YARN-6352. Header injections are possible in application proxy servlet (Naganarasimha G R via Varun Saxena)

(cherry picked from commit 3fe7d36e72) Conflicts: hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/WebAppProxyServlet.java
2017-03-30 03:49:32 +05:30 · 2017-03-30 03:49:32 +05:30 · a2020024e2
parent ba3a726988
commit a2020024e2
2 changed files with 50 additions and 2 deletions
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/WebAppProxyServlet.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/WebAppProxyServlet.java
@ -49,6 +49,7 @@ import org.apache.hadoop.yarn.api.records.ApplicationReport;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.exceptions.ApplicationNotFoundException;
 import org.apache.hadoop.yarn.exceptions.YarnException;
 import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
 import org.apache.hadoop.yarn.server.webproxy.AppReportFetcher.AppReportSource;
 import org.apache.hadoop.yarn.server.webproxy.AppReportFetcher.FetchedAppReport;
 import org.apache.hadoop.yarn.util.Apps;
@ -327,8 +328,14 @@ public class WebAppProxyServlet extends HttpServlet {
      //parts[0] is empty because path info always starts with a /
      String appId = parts[1];
      String rest = parts.length > 2 ? parts[2] : "";
-      ApplicationId id = Apps.toAppID(appId);
+      ApplicationId id = null;
-      if(id == null) {
+      try {
        id = Apps.toAppID(appId);
      } catch (YarnRuntimeException e) {
        throw new YarnRuntimeException("Error parsing Application Id");
      }
      if (id == null) {
        LOG.warn("{} attempting to access {} that is invalid",
            remoteUser, appId);
        notFound(resp, appId + " appears to be formatted incorrectly.");
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/test/java/org/apache/hadoop/yarn/server/webproxy/TestWebAppProxyServlet.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/test/java/org/apache/hadoop/yarn/server/webproxy/TestWebAppProxyServlet.java
@ -358,6 +358,47 @@ public class TestWebAppProxyServlet {
    }
  }
  /**
   * Test header injections are not done.
   */
  @Test(timeout=5000)
  public void testWebAppProxyServerHeaderInjection() throws Exception {
    WebAppProxyServer mainServer = null;
    Configuration conf = new YarnConfiguration();
    conf.set(YarnConfiguration.PROXY_ADDRESS, "localhost:9099");
    try {
      mainServer = WebAppProxyServer.startServer(conf);
      int counter = 20;
      URL wrongUrl = new URL(
          "http://localhost:9099/proxy/%C4%8D%C4%8ASomeCustomInjectedHeader:%20"
          + "injected_headerVal_1484290871375_0113/");
      HttpURLConnection proxyConn = null;
      while (counter > 0) {
        counter--;
        try {
          proxyConn = (HttpURLConnection) wrongUrl.openConnection();
          proxyConn.connect();
          proxyConn.getResponseCode();
          // server started ok
          counter = 0;
        } catch (Exception e) {
          Thread.sleep(100);
        }
      }
      assertNotNull(proxyConn);
      // wrong application Id
      assertEquals(HttpURLConnection.HTTP_INTERNAL_ERROR,
          proxyConn.getResponseCode());
      assertTrue("Header injection happened",
          proxyConn.getHeaderField("SomeCustomInjectedHeader") == null);
    } finally {
      if (mainServer != null) {
        mainServer.stop();
      }
    }
  }
  private String readInputStream(InputStream input) throws Exception {
    ByteArrayOutputStream data = new ByteArrayOutputStream();
    byte[] buffer = new byte[512];