HDDS-2158. Fixing Json Injection Issue in JsonUtils. (#1486)

Hanisha Koneru 2019-10-04 12:52:29 -07:00 committed by GitHub
parent f3eaa84f9d
commit 8de4374427
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
18 changed files with 34 additions and 47 deletions


@ -54,7 +54,7 @@ public class ContainerInfo implements Comparator<ContainerInfo>,
mapper.setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY);
mapper
.setVisibility(PropertyAccessor.GETTER, JsonAutoDetect.Visibility.NONE);
WRITER = mapper.writer();
WRITER = mapper.writerWithDefaultPrettyPrinter();
}
private HddsProtos.LifeCycleState state;
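Review bot: Switching the shared static `WRITER` to `mapper.writerWithDefaultPrettyPrinter()` changes the output of everything that serializes through it, not only the ListSubcommand path this commit touches, and the assignment has no comment recording that. If any caller outside this page stores, compares or transmits that output, it now receives multi-line JSON, so the callers are worth checking. A comment on the assignment such as `// Pretty-printed: intended for CLI display` would record the intent, if that is the intent. The static initializer starts outside the hunk.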


@ -43,10 +43,9 @@ public final class JsonUtils {
// Never constructed
}
public static String toJsonStringWithDefaultPrettyPrinter(String jsonString)
public static String toJsonStringWithDefaultPrettyPrinter(Object obj)
throws IOException {
Object json = READER.readValue(jsonString);
return WRITTER.writeValueAsString(json);
return WRITTER.writeValueAsString(obj);
}
public static String toJsonString(Object obj) throws IOException {
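Review bot: `toJsonStringWithDefaultPrettyPrinter(Object obj)` has no Javadoc saying that the argument is now serialized rather than parsed. Because a `String` is an `Object`, any caller not updated by this commit that still passes pre-serialized JSON will compile and silently print one escaped JSON string literal instead of the structure. A comment such as `/** Serializes obj as pretty-printed JSON; a String argument is written as a quoted JSON string and is never parsed. */` makes that contract explicit. GetTokenHandler and PrintTokenHandler on this page pass Strings and depend on that behaviour. If `READER` has no remaining user (not visible here), it can be removed with this change.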


@ -24,7 +24,6 @@ import java.util.concurrent.Callable;
import org.apache.hadoop.hdds.cli.HddsVersionProvider;
import org.apache.hadoop.hdds.scm.client.ScmClient;
import org.apache.hadoop.hdds.scm.container.ContainerInfo;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@ -61,8 +60,7 @@ public class ListSubcommand implements Callable<Void> {
private void outputContainerInfo(ContainerInfo containerInfo)
throws IOException {
// Print container report info.
LOG.info("{}", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
containerInfo.toJsonString()));
LOG.info("{}", containerInfo.toJsonString());
}
@Override


@ -29,8 +29,7 @@ public final class ObjectPrinter {
}
public static String getObjectAsJson(Object o) throws IOException {
return JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString(o));
return JsonUtils.toJsonStringWithDefaultPrettyPrinter(o);
}
public static void printObjectAsJson(Object o) throws IOException {


@ -24,7 +24,6 @@ import org.apache.hadoop.ozone.security.acl.OzoneObjInfo;
import org.apache.hadoop.ozone.web.ozShell.Handler;
import org.apache.hadoop.ozone.web.ozShell.OzoneAddress;
import org.apache.hadoop.ozone.web.ozShell.Shell;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import picocli.CommandLine;
import picocli.CommandLine.Command;
import picocli.CommandLine.Parameters;
@ -92,8 +91,8 @@ public class AddAclBucketHandler extends Handler {
boolean result = client.getObjectStore().addAcl(obj,
OzoneAcl.parseAcl(acl));
System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString("Acl set successfully: " + result)));
System.out.printf("%s%n", "Acl added successfully: " + result);
client.close();
return null;
}
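Review bot: The new `printf` line prints `Acl added successfully: false` when `addAcl` returns false, and the method still ends with `return null`, so a failed access-control change reads like a success. As far as the hunk shows, it is also not reflected in the command's result. Wording that does not assert success, for example `"ACL added: " + result`, or a separate message for the false case, would make failures visible to operators and scripts. The same pattern is in RemoveAclBucketHandler, SetAclBucketHandler and the Key and Volume variants of all three. These commands also now emit plain text while the GetAcl handlers still emit JSON, which is worth stating in the release notes for anyone parsing the output. `call()` starts outside the hunk.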


@ -75,8 +75,8 @@ public class GetAclBucketHandler extends Handler {
List<OzoneAcl> result = client.getObjectStore().getAcl(obj);
System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString(result)));
System.out.printf("%s%n",
JsonUtils.toJsonStringWithDefaultPrettyPrinter(result));
client.close();
return null;
}
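Review bot: `client.close()` sits after the `getAcl` call and the `printf`, so the client is left open if `getAcl` or the JSON serialization throws. If `OzoneClient` is `Closeable`, creating it as `try (OzoneClient client = address.createClient(createOzoneConfiguration())) {` closes it on every path; the creation line is outside this hunk. The same ordering appears in the Add, Remove and Set ACL handlers and in GetAclKeyHandler and GetAclVolumeHandler.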


@ -24,7 +24,6 @@ import org.apache.hadoop.ozone.security.acl.OzoneObjInfo;
import org.apache.hadoop.ozone.web.ozShell.Handler;
import org.apache.hadoop.ozone.web.ozShell.OzoneAddress;
import org.apache.hadoop.ozone.web.ozShell.Shell;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import picocli.CommandLine;
import picocli.CommandLine.Command;
import picocli.CommandLine.Parameters;
@ -68,7 +67,7 @@ public class RemoveAclBucketHandler extends Handler {
*/
@Override
public Void call() throws Exception {
Objects.requireNonNull(acl, "New acl to be added not specified.");
Objects.requireNonNull(acl, "ACL to be removed not specified.");
OzoneAddress address = new OzoneAddress(uri);
address.ensureBucketAddress();
OzoneClient client = address.createClient(createOzoneConfiguration());
@ -92,8 +91,8 @@ public class RemoveAclBucketHandler extends Handler {
boolean result = client.getObjectStore().removeAcl(obj,
OzoneAcl.parseAcl(acl));
System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString("Acl removed successfully: " + result)));
System.out.printf("%s%n", "Acl removed successfully: " + result);
client.close();
return null;
}


@ -24,7 +24,6 @@ import org.apache.hadoop.ozone.security.acl.OzoneObjInfo;
import org.apache.hadoop.ozone.web.ozShell.Handler;
import org.apache.hadoop.ozone.web.ozShell.OzoneAddress;
import org.apache.hadoop.ozone.web.ozShell.Shell;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import picocli.CommandLine;
import picocli.CommandLine.Command;
import picocli.CommandLine.Parameters;
@ -92,8 +91,8 @@ public class SetAclBucketHandler extends Handler {
boolean result = client.getObjectStore().setAcl(obj,
OzoneAcl.parseAcls(acls));
System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString("Acl set successfully: " + result)));
System.out.printf("%s%n", "Acl set successfully: " + result);
client.close();
return null;
}


@ -24,7 +24,6 @@ import org.apache.hadoop.ozone.security.acl.OzoneObjInfo;
import org.apache.hadoop.ozone.web.ozShell.Handler;
import org.apache.hadoop.ozone.web.ozShell.OzoneAddress;
import org.apache.hadoop.ozone.web.ozShell.Shell;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import picocli.CommandLine;
import picocli.CommandLine.Command;
import picocli.CommandLine.Parameters;
@ -95,8 +94,8 @@ public class AddAclKeyHandler extends Handler {
boolean result = client.getObjectStore().addAcl(obj,
OzoneAcl.parseAcl(acl));
System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString("Acl set successfully: " + result)));
System.out.printf("%s%n", "Acl added successfully: " + result);
client.close();
return null;
}


@ -78,8 +78,8 @@ public class GetAclKeyHandler extends Handler {
List<OzoneAcl> result = client.getObjectStore().getAcl(obj);
System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString(result)));
System.out.printf("%s%n",
JsonUtils.toJsonStringWithDefaultPrettyPrinter(result));
client.close();
return null;
}


@ -24,7 +24,6 @@ import org.apache.hadoop.ozone.security.acl.OzoneObjInfo;
import org.apache.hadoop.ozone.web.ozShell.Handler;
import org.apache.hadoop.ozone.web.ozShell.OzoneAddress;
import org.apache.hadoop.ozone.web.ozShell.Shell;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import picocli.CommandLine;
import picocli.CommandLine.Command;
import picocli.CommandLine.Parameters;
@ -68,7 +67,7 @@ public class RemoveAclKeyHandler extends Handler {
*/
@Override
public Void call() throws Exception {
Objects.requireNonNull(acl, "New acl to be added not specified.");
Objects.requireNonNull(acl, "ACL to be removed not specified.");
OzoneAddress address = new OzoneAddress(uri);
address.ensureKeyAddress();
OzoneClient client = address.createClient(createOzoneConfiguration());
@ -95,8 +94,8 @@ public class RemoveAclKeyHandler extends Handler {
boolean result = client.getObjectStore().removeAcl(obj,
OzoneAcl.parseAcl(acl));
System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString("Acl set successfully: " + result)));
System.out.printf("%s%n", "Acl removed successfully: " + result);
client.close();
return null;
}


@ -24,7 +24,6 @@ import org.apache.hadoop.ozone.security.acl.OzoneObjInfo;
import org.apache.hadoop.ozone.web.ozShell.Handler;
import org.apache.hadoop.ozone.web.ozShell.OzoneAddress;
import org.apache.hadoop.ozone.web.ozShell.Shell;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import picocli.CommandLine;
import picocli.CommandLine.Command;
import picocli.CommandLine.Parameters;
@ -94,8 +93,8 @@ public class SetAclKeyHandler extends Handler {
boolean result = client.getObjectStore().setAcl(obj,
OzoneAcl.parseAcls(acls));
System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString("Acl set successfully: " + result)));
System.out.printf("%s%n", "Acl set successfully: " + result);
client.close();
return null;
}


@ -71,7 +71,7 @@ public class GetTokenHandler extends Handler {
}
System.out.printf("%s", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString(token.encodeToUrlString())));
token.encodeToUrlString()));
return null;
}
}


@ -65,7 +65,7 @@ public class PrintTokenHandler extends Handler {
token.decodeFromUrlString(encodedToken);
System.out.printf("%s", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString(token.toString())));
token.toString()));
return null;
}
}


@ -24,7 +24,6 @@ import org.apache.hadoop.ozone.security.acl.OzoneObjInfo;
import org.apache.hadoop.ozone.web.ozShell.Handler;
import org.apache.hadoop.ozone.web.ozShell.OzoneAddress;
import org.apache.hadoop.ozone.web.ozShell.Shell;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import picocli.CommandLine;
import picocli.CommandLine.Command;
import picocli.CommandLine.Parameters;
@ -89,8 +88,8 @@ public class AddAclVolumeHandler extends Handler {
boolean result = client.getObjectStore().addAcl(obj,
OzoneAcl.parseAcl(acl));
System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString("Acl set successfully: " + result)));
System.out.printf("%s%n", "Acl added successfully: " + result);
client.close();
return null;
}


@ -69,8 +69,8 @@ public class GetAclVolumeHandler extends Handler {
OzoneObj.StoreType.valueOf(storeType))
.build();
List<OzoneAcl> result = client.getObjectStore().getAcl(obj);
System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString(result)));
System.out.printf("%s%n",
JsonUtils.toJsonStringWithDefaultPrettyPrinter(result));
client.close();
return null;
}


@ -24,7 +24,6 @@ import org.apache.hadoop.ozone.security.acl.OzoneObjInfo;
import org.apache.hadoop.ozone.web.ozShell.Handler;
import org.apache.hadoop.ozone.web.ozShell.OzoneAddress;
import org.apache.hadoop.ozone.web.ozShell.Shell;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import picocli.CommandLine;
import picocli.CommandLine.Command;
import picocli.CommandLine.Parameters;
@ -68,7 +67,7 @@ public class RemoveAclVolumeHandler extends Handler {
*/
@Override
public Void call() throws Exception {
Objects.requireNonNull(acl, "New acl to be added not specified.");
Objects.requireNonNull(acl, "ACL to be removed not specified.");
OzoneAddress address = new OzoneAddress(uri);
address.ensureVolumeAddress();
OzoneClient client = address.createClient(createOzoneConfiguration());
@ -89,8 +88,8 @@ public class RemoveAclVolumeHandler extends Handler {
boolean result = client.getObjectStore().removeAcl(obj,
OzoneAcl.parseAcl(acl));
System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString("Acl removed successfully: " + result)));
System.out.printf("%s%n", "Acl removed successfully: " + result);
client.close();
return null;
}


@ -24,7 +24,6 @@ import org.apache.hadoop.ozone.security.acl.OzoneObjInfo;
import org.apache.hadoop.ozone.web.ozShell.Handler;
import org.apache.hadoop.ozone.web.ozShell.OzoneAddress;
import org.apache.hadoop.ozone.web.ozShell.Shell;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import picocli.CommandLine;
import picocli.CommandLine.Command;
import picocli.CommandLine.Parameters;
@ -92,8 +91,8 @@ public class SetAclVolumeHandler extends Handler {
boolean result = client.getObjectStore().setAcl(obj,
OzoneAcl.parseAcls(acls));
System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString("Acl set successfully: " + result)));
System.out.printf("%s%n", "Acl set successfully: " + result);
client.close();
return null;
}