From d82ae421262b5adc242fd7e04d1c774cdb43e639 Mon Sep 17 00:00:00 2001 From: stack Date: Sat, 6 Feb 2016 05:17:29 -0800 Subject: [PATCH] Revert "HBASE-15122 Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER findbugs warnings (Samir Ahmic)" Revert mistaken commit. This reverts commit efc7a0d34749091d8efa623e7424956b72d3bb59. --- .../main/resources/supplemental-models.xml | 36 -- hbase-server/pom.xml | 11 - .../hadoop/hbase/http/jmx/JMXJsonServlet.java | 8 +- .../src/main/resources/ESAPI.properties | 431 ------------------ .../hbase/http/jmx/TestJMXJsonServlet.java | 6 - .../src/test/resources/ESAPI.properties | 431 ------------------ pom.xml | 1 - 7 files changed, 1 insertion(+), 923 deletions(-) delete mode 100644 hbase-server/src/main/resources/ESAPI.properties delete mode 100644 hbase-server/src/test/resources/ESAPI.properties diff --git a/hbase-resource-bundle/src/main/resources/supplemental-models.xml b/hbase-resource-bundle/src/main/resources/supplemental-models.xml index 764667cb60f..2f94226400e 100644 --- a/hbase-resource-bundle/src/main/resources/supplemental-models.xml +++ b/hbase-resource-bundle/src/main/resources/supplemental-models.xml @@ -61,24 +61,6 @@ under the License. - - - commons-beanutils - commons-beanutils-core - - - The Apache Software Foundation - http://www.apache.org/ - - - - Apache Software License, Version 2.0 - http://www.apache.org/licenses/LICENSE-2.0.txt - repo - - - - @@ -1213,22 +1195,4 @@ Copyright (c) 2007-2011 The JRuby project - - - xalan - xalan - - - The Apache Software Foundation - http://www.apache.org/ - - - - The Apache Software License, Version 2.0 - http://www.apache.org/licenses/LICENSE-2.0.txt - repo - - - - diff --git a/hbase-server/pom.xml b/hbase-server/pom.xml index d5f1e30c76b..3c2509407d1 100644 --- a/hbase-server/pom.xml +++ b/hbase-server/pom.xml @@ -561,17 +561,6 @@ bcprov-jdk16 test - - org.owasp.esapi - esapi - 2.1.0 - - - xercesImpl - xerces - - - diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/http/jmx/JMXJsonServlet.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/http/jmx/JMXJsonServlet.java index 14a19f6e2c1..45c2c151561 100644 --- a/hbase-server/src/main/java/org/apache/hadoop/hbase/http/jmx/JMXJsonServlet.java +++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/http/jmx/JMXJsonServlet.java @@ -35,7 +35,6 @@ import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.apache.hadoop.hbase.http.HttpServer; import org.apache.hadoop.hbase.util.JSONBean; -import org.owasp.esapi.ESAPI; /* * This servlet is based off of the JMXProxyServlet from Tomcat 7.0.14. It has @@ -168,7 +167,7 @@ public class JMXJsonServlet extends HttpServlet { jsonpcb = request.getParameter(CALLBACK_PARAM); if (jsonpcb != null) { response.setContentType("application/javascript; charset=utf8"); - writer.write(encodeJS(jsonpcb) + "("); + writer.write(jsonpcb + "("); } else { response.setContentType("application/json; charset=utf8"); } @@ -221,9 +220,4 @@ public class JMXJsonServlet extends HttpServlet { response.setStatus(HttpServletResponse.SC_BAD_REQUEST); } } - - private String encodeJS(String inputStr) { - return ESAPI.encoder().encodeForJavaScript(inputStr); - } - } diff --git a/hbase-server/src/main/resources/ESAPI.properties b/hbase-server/src/main/resources/ESAPI.properties deleted file mode 100644 index 907400189d8..00000000000 --- a/hbase-server/src/main/resources/ESAPI.properties +++ /dev/null @@ -1,431 +0,0 @@ -# -# OWASP Enterprise Security API (ESAPI) Properties file -- PRODUCTION Version -# -# This file is part of the Open Web Application Security Project (OWASP) -# Enterprise Security API (ESAPI) project. For details, please see -# http://www.owasp.org/index.php/ESAPI. -# -# Copyright (c) 2008,2009 - The OWASP Foundation -# -# DISCUSS: This may cause a major backwards compatibility issue, etc. but -# from a name space perspective, we probably should have prefaced -# all the property names with ESAPI or at least OWASP. Otherwise -# there could be problems is someone loads this properties file into -# the System properties. We could also put this file into the -# esapi.jar file (perhaps as a ResourceBundle) and then allow an external -# ESAPI properties be defined that would overwrite these defaults. -# That keeps the application's properties relatively simple as usually -# they will only want to override a few properties. If looks like we -# already support multiple override levels of this in the -# DefaultSecurityConfiguration class, but I'm suggesting placing the -# defaults in the esapi.jar itself. That way, if the jar is signed, -# we could detect if those properties had been tampered with. (The -# code to check the jar signatures is pretty simple... maybe 70-90 LOC, -# but off course there is an execution penalty (similar to the way -# that the separate sunjce.jar used to be when a class from it was -# first loaded). Thoughts? -############################################################################### -# -# WARNING: Operating system protection should be used to lock down the .esapi -# resources directory and all the files inside and all the directories all the -# way up to the root directory of the file system. Note that if you are using -# file-based implementations, that some files may need to be read-write as they -# get updated dynamically. -# -# Before using, be sure to update the MasterKey and MasterSalt as described below. -# N.B.: If you had stored data that you have previously encrypted with ESAPI 1.4, -# you *must* FIRST decrypt it using ESAPI 1.4 and then (if so desired) -# re-encrypt it with ESAPI 2.0. If you fail to do this, you will NOT be -# able to decrypt your data with ESAPI 2.0. -# -# YOU HAVE BEEN WARNED!!! More details are in the ESAPI 2.0 Release Notes. -# -#=========================================================================== -# ESAPI Configuration -# -# If true, then print all the ESAPI properties set here when they are loaded. -# If false, they are not printed. Useful to reduce output when running JUnit tests. -# If you need to troubleshoot a properties related problem, turning this on may help. -# This is 'false' in the src/test/resources/.esapi version. It is 'true' by -# default for reasons of backward compatibility with earlier ESAPI versions. -ESAPI.printProperties=true - -# ESAPI is designed to be easily extensible. You can use the reference implementation -# or implement your own providers to take advantage of your enterprise's security -# infrastructure. The functions in ESAPI are referenced using the ESAPI locator, like: -# -# String ciphertext = -# ESAPI.encryptor().encrypt("Secret message"); // Deprecated in 2.0 -# CipherText cipherText = -# ESAPI.encryptor().encrypt(new PlainText("Secret message")); // Preferred -# -# Below you can specify the classname for the provider that you wish to use in your -# application. The only requirement is that it implement the appropriate ESAPI interface. -# This allows you to switch security implementations in the future without rewriting the -# entire application. -# -# ExperimentalAccessController requires ESAPI-AccessControlPolicy.xml in .esapi directory -ESAPI.AccessControl=org.owasp.esapi.reference.DefaultAccessController -# FileBasedAuthenticator requires users.txt file in .esapi directory -ESAPI.Authenticator=org.owasp.esapi.reference.FileBasedAuthenticator -ESAPI.Encoder=org.owasp.esapi.reference.DefaultEncoder -ESAPI.Encryptor=org.owasp.esapi.reference.crypto.JavaEncryptor - -ESAPI.Executor=org.owasp.esapi.reference.DefaultExecutor -ESAPI.HTTPUtilities=org.owasp.esapi.reference.DefaultHTTPUtilities -ESAPI.IntrusionDetector=org.owasp.esapi.reference.DefaultIntrusionDetector -# Log4JFactory Requires log4j.xml or log4j.properties in classpath - http://www.laliluna.de/log4j-tutorial.html -ESAPI.Logger=org.owasp.esapi.reference.Log4JLogFactory -#ESAPI.Logger=org.owasp.esapi.reference.JavaLogFactory -ESAPI.Randomizer=org.owasp.esapi.reference.DefaultRandomizer -ESAPI.Validator=org.owasp.esapi.reference.DefaultValidator - -#=========================================================================== -# ESAPI Authenticator -# -Authenticator.AllowedLoginAttempts=3 -Authenticator.MaxOldPasswordHashes=13 -Authenticator.UsernameParameterName=username -Authenticator.PasswordParameterName=password -# RememberTokenDuration (in days) -Authenticator.RememberTokenDuration=14 -# Session Timeouts (in minutes) -Authenticator.IdleTimeoutDuration=20 -Authenticator.AbsoluteTimeoutDuration=120 - -#=========================================================================== -# ESAPI Encoder -# -# ESAPI canonicalizes input before validation to prevent bypassing filters with encoded attacks. -# Failure to canonicalize input is a very common mistake when implementing validation schemes. -# Canonicalization is automatic when using the ESAPI Validator, but you can also use the -# following code to canonicalize data. -# -# ESAPI.Encoder().canonicalize( "%22hello world"" ); -# -# Multiple encoding is when a single encoding format is applied multiple times, multiple -# different encoding formats are applied, or when multiple formats are nested. Allowing -# multiple encoding is strongly discouraged. -Encoder.AllowMultipleEncoding=false -# -# The default list of codecs to apply when canonicalizing untrusted data. The list should include the codecs -# for all downstream interpreters or decoders. For example, if the data is likely to end up in a URL, HTML, or -# inside JavaScript, then the list of codecs below is appropriate. The order of the list is not terribly important. -Encoder.DefaultCodecList=HTMLEntityCodec,PercentCodec,JavaScriptCodec - - -#=========================================================================== -# ESAPI Encryption -# -# The ESAPI Encryptor provides basic cryptographic functions with a simplified API. -# To get started, generate a new key using java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor -# There is not currently any support for key rotation, so be careful when changing your key and salt as it -# will invalidate all signed, encrypted, and hashed data. -# -# WARNING: Not all combinations of algorithms and key lengths are supported. -# If you choose to use a key length greater than 128, you MUST download the -# unlimited strength policy files and install in the lib directory of your JRE/JDK. -# See http://java.sun.com/javase/downloads/index.jsp for more information. -# -# Backward compatibility with ESAPI Java 1.4 is supported by the two deprecated API -# methods, Encryptor.encrypt(String) and Encryptor.decrypt(String). However, whenever -# possible, these methods should be avoided as they use ECB cipher mode, which in almost -# all circumstances a poor choice because of it's weakness. CBC cipher mode is the default -# for the new Encryptor encrypt / decrypt methods for ESAPI Java 2.0. In general, you -# should only use this compatibility setting if you have persistent data encrypted with -# version 1.4 and even then, you should ONLY set this compatibility mode UNTIL -# you have decrypted all of your old encrypted data and then re-encrypted it with -# ESAPI 2.0 using CBC mode. If you have some reason to mix the deprecated 1.4 mode -# with the new 2.0 methods, make sure that you use the same cipher algorithm for both -# (256-bit AES was the default for 1.4; 128-bit is the default for 2.0; see below for -# more details.) Otherwise, you will have to use the new 2.0 encrypt / decrypt methods -# where you can specify a SecretKey. (Note that if you are using the 256-bit AES, -# that requires downloading the special jurisdiction policy files mentioned above.) -# -# ***** IMPORTANT: Do NOT forget to replace these with your own values! ***** -# To calculate these values, you can run: -# java -classpath esapi.jar org.owasp.esapi.reference.crypto.JavaEncryptor -# -Encryptor.MasterKey= -Encryptor.MasterSalt= - -# Provides the default JCE provider that ESAPI will "prefer" for its symmetric -# encryption and hashing. (That is it will look to this provider first, but it -# will defer to other providers if the requested algorithm is not implemented -# by this provider.) If left unset, ESAPI will just use your Java VM's current -# preferred JCE provider, which is generally set in the file -# "$JAVA_HOME/jre/lib/security/java.security". -# -# The main intent of this is to allow ESAPI symmetric encryption to be -# used with a FIPS 140-2 compliant crypto-module. For details, see the section -# "Using ESAPI Symmetric Encryption with FIPS 140-2 Cryptographic Modules" in -# the ESAPI 2.0 Symmetric Encryption User Guide, at: -# http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/esapi4java-core-2.0-symmetric-crypto-user-guide.html -# However, this property also allows you to easily use an alternate JCE provider -# such as "Bouncy Castle" without having to make changes to "java.security". -# See Javadoc for SecurityProviderLoader for further details. If you wish to use -# a provider that is not known to SecurityProviderLoader, you may specify the -# fully-qualified class name of the JCE provider class that implements -# java.security.Provider. If the name contains a '.', this is interpreted as -# a fully-qualified class name that implements java.security.Provider. -# -# NOTE: Setting this property has the side-effect of changing it in your application -# as well, so if you are using JCE in your application directly rather than -# through ESAPI (you wouldn't do that, would you? ;-), it will change the -# preferred JCE provider there as well. -# -# Default: Keeps the JCE provider set to whatever JVM sets it to. -Encryptor.PreferredJCEProvider= - -# AES is the most widely used and strongest encryption algorithm. This -# should agree with your Encryptor.CipherTransformation property. -# By default, ESAPI Java 1.4 uses "PBEWithMD5AndDES" and which is -# very weak. It is essentially a password-based encryption key, hashed -# with MD5 around 1K times and then encrypted with the weak DES algorithm -# (56-bits) using ECB mode and an unspecified padding (it is -# JCE provider specific, but most likely "NoPadding"). However, 2.0 uses -# "AES/CBC/PKCSPadding". If you want to change these, change them here. -# Warning: This property does not control the default reference implementation for -# ESAPI 2.0 using JavaEncryptor. Also, this property will be dropped -# in the future. -# @deprecated -Encryptor.EncryptionAlgorithm=AES -# For ESAPI Java 2.0 - New encrypt / decrypt methods use this. -Encryptor.CipherTransformation=AES/CBC/PKCS5Padding - -# Applies to ESAPI 2.0 and later only! -# Comma-separated list of cipher modes that provide *BOTH* -# confidentiality *AND* message authenticity. (NIST refers to such cipher -# modes as "combined modes" so that's what we shall call them.) If any of these -# cipher modes are used then no MAC is calculated and stored -# in the CipherText upon encryption. Likewise, if one of these -# cipher modes is used with decryption, no attempt will be made -# to validate the MAC contained in the CipherText object regardless -# of whether it contains one or not. Since the expectation is that -# these cipher modes support support message authenticity already, -# injecting a MAC in the CipherText object would be at best redundant. -# -# Note that as of JDK 1.5, the SunJCE provider does not support *any* -# of these cipher modes. Of these listed, only GCM and CCM are currently -# NIST approved. YMMV for other JCE providers. E.g., Bouncy Castle supports -# GCM and CCM with "NoPadding" mode, but not with "PKCS5Padding" or other -# padding modes. -Encryptor.cipher_modes.combined_modes=GCM,CCM,IAPM,EAX,OCB,CWC - -# Applies to ESAPI 2.0 and later only! -# Additional cipher modes allowed for ESAPI 2.0 encryption. These -# cipher modes are in _addition_ to those specified by the property -# 'Encryptor.cipher_modes.combined_modes'. -# Note: We will add support for streaming modes like CFB & OFB once -# we add support for 'specified' to the property 'Encryptor.ChooseIVMethod' -# (probably in ESAPI 2.1). -# DISCUSS: Better name? -Encryptor.cipher_modes.additional_allowed=CBC - -# 128-bit is almost always sufficient and appears to be more resistant to -# related key attacks than is 256-bit AES. Use '_' to use default key size -# for cipher algorithms (where it makes sense because the algorithm supports -# a variable key size). Key length must agree to what's provided as the -# cipher transformation, otherwise this will be ignored after logging a -# warning. -# -# NOTE: This is what applies BOTH ESAPI 1.4 and 2.0. See warning above about mixing! -Encryptor.EncryptionKeyLength=128 - -# Because 2.0 uses CBC mode by default, it requires an initialization vector (IV). -# (All cipher modes except ECB require an IV.) There are two choices: we can either -# use a fixed IV known to both parties or allow ESAPI to choose a random IV. While -# the IV does not need to be hidden from adversaries, it is important that the -# adversary not be allowed to choose it. Also, random IVs are generally much more -# secure than fixed IVs. (In fact, it is essential that feed-back cipher modes -# such as CFB and OFB use a different IV for each encryption with a given key so -# in such cases, random IVs are much preferred. By default, ESAPI 2.0 uses random -# IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and -# uncomment the Encryptor.fixedIV. -# -# Valid values: random|fixed|specified 'specified' not yet implemented; planned for 2.1 -Encryptor.ChooseIVMethod=random -# If you choose to use a fixed IV, then you must place a fixed IV here that -# is known to all others who are sharing your secret key. The format should -# be a hex string that is the same length as the cipher block size for the -# cipher algorithm that you are using. The following is an example for AES -# from an AES test vector for AES-128/CBC as described in: -# NIST Special Publication 800-38A (2001 Edition) -# "Recommendation for Block Cipher Modes of Operation". -# (Note that the block size for AES is 16 bytes == 128 bits.) -# -Encryptor.fixedIV=0x000102030405060708090a0b0c0d0e0f - -# Whether or not CipherText should use a message authentication code (MAC) with it. -# This prevents an adversary from altering the IV as well as allowing a more -# fool-proof way of determining the decryption failed because of an incorrect -# key being supplied. This refers to the "separate" MAC calculated and stored -# in CipherText, not part of any MAC that is calculated as a result of a -# "combined mode" cipher mode. -# -# If you are using ESAPI with a FIPS 140-2 cryptographic module, you *must* also -# set this property to false. -Encryptor.CipherText.useMAC=true - -# Whether or not the PlainText object may be overwritten and then marked -# eligible for garbage collection. If not set, this is still treated as 'true'. -Encryptor.PlainText.overwrite=true - -# Do not use DES except in a legacy situations. 56-bit is way too small key size. -#Encryptor.EncryptionKeyLength=56 -#Encryptor.EncryptionAlgorithm=DES - -# TripleDES is considered strong enough for most purposes. -# Note: There is also a 112-bit version of DESede. Using the 168-bit version -# requires downloading the special jurisdiction policy from Sun. -#Encryptor.EncryptionKeyLength=168 -#Encryptor.EncryptionAlgorithm=DESede - -Encryptor.HashAlgorithm=SHA-512 -Encryptor.HashIterations=1024 -Encryptor.DigitalSignatureAlgorithm=SHA1withDSA -Encryptor.DigitalSignatureKeyLength=1024 -Encryptor.RandomAlgorithm=SHA1PRNG -Encryptor.CharacterEncoding=UTF-8 - - -#=========================================================================== -# ESAPI HttpUtilties -# -# The HttpUtilities provide basic protections to HTTP requests and responses. Primarily these methods -# protect against malicious data from attackers, such as unprintable characters, escaped characters, -# and other simple attacks. The HttpUtilities also provides utility methods for dealing with cookies, -# headers, and CSRF tokens. -# -# Default file upload location (remember to escape backslashes with \\) -HttpUtilities.UploadDir=C:\\ESAPI\\testUpload -HttpUtilities.UploadTempDir=C:\\temp -# Force flags on cookies, if you use HttpUtilities to set cookies -HttpUtilities.ForceHttpOnlySession=false -HttpUtilities.ForceSecureSession=false -HttpUtilities.ForceHttpOnlyCookies=true -HttpUtilities.ForceSecureCookies=true -# Maximum size of HTTP headers -HttpUtilities.MaxHeaderSize=4096 -# File upload configuration -HttpUtilities.ApprovedUploadExtensions=.zip,.pdf,.doc,.docx,.ppt,.pptx,.tar,.gz,.tgz,.rar,.war,.jar,.ear,.xls,.rtf,.properties,.java,.class,.txt,.xml,.jsp,.jsf,.exe,.dll -HttpUtilities.MaxUploadFileBytes=500000000 -# Using UTF-8 throughout your stack is highly recommended. That includes your database driver, -# container, and any other technologies you may be using. Failure to do this may expose you -# to Unicode transcoding injection attacks. Use of UTF-8 does not hinder internationalization. -HttpUtilities.ResponseContentType=text/html; charset=UTF-8 - - - -#=========================================================================== -# ESAPI Executor -# CHECKME - Not sure what this is used for, but surely it should be made OS independent. -Executor.WorkingDirectory=C:\\Windows\\Temp -Executor.ApprovedExecutables=C:\\Windows\\System32\\cmd.exe,C:\\Windows\\System32\\runas.exe - - -#=========================================================================== -# ESAPI Logging -# Set the application name if these logs are combined with other applications -Logger.ApplicationName=ExampleApplication -# If you use an HTML log viewer that does not properly HTML escape log data, you can set LogEncodingRequired to true -Logger.LogEncodingRequired=false -# Determines whether ESAPI should log the application name. This might be clutter in some single-server/single-app environments. -Logger.LogApplicationName=true -# Determines whether ESAPI should log the server IP and port. This might be clutter in some single-server environments. -Logger.LogServerIP=true -# LogFileName, the name of the logging file. Provide a full directory path (e.g., C:\\ESAPI\\ESAPI_logging_file) if you -# want to place it in a specific directory. -Logger.LogFileName=ESAPI_logging_file -# MaxLogFileSize, the max size (in bytes) of a single log file before it cuts over to a new one (default is 10,000,000) -Logger.MaxLogFileSize=10000000 - - -#=========================================================================== -# ESAPI Intrusion Detection -# -# Each event has a base to which .count, .interval, and .action are added -# The IntrusionException will fire if we receive "count" events within "interval" seconds -# The IntrusionDetector is configurable to take the following actions: log, logout, and disable -# (multiple actions separated by commas are allowed e.g. event.test.actions=log,disable -# -# Custom Events -# Names must start with "event." as the base -# Use IntrusionDetector.addEvent( "test" ) in your code to trigger "event.test" here -# You can also disable intrusion detection completely by changing -# the following parameter to true -# -IntrusionDetector.Disable=false -# -IntrusionDetector.event.test.count=2 -IntrusionDetector.event.test.interval=10 -IntrusionDetector.event.test.actions=disable,log - -# Exception Events -# All EnterpriseSecurityExceptions are registered automatically -# Call IntrusionDetector.getInstance().addException(e) for Exceptions that do not extend EnterpriseSecurityException -# Use the fully qualified classname of the exception as the base - -# any intrusion is an attack -IntrusionDetector.org.owasp.esapi.errors.IntrusionException.count=1 -IntrusionDetector.org.owasp.esapi.errors.IntrusionException.interval=1 -IntrusionDetector.org.owasp.esapi.errors.IntrusionException.actions=log,disable,logout - -# for test purposes -# CHECKME: Shouldn't there be something in the property name itself that designates -# that these are for testing??? -IntrusionDetector.org.owasp.esapi.errors.IntegrityException.count=10 -IntrusionDetector.org.owasp.esapi.errors.IntegrityException.interval=5 -IntrusionDetector.org.owasp.esapi.errors.IntegrityException.actions=log,disable,logout - -# rapid validation errors indicate scans or attacks in progress -# org.owasp.esapi.errors.ValidationException.count=10 -# org.owasp.esapi.errors.ValidationException.interval=10 -# org.owasp.esapi.errors.ValidationException.actions=log,logout - -# sessions jumping between hosts indicates session hijacking -IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.count=2 -IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.interval=10 -IntrusionDetector.org.owasp.esapi.errors.AuthenticationHostException.actions=log,logout - - -#=========================================================================== -# ESAPI Validation -# -# The ESAPI Validator works on regular expressions with defined names. You can define names -# either here, or you may define application specific patterns in a separate file defined below. -# This allows enterprises to specify both organizational standards as well as application specific -# validation rules. -# -Validator.ConfigurationFile=validation.properties - -# Validators used by ESAPI -Validator.AccountName=^[a-zA-Z0-9]{3,20}$ -Validator.SystemCommand=^[a-zA-Z\\-\\/]{1,64}$ -Validator.RoleName=^[a-z]{1,20}$ - -#the word TEST below should be changed to your application -#name - only relative URL's are supported -Validator.Redirect=^\\/test.*$ - -# Global HTTP Validation Rules -# Values with Base64 encoded data (e.g. encrypted state) will need at least [a-zA-Z0-9\/+=] -Validator.HTTPScheme=^(http|https)$ -Validator.HTTPServerName=^[a-zA-Z0-9_.\\-]*$ -Validator.HTTPParameterName=^[a-zA-Z0-9_]{1,32}$ -Validator.HTTPParameterValue=^[a-zA-Z0-9.\\-\\/+=_ ]*$ -Validator.HTTPCookieName=^[a-zA-Z0-9\\-_]{1,32}$ -Validator.HTTPCookieValue=^[a-zA-Z0-9\\-\\/+=_ ]*$ -Validator.HTTPHeaderName=^[a-zA-Z0-9\\-_]{1,32}$ -Validator.HTTPHeaderValue=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ -Validator.HTTPContextPath=^[a-zA-Z0-9.\\-\\/_]*$ -Validator.HTTPServletPath=^[a-zA-Z0-9.\\-\\/_]*$ -Validator.HTTPPath=^[a-zA-Z0-9.\\-_]*$ -Validator.HTTPQueryString=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ %]*$ -Validator.HTTPURI=^[a-zA-Z0-9()\\-=\\*\\.\\?;,+\\/:&_ ]*$ -Validator.HTTPURL=^.*$ -Validator.HTTPJSESSIONID=^[A-Z0-9]{10,30}$ - -# Validation of file related input -Validator.FileName=^[a-zA-Z0-9!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$ -Validator.DirectoryName=^[a-zA-Z0-9:/\\\\!@#$%^&{}\\[\\]()_+\\-=,.~'` ]{1,255}$ diff --git a/hbase-server/src/test/java/org/apache/hadoop/hbase/http/jmx/TestJMXJsonServlet.java b/hbase-server/src/test/java/org/apache/hadoop/hbase/http/jmx/TestJMXJsonServlet.java index baeaf89a41c..031ddce8bf0 100644 --- a/hbase-server/src/test/java/org/apache/hadoop/hbase/http/jmx/TestJMXJsonServlet.java +++ b/hbase-server/src/test/java/org/apache/hadoop/hbase/http/jmx/TestJMXJsonServlet.java @@ -105,11 +105,5 @@ public class TestJMXJsonServlet extends HttpServerFunctionalTest { assertReFind("\"committed\"\\s*:", result); assertReFind("\\}\\);$", result); - // test to get XSS JSONP result - result = readOutput(new URL(baseUrl, "/jmx?qry=java.lang:type=Memory&callback=")); - LOG.info("/jmx?qry=java.lang:type=Memory&callback= RESULT: "+result); - assertTrue(!result.contains("