Kafka / KAFKA-7715

Connect should have a parameter to disable WADL output for OPTIONS method

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Critical
    • Resolution: Won't Fix
    • Affects Version/s: 2.1.0
    • Fix Version/s: None
    • Component/s: config, security
    • Labels:
      None

      Description

      Currently, the Connect REST API exposes WADL output on the OPTIONS method:

      curl -i -X OPTIONS http://localhost:8083/connectors
      HTTP/1.1 200 OK
      Date: Fri, 07 Dec 2018 22:51:53 GMT
      Content-Type: application/vnd.sun.wadl+xml
      Allow: HEAD,POST,GET,OPTIONS
      Last-Modified: Fri, 07 Dec 2018 14:51:53 PST
      Content-Length: 1331
      Server: Jetty(9.4.12.v20180830)
      
      <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
      <application xmlns="http://wadl.dev.java.net/2009/02">
      <doc xmlns:jersey="http://jersey.java.net/" jersey:generatedBy="Jersey: 2.27 2018-04-10 07:34:57"/>
      <grammars>
      <include href="http://localhost:8083/application.wadl/xsd0.xsd">
      <doc title="Generated" xml:lang="en"/>
      </include>
      </grammars>
      <resources base="http://localhost:8083/">
      <resource path="connectors">
      <method id="createConnector" name="POST">
      <request>
      <param xmlns:xs="http://www.w3.org/2001/XMLSchema" name="forward" style="query" type="xs:boolean"/>
      <representation mediaType="application/json"/>
      </request>
      <response>
      <representation mediaType="application/json"/>
      </response>
      </method>
      <method id="listConnectors" name="GET">
      <request>
      <param xmlns:xs="http://www.w3.org/2001/XMLSchema" name="forward" style="query" type="xs:boolean"/>
      </request>
      <response>
      <representation mediaType="application/json"/>
      </response>
      </method>
      </resource>
      </resources>
      </application>
      

      This can be a potential vulnerability, so it makes sense to have a configuration parameter that disables WADL output.

              People

              • Assignee:
                odiachenko Oleksandr Diachenko
                Reporter:
                odiachenko Oleksandr Diachenko