From 326895c2c6875992aa1db1cd6cedf30c7230cc28 Mon Sep 17 00:00:00 2001 From: "Apekshit(Appy) Sharma" Date: Wed, 22 Jul 2015 16:33:18 -0700 Subject: [PATCH] HBASE-14148 Add 'X-Frame-Options' to http response headers to protect against clickjacking. (Apekshit) --- LICENSE.txt | 38 ++++++++++++ .../org/apache/hadoop/hbase/http/HttpServer.java | 12 ++++ .../hadoop/hbase/http/XFrameOptionsFilter.java | 68 ++++++++++++++++++++++ .../hadoop/hbase/http/TestXFrameOptionsFilter.java | 67 +++++++++++++++++++++ 4 files changed, 185 insertions(+) create mode 100644 hbase-server/src/main/java/org/apache/hadoop/hbase/http/XFrameOptionsFilter.java create mode 100644 hbase-server/src/test/java/org/apache/hadoop/hbase/http/TestXFrameOptionsFilter.java diff --git a/LICENSE.txt b/LICENSE.txt index d645695..43950dc 100644 --- a/LICENSE.txt +++ b/LICENSE.txt @@ -200,3 +200,41 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. + +APACHE HBASE SUBCOMPONENTS: + +The Apache HBase project contains subcomponents with separate copyright +notices and license terms. Your use of the source code for the these +subcomponents is subject to the terms and conditions of the following +licenses. + +For org.apache.hadoop.hbase.http.XFrameOptionsFilter + +/** + * Copyright (c) 2009, Jeff Williams Aspect Security + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * * Neither the name of the nor the + * names of its contributors may be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * Software published by the Open Web Application Security Project (http://www.owasp.org) + */ diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java index 29a2c51..6876de4 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/http/HttpServer.java @@ -114,6 +114,7 @@ public class HttpServer implements FilterContainer { public static final String BIND_ADDRESS = "bind.address"; public static final String SPNEGO_FILTER = "SpnegoFilter"; public static final String NO_CACHE_FILTER = "NoCacheFilter"; + public static final String XFRAMEOPTIONS_FILTER = "XFrameOptionsFilter"; public static final String APP_DIR = "webapps"; private final AccessControlList adminsAcl; @@ -569,6 +570,7 @@ public class HttpServer implements FilterContainer { ctx.getServletContext().setAttribute(CONF_CONTEXT_ATTRIBUTE, conf); ctx.getServletContext().setAttribute(ADMINS_ACL, adminsAcl); addNoCacheFilter(ctx); + addXFrameOptionsFilter(ctx, conf); return ctx; } @@ -577,6 +579,16 @@ public class HttpServer implements FilterContainer { Collections. emptyMap(), new String[] { "/*" }); } + private static void addXFrameOptionsFilter(WebAppContext ctxt, Configuration conf) { + Map options = new HashMap<>(); + String mode = conf.get(XFrameOptionsFilter.XFRAMEOPTIONS_MODE); + if (mode != null) { + options.put(XFrameOptionsFilter.XFRAMEOPTIONS_MODE, mode); + } + defineFilter(ctxt, XFRAMEOPTIONS_FILTER, XFrameOptionsFilter.class.getName(), options, + new String[] { "/*" }); + } + /** * Create a required listener for the Jetty instance listening on the port * provided. This wrapper and all subclasses must create at least one diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/http/XFrameOptionsFilter.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/http/XFrameOptionsFilter.java new file mode 100644 index 0000000..b515973 --- /dev/null +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/http/XFrameOptionsFilter.java @@ -0,0 +1,68 @@ +/** + * Copyright (c) 2009, Jeff Williams Aspect Security + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * * Neither the name of the nor the + * names of its contributors may be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY + * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND + * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS + * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * Software published by the Open Web Application Security Project (http://www.owasp.org) + */ +package org.apache.hadoop.hbase.http; + +import javax.servlet.Filter; +import javax.servlet.FilterChain; +import javax.servlet.FilterConfig; +import javax.servlet.ServletException; +import javax.servlet.ServletRequest; +import javax.servlet.ServletResponse; +import javax.servlet.http.HttpServletResponse; +import java.io.IOException; + +/** + * Filter to prevent Clickjacking. + * To know about clickjacking: https://www.owasp.org/index.php/Clickjacking + */ +public class XFrameOptionsFilter implements Filter { + final static String XFRAMEOPTIONS_MODE = "hbase.http.filter.xframeoptions.mode"; + private final static String defaultMode = "DENY"; + + private String mode = null; + + @Override + public void init(FilterConfig filterConfig) throws ServletException { + mode = filterConfig.getInitParameter(XFRAMEOPTIONS_MODE); + if (mode == null) { + mode = defaultMode; + } + } + + @Override + public void destroy() {} + + @Override + public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws + IOException, ServletException { + ((HttpServletResponse) response).addHeader("X-FRAME-OPTIONS", mode); + chain.doFilter(request, response); + } +} + diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/http/TestXFrameOptionsFilter.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/http/TestXFrameOptionsFilter.java new file mode 100644 index 0000000..f6362a2 --- /dev/null +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/http/TestXFrameOptionsFilter.java @@ -0,0 +1,67 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.hadoop.hbase.http; + +import org.apache.hadoop.conf.Configuration; +import org.apache.hadoop.hbase.testclassification.SmallTests; +import org.junit.Test; +import org.junit.experimental.categories.Category; +import org.mockito.ArgumentCaptor; +import org.mockito.Captor; +import org.mockito.Mockito; + +import javax.servlet.FilterChain; +import javax.servlet.FilterConfig; +import javax.servlet.http.HttpServletRequest; +import javax.servlet.http.HttpServletResponse; +import java.util.Map; + +import static org.junit.Assert.assertEquals; +import static org.mockito.Matchers.anyString; +import static org.mockito.Matchers.eq; + +@Category(SmallTests.class) +public class TestXFrameOptionsFilter { + @Captor ArgumentCaptor> mapArgCaptor; + + @Test + /** + * Tests {@link org.apache.hadoop.hbase.http.XFrameOptionsFilter#doFilter + * (ServletRequest, ServletResponse, FilterChain)} sets 'X-FRAME-OPTIONS' in header to right + * value from {@link FilterConfig}. + */ public void TestXFrameOptionsFilter() throws Exception { + FilterConfig filterConfig = Mockito.mock(FilterConfig.class); + Mockito.doReturn("FOO").when(filterConfig) + .getInitParameter(XFrameOptionsFilter.XFRAMEOPTIONS_MODE); + + XFrameOptionsFilter filter = new XFrameOptionsFilter(); + filter.init(filterConfig); + + HttpServletRequest request = Mockito.mock(HttpServletRequest.class); + HttpServletResponse response = Mockito.mock(HttpServletResponse.class); + FilterChain chain = Mockito.mock(FilterChain.class); + + filter.doFilter(request, response, chain); + + Mockito.verify(response).addHeader(eq("X-FRAME-OPTIONS"), eq("FOO")); + Mockito.verify(chain).doFilter(request, response); + + filter.destroy(); + } +} -- 2.3.2 (Apple Git-55)