HDFS-15320. StringIndexOutOfBoundsException in HostRestrictingAuthorizationFilter (#1992)

Signed-off-by: Mingliang Liu <liuml07@apache.org>
2020-05-03 05:02:27 +09:00 · 2020-05-03 05:02:27 +09:00 · e32e1384d9
parent 0f27c04c23
commit e32e1384d9
2 changed files with 33 additions and 3 deletions
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/HostRestrictingAuthorizationFilter.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/HostRestrictingAuthorizationFilter.java
@ -229,9 +229,14 @@ public class HostRestrictingAuthorizationFilter implements Filter {
      throws IOException, ServletException {
    final String address = interaction.getRemoteAddr();
    final String query = interaction.getQueryString();
-    final String path =
-        interaction.getRequestURI()
-            .substring(WebHdfsFileSystem.PATH_PREFIX.length());
+    final String uri = interaction.getRequestURI();
+    if (!uri.startsWith(WebHdfsFileSystem.PATH_PREFIX)) {
+      LOG.trace("Rejecting interaction; wrong URI: {}", uri);
+      interaction.sendError(HttpServletResponse.SC_NOT_FOUND,
+          "The request URI must start with " + WebHdfsFileSystem.PATH_PREFIX);
+      return;
+    }
+    final String path = uri.substring(WebHdfsFileSystem.PATH_PREFIX.length());
    String user = interaction.getRemoteUser();

    LOG.trace("Got request user: {}, remoteIp: {}, query: {}, path: {}",
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/common/TestHostRestrictingAuthorizationFilter.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/common/TestHostRestrictingAuthorizationFilter.java
@ -243,6 +243,31 @@ public class TestHostRestrictingAuthorizationFilter {
    filter.destroy();
  }

+  /**
+   * Test acceptable behavior to malformed requests
+   * Case: the request URI does not start with "/webhdfs/v1"
+   */
+  @Test
+  public void testInvalidURI() throws Exception {
+    HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+    Mockito.when(request.getMethod()).thenReturn("GET");
+    Mockito.when(request.getRequestURI()).thenReturn("/InvalidURI");
+    HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
+
+    Filter filter = new HostRestrictingAuthorizationFilter();
+    HashMap<String, String> configs = new HashMap<String, String>() {};
+    configs.put(AuthenticationFilter.AUTH_TYPE, "simple");
+    FilterConfig fc = new DummyFilterConfig(configs);
+
+    filter.init(fc);
+    filter.doFilter(request, response,
+        (servletRequest, servletResponse) -> {});
+    Mockito.verify(response, Mockito.times(1))
+        .sendError(Mockito.eq(HttpServletResponse.SC_NOT_FOUND),
+                   Mockito.anyString());
+    filter.destroy();
+  }
+
  private static class DummyFilterConfig implements FilterConfig {
    final Map<String, String> map;