From b2ef26ea2e60473663eff865b3758a6232a6dccc Mon Sep 17 00:00:00 2001 From: "Apekshit(Appy) Sharma" Date: Wed, 22 Jul 2015 16:33:18 -0700 Subject: [PATCH] HBASE-14148 Add 'X-Frame-Options' to http response headers to protect against clickjacking. (Apekshit) --- LICENSE.txt | 41 +++++++++++++ .../org/apache/hadoop/hbase/http/HttpServer.java | 12 ++++ .../hadoop/hbase/http/XFrameOptionsFilter.java | 45 +++++++++++++++ .../hadoop/hbase/http/TestXFrameOptionsFilter.java | 67 ++++++++++++++++++++++ 4 files changed, 165 insertions(+) create mode 100644 hbase-server/src/main/java/org/apache/hadoop/hbase/http/XFrameOptionsFilter.java create mode 100644 hbase-server/src/test/java/org/apache/hadoop/hbase/http/TestXFrameOptionsFilter.java diff --git a/LICENSE.txt b/LICENSE.txt index d645695..800e4ad 100644 --- a/LICENSE.txt +++ b/LICENSE.txt @@ -200,3 +200,44 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. + +APACHE HBASE SUBCOMPONENTS: + +The Apache HBase project contains subcomponents with separate copyright +notices and license terms. Your use of the source code for the these +subcomponents is subject to the terms and conditions of the following +licenses. + +For org.apache.hadoop.hbase.http.XFrameOptionsFilter + +/** + * Software published by the Open Web Application Security Project (http://www.owasp.org) + * This software is licensed under the new BSD license. + * Copyright 2009, Jeff Williams Aspect Security + */ +New-BSD license + +Copyright (c) 2009, Jeff Williams +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + * Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + * Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + * Neither the name of the nor the + names of its contributors may be used to endorse or promote products + derived from this software without specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY +DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND +ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java index 29a2c51..6876de4 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java @@ -114,6 +114,7 @@ public class HttpServer implements FilterContainer { public static final String BIND_ADDRESS = "bind.address"; public static final String SPNEGO_FILTER = "SpnegoFilter"; public static final String NO_CACHE_FILTER = "NoCacheFilter"; + public static final String XFRAMEOPTIONS_FILTER = "XFrameOptionsFilter"; public static final String APP_DIR = "webapps"; private final AccessControlList adminsAcl; @@ -569,6 +570,7 @@ public class HttpServer implements FilterContainer { ctx.getServletContext().setAttribute(CONF_CONTEXT_ATTRIBUTE, conf); ctx.getServletContext().setAttribute(ADMINS_ACL, adminsAcl); addNoCacheFilter(ctx); + addXFrameOptionsFilter(ctx, conf); return ctx; } @@ -577,6 +579,16 @@ public class HttpServer implements FilterContainer { Collections. emptyMap(), new String[] { "/*" }); } + private static void addXFrameOptionsFilter(WebAppContext ctxt, Configuration conf) { + Map options = new HashMap<>(); + String mode = conf.get(XFrameOptionsFilter.XFRAMEOPTIONS_MODE); + if (mode != null) { + options.put(XFrameOptionsFilter.XFRAMEOPTIONS_MODE, mode); + } + defineFilter(ctxt, XFRAMEOPTIONS_FILTER, XFrameOptionsFilter.class.getName(), options, + new String[] { "/*" }); + } + /** * Create a required listener for the Jetty instance listening on the port * provided. This wrapper and all subclasses must create at least one diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/http/XFrameOptionsFilter.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/http/XFrameOptionsFilter.java new file mode 100644 index 0000000..ba39e70 --- /dev/null +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/http/XFrameOptionsFilter.java @@ -0,0 +1,45 @@ +/** + * Software published by the Open Web Application Security Project (http://www.owasp.org) + * This software is licensed under the new BSD license. + * Copyright 2009, Jeff Williams Aspect Security + */ +package org.apache.hadoop.hbase.http; + +import javax.servlet.Filter; +import javax.servlet.FilterChain; +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletResponse; +import java.io.IOException; + +/** + * Filter to prevent Clickjacking. + * To know about clickjacking: https://www.owasp.org/index.php/Clickjacking + */ +public class XFrameOptionsFilter implements Filter { + final static String XFRAMEOPTIONS_MODE = "hbase.http.filter.xframeoptions.mode"; + private final static String defaultMode = "DENY"; + + private String mode = null; + + @Override + public void init(FilterConfig filterConfig) throws ServletException { + mode = filterConfig.getInitParameter(XFRAMEOPTIONS_MODE); + if (mode == null) { + mode = defaultMode; + } + } + + @Override + public void destroy() {} + + @Override + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws + IOException, ServletException { + ((HttpServletResponse) response).addHeader("X-FRAME-OPTIONS", mode); + chain.doFilter(request, response); + } +} + diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/http/TestXFrameOptionsFilter.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/http/TestXFrameOptionsFilter.java new file mode 100644 index 0000000..f6362a2 --- /dev/null +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/http/TestXFrameOptionsFilter.java @@ -0,0 +1,67 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hbase.http; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hbase.testclassification.SmallTests; +import org.junit.Test; +import org.junit.experimental.categories.Category; +import org.mockito.ArgumentCaptor; +import org.mockito.Captor; +import org.mockito.Mockito; + +import javax.servlet.FilterChain; +import javax.servlet.FilterConfig; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.util.Map; + +import static org.junit.Assert.assertEquals; +import static org.mockito.Matchers.anyString; +import static org.mockito.Matchers.eq; + +@Category(SmallTests.class) +public class TestXFrameOptionsFilter { + @Captor ArgumentCaptor> mapArgCaptor; + + @Test + /** + * Tests {@link org.apache.hadoop.hbase.http.XFrameOptionsFilter#doFilter + * (ServletRequest, ServletResponse, FilterChain)} sets 'X-FRAME-OPTIONS' in header to right + * value from {@link FilterConfig}. + */ public void TestXFrameOptionsFilter() throws Exception { + FilterConfig filterConfig = Mockito.mock(FilterConfig.class); + Mockito.doReturn("FOO").when(filterConfig) + .getInitParameter(XFrameOptionsFilter.XFRAMEOPTIONS_MODE); + + XFrameOptionsFilter filter = new XFrameOptionsFilter(); + filter.init(filterConfig); + + HttpServletRequest request = Mockito.mock(HttpServletRequest.class); + HttpServletResponse response = Mockito.mock(HttpServletResponse.class); + FilterChain chain = Mockito.mock(FilterChain.class); + + filter.doFilter(request, response, chain); + + Mockito.verify(response).addHeader(eq("X-FRAME-OPTIONS"), eq("FOO")); + Mockito.verify(chain).doFilter(request, response); + + filter.destroy(); + } +} -- 2.3.2 (Apple Git-55)