From e2f505e961b41608f7c938dfea4b816be5f27bf2 Mon Sep 17 00:00:00 2001 From: Samir Ahmic Date: Mon, 1 Feb 2016 19:46:53 +0100 Subject: [PATCH] HBASE-15122 Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER findbugs warnings --- .../src/main/resources/supplemental-models.xml | 36 ++++++++++++++++++++++ hbase-server/pom.xml | 5 +++ .../hadoop/hbase/http/jmx/JMXJsonServlet.java | 8 ++++- .../hadoop/hbase/http/jmx/TestJMXJsonServlet.java | 6 ++++ 4 files changed, 54 insertions(+), 1 deletion(-) diff --git a/hbase-resource-bundle/src/main/resources/supplemental-models.xml b/hbase-resource-bundle/src/main/resources/supplemental-models.xml index 2f94226..863864e 100644 --- a/hbase-resource-bundle/src/main/resources/supplemental-models.xml +++ b/hbase-resource-bundle/src/main/resources/supplemental-models.xml @@ -61,6 +61,42 @@ under the License. + + + commons-beanutils + commons-beanutils-core + + + The Apache Software Foundation + http://www.apache.org/ + + + + Apache Software License, Version 2.0 + http://www.apache.org/licenses/LICENSE-2.0.txt + repo + + + + + + + xalan + xalan + + + The Apache Software Foundation + http://www.apache.org/ + + + + The Apache Software License, Version 2.0 + http://www.apache.org/licenses/LICENSE-2.0.txt + repo + + + + diff --git a/hbase-server/pom.xml b/hbase-server/pom.xml index 3c25094..ad1e0ca 100644 --- a/hbase-server/pom.xml +++ b/hbase-server/pom.xml @@ -561,6 +561,11 @@ bcprov-jdk16 test + + org.owasp.esapi + esapi + 2.1.0 + diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/http/jmx/JMXJsonServlet.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/http/jmx/JMXJsonServlet.java index 45c2c15..14a19f6 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/http/jmx/JMXJsonServlet.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/http/jmx/JMXJsonServlet.java 
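Review bot: The `esapi` 2.1.0 dependency added to the `hbase-server` pom carries no scope element (compare the sibling `bcprov-jdk16` entry marked `test`), so it lands on the server runtime classpath with its full transitive tree, which the `supplemental-models.xml` hunk in this same patch already has to license (commons-beanutils, xalan) — a large surface for a single string-encoding call. Consider excluding the transitive artifacts the encoder does not need, or checking whether an escaping utility already on the server classpath covers this use, and make sure the new tree is pinned and reviewed like any other runtime dependency. As far as I know ESAPI also resolves an `ESAPI.properties` resource when `ESAPI.encoder()` is first called and can fail when none is found; the diffstat shows no such file being added, so please confirm the servlet starts in a deployed server and not only under the unit test.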
@@ -35,6 +35,7 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.hbase.http.HttpServer; import org.apache.hadoop.hbase.util.JSONBean; +import org.owasp.esapi.ESAPI; /* * This servlet is based off of the JMXProxyServlet from Tomcat 7.0.14. It has @@ -167,7 +168,7 @@ public class JMXJsonServlet extends HttpServlet { jsonpcb = request.getParameter(CALLBACK_PARAM); if (jsonpcb != null) { response.setContentType("application/javascript; charset=utf8"); - writer.write(jsonpcb + "("); + writer.write(encodeJS(jsonpcb) + "("); } else { response.setContentType("application/json; charset=utf8"); } @@ -220,4 +221,9 @@ public class JMXJsonServlet extends HttpServlet { response.setStatus(HttpServletResponse.SC_BAD_REQUEST); } } + + private String encodeJS(String inputStr) { + return ESAPI.encoder().encodeForJavaScript(inputStr); + } + } diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/http/jmx/TestJMXJsonServlet.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/http/jmx/TestJMXJsonServlet.java index 031ddce..baeaf89 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/http/jmx/TestJMXJsonServlet.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/http/jmx/TestJMXJsonServlet.java @@ -105,5 +105,11 @@ public class TestJMXJsonServlet extends HttpServerFunctionalTest { assertReFind("\"committed\"\\s*:", result); assertReFind("\\}\\);$", result); + // test to get XSS JSONP result + result = readOutput(new URL(baseUrl, "/jmx?qry=java.lang:type=Memory&callback=")); + LOG.info("/jmx?qry=java.lang:type=Memory&callback= RESULT: "+result); + assertTrue(!result.contains("
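Review bot: `encodeForJavaScript` escapes for a JavaScript string-literal context, but on the changed line the callback is emitted in function-identifier position, `writer.write(encodeJS(jsonpcb) + "(");`, so a hostile value becomes a syntax error in the client rather than a usable callback — the reflected-script problem is neutralized, but untrusted input is still echoed instead of rejected. The more precise control for a JSONP callback is an identifier allowlist: `private static final Pattern CALLBACK_PATTERN = Pattern.compile("[A-Za-z_$][A-Za-z0-9_$.]*");` and, before the write, `if (!CALLBACK_PATTERN.matcher(jsonpcb).matches()) { response.setStatus(HttpServletResponse.SC_BAD_REQUEST); return; }`, reusing the 400 path the method already takes at its end; whether a bare `return` is safe at that point depends on the writer handling outside this hunk, since the enclosing method begins before it. If the encoder is kept, the `encodeJS` helper added in the following hunk deserves a comment such as `// Callback is emitted as a JS identifier, not a string; encoding only prevents execution of injected content, it does not validate the name`, so the next maintainer does not read it as a full fix.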