From 9524e767044289db26115f238b9260406d2f5475 Mon Sep 17 00:00:00 2001 From: "Apekshit(Appy) Sharma" Date: Wed, 22 Jul 2015 16:33:18 -0700 Subject: [PATCH] HBASE-14148 Add 'X-Frame-Options' to http response headers to protect against clickjacking. (Apekshit) --- LICENSE.txt | 15 +++++ .../org/apache/hadoop/hbase/http/HttpServer.java | 12 ++++ .../hadoop/hbase/http/XFrameOptionsFilter.java | 45 +++++++++++++++ .../hadoop/hbase/http/TestXFrameOptionsFilter.java | 64 ++++++++++++++++++++++ 4 files changed, 136 insertions(+) create mode 100644 hbase-server/src/main/java/org/apache/hadoop/hbase/http/XFrameOptionsFilter.java create mode 100644 hbase-server/src/test/java/org/apache/hadoop/hbase/http/TestXFrameOptionsFilter.java diff --git a/LICENSE.txt b/LICENSE.txt index d645695..8f8b211 100644 --- a/LICENSE.txt +++ b/LICENSE.txt @@ -200,3 +200,18 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. + +APACHE HBASE SUBCOMPONENTS: + +The Apache HBase project contains subcomponents with separate copyright +notices and license terms. Your use of the source code for the these +subcomponents is subject to the terms and conditions of the following +licenses. + +For org.apache.hadoop.hbase.http.XFrameOptionsFilter + +/** + * Software published by the Open Web Application Security Project (http://www.owasp.org) + * This software is licensed under the new BSD license. + * Copyright 2009, Jeff Williams Aspect Security + */ diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java index 29a2c51..6876de4 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java @@ -114,6 +114,7 @@ public class HttpServer implements FilterContainer { public static final String BIND_ADDRESS = "bind.address"; public static final String SPNEGO_FILTER = "SpnegoFilter"; public static final String NO_CACHE_FILTER = "NoCacheFilter"; + public static final String XFRAMEOPTIONS_FILTER = "XFrameOptionsFilter"; public static final String APP_DIR = "webapps"; private final AccessControlList adminsAcl; @@ -569,6 +570,7 @@ public class HttpServer implements FilterContainer { ctx.getServletContext().setAttribute(CONF_CONTEXT_ATTRIBUTE, conf); ctx.getServletContext().setAttribute(ADMINS_ACL, adminsAcl); addNoCacheFilter(ctx); + addXFrameOptionsFilter(ctx, conf); return ctx; } @@ -577,6 +579,16 @@ public class HttpServer implements FilterContainer { Collections. emptyMap(), new String[] { "/*" }); } + private static void addXFrameOptionsFilter(WebAppContext ctxt, Configuration conf) { + Map options = new HashMap<>(); + String mode = conf.get(XFrameOptionsFilter.XFRAMEOPTIONS_MODE); + if (mode != null) { + options.put(XFrameOptionsFilter.XFRAMEOPTIONS_MODE, mode); + } + defineFilter(ctxt, XFRAMEOPTIONS_FILTER, XFrameOptionsFilter.class.getName(), options, + new String[] { "/*" }); + } + /** * Create a required listener for the Jetty instance listening on the port * provided. This wrapper and all subclasses must create at least one diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/http/XFrameOptionsFilter.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/http/XFrameOptionsFilter.java new file mode 100644 index 0000000..ba39e70 --- /dev/null +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/http/XFrameOptionsFilter.java @@ -0,0 +1,45 @@ +/** + * Software published by the Open Web Application Security Project (http://www.owasp.org) + * This software is licensed under the new BSD license. + * Copyright 2009, Jeff Williams Aspect Security + */ +package org.apache.hadoop.hbase.http; + +import javax.servlet.Filter; +import javax.servlet.FilterChain; +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletResponse; +import java.io.IOException; + +/** + * Filter to prevent Clickjacking. + * To know about clickjacking: https://www.owasp.org/index.php/Clickjacking + */ +public class XFrameOptionsFilter implements Filter { + final static String XFRAMEOPTIONS_MODE = "hbase.http.filter.xframeoptions.mode"; + private final static String defaultMode = "DENY"; + + private String mode = null; + + @Override + public void init(FilterConfig filterConfig) throws ServletException { + mode = filterConfig.getInitParameter(XFRAMEOPTIONS_MODE); + if (mode == null) { + mode = defaultMode; + } + } + + @Override + public void destroy() {} + + @Override + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws + IOException, ServletException { + ((HttpServletResponse) response).addHeader("X-FRAME-OPTIONS", mode); + chain.doFilter(request, response); + } +} + diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/http/TestXFrameOptionsFilter.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/http/TestXFrameOptionsFilter.java new file mode 100644 index 0000000..1975e1c --- /dev/null +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/http/TestXFrameOptionsFilter.java @@ -0,0 +1,64 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hbase.http; + +import org.apache.hadoop.conf.Configuration; +import org.junit.Test; +import org.mockito.ArgumentCaptor; +import org.mockito.Captor; +import org.mockito.Mockito; + +import javax.servlet.FilterChain; +import javax.servlet.FilterConfig; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.util.Map; + +import static org.junit.Assert.assertEquals; +import static org.mockito.Matchers.anyString; +import static org.mockito.Matchers.eq; + +public class TestXFrameOptionsFilter { + @Captor ArgumentCaptor> mapArgCaptor; + + @Test + /** + * Tests {@link org.apache.hadoop.hbase.http.XFrameOptionsFilter#doFilter + * (ServletRequest, ServletResponse, FilterChain)} sets 'X-FRAME-OPTIONS' in header to right + * value from {@link FilterConfig}. + */ public void TestXFrameOptionsFilter() throws Exception { + FilterConfig filterConfig = Mockito.mock(FilterConfig.class); + Mockito.doReturn("FOO").when(filterConfig) + .getInitParameter(XFrameOptionsFilter.XFRAMEOPTIONS_MODE); + + XFrameOptionsFilter filter = new XFrameOptionsFilter(); + filter.init(filterConfig); + + HttpServletRequest request = Mockito.mock(HttpServletRequest.class); + HttpServletResponse response = Mockito.mock(HttpServletResponse.class); + FilterChain chain = Mockito.mock(FilterChain.class); + + filter.doFilter(request, response, chain); + + Mockito.verify(response).addHeader(eq("X-FRAME-OPTIONS"), eq("FOO")); + Mockito.verify(chain).doFilter(request, response); + + filter.destroy(); + } +} -- 2.3.2 (Apple Git-55)