Uploaded image for project: 'Mesos'
  1. Mesos
  2. MESOS-8182

Mesos endpoint handler allows for non-existent paths to resolve

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 1.3.1, 1.4.0
    • Fix Version/s: None
    • Component/s: HTTP API, libprocess
    • Labels:
      None

      Description

      I stumbled on something interesting and I want to make sure there is not a security implication. I can append anything to `/mesos/*/` endpoints and still have them resolve. The Mesos team suggested that this is something that should be addressed.

      To reproduce:
      1. Spin up a Mesos cluster, any environment is fine as this is a web UI issue.
      2. Append `/mesos/slaves/<any string you want including /, and .>` to your Mesos master's address in the browser and it still resolves `/mesos/slaves`. The same applies to anything after `/mesos/state` and I would assume all the other Mesos endpoints following this URL pattern.

      Example URLs that resolve when they probably should not:
      https://<master-ip>/mesos/state/1/2/3/4/5/6/7/8/9
      or https://<master-ip>/mesos/slaves/1/2/3/thisresolves/whenIt/should/not

      Benno Evers from the Mesos team let me know this behavior is due to this section of code https://github.com/apache/mesos/blob/master/3rdparty/libprocess/src/process.cpp#L3953

      Thanks and let me know if you need anything else from me.

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              andrewshahan Andrew Shahan
            • Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

              • Created:
                Updated: