14. HBASE-15187.v8.patch (25 kB, Ted Yu)
        15. HBASE-15187.v9.patch (34 kB, Ted Yu)
        16. HBASE-15187-branch-1.v13.patch (37 kB, Ted Yu)

      People

        Assignee: Ted Yu
        Reporter: Ted Yu
        Votes: 0
        Watchers: 6