[HDDS-2110] Arbitrary file can be downloaded with the help of ProfilerServlet - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 0.5.0
Component/s: Native
Labels:
- pull-request-available

Target Version/s:

0.4.1
Flags:

Patch, Important
External issue URL:
https://github.com/apache/hadoop/blob/217bdbd940a96986df3b96899b43caae2b5a9ed2/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/ProfileServlet.java

Description

The LOC 324 in the file ProfileServlet.java is prone to an arbitrary file download:-

protected void doGetDownload(String fileName, final HttpServletRequest req,      final HttpServletResponse resp) throws IOException {

File requestedFile = ProfileServlet.OUTPUT_DIR.resolve(fileName).toAbsolutePath().toFile();

As the String fileName is directly considered as the requested file.

Which is called at LOC 180 with HTTP request directly passed:-

if (req.getParameter("file") != null) {      doGetDownload(req.getParameter("file"), req, resp);      
return;    
}

Attachments

Issue Links

links to

GitHub Pull Request #1448

Activity

People

Assignee:: Marton Elek

Reporter:: Aayush

Votes:: 0 Vote for this issue

Watchers:: 7 Start watching this issue

Dates

Created:: 11/Sep/19 12:18

Updated:: 24/Feb/20 20:51

Resolved:: 19/Sep/19 16:44

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

1.5h