HBASE-20406 HBase Thrift HTTP - Shouldn't handle TRACE/OPTIONS methods
Signed-off-by: Josh Elser <elserj@apache.org> Signed-off-by: Ted Yu <yuzhihong@gmail.com> Signed-off-by: Sean Busbey <busbey@apache.org>
This commit is contained in:
parent
1546613e76
commit
ddf8b2a2c4
|
@ -605,8 +605,6 @@ public class TestHttpServer extends HttpServerFunctionalTest {
|
||||||
myServer.stop();
|
myServer.stop();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
public void testNoCacheHeader() throws Exception {
|
public void testNoCacheHeader() throws Exception {
|
||||||
URL url = new URL(baseUrl, "/echo?a=b&c=d");
|
URL url = new URL(baseUrl, "/echo?a=b&c=d");
|
||||||
|
@ -619,4 +617,15 @@ public class TestHttpServer extends HttpServerFunctionalTest {
|
||||||
assertEquals(conn.getHeaderField("Expires"), conn.getHeaderField("Date"));
|
assertEquals(conn.getHeaderField("Expires"), conn.getHeaderField("Date"));
|
||||||
assertEquals("DENY", conn.getHeaderField("X-Frame-Options"));
|
assertEquals("DENY", conn.getHeaderField("X-Frame-Options"));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testHttpMethods() throws Exception {
|
||||||
|
// HTTP TRACE method should be disabled for security
|
||||||
|
// See https://www.owasp.org/index.php/Cross_Site_Tracing
|
||||||
|
URL url = new URL(baseUrl, "/echo?a=b");
|
||||||
|
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
|
||||||
|
conn.setRequestMethod("TRACE");
|
||||||
|
conn.connect();
|
||||||
|
assertEquals(HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode());
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -79,6 +79,7 @@ import org.apache.hadoop.hbase.filter.Filter;
|
||||||
import org.apache.hadoop.hbase.filter.ParseFilter;
|
import org.apache.hadoop.hbase.filter.ParseFilter;
|
||||||
import org.apache.hadoop.hbase.filter.PrefixFilter;
|
import org.apache.hadoop.hbase.filter.PrefixFilter;
|
||||||
import org.apache.hadoop.hbase.filter.WhileMatchFilter;
|
import org.apache.hadoop.hbase.filter.WhileMatchFilter;
|
||||||
|
import org.apache.hadoop.hbase.http.HttpServerUtil;
|
||||||
import org.apache.hadoop.hbase.log.HBaseMarkers;
|
import org.apache.hadoop.hbase.log.HBaseMarkers;
|
||||||
import org.apache.hadoop.hbase.security.SaslUtil;
|
import org.apache.hadoop.hbase.security.SaslUtil;
|
||||||
import org.apache.hadoop.hbase.security.SaslUtil.QualityOfProtection;
|
import org.apache.hadoop.hbase.security.SaslUtil.QualityOfProtection;
|
||||||
|
@ -445,6 +446,7 @@ public class ThriftServerRunner implements Runnable {
|
||||||
// Context handler
|
// Context handler
|
||||||
ServletContextHandler ctxHandler = new ServletContextHandler(httpServer, "/", ServletContextHandler.SESSIONS);
|
ServletContextHandler ctxHandler = new ServletContextHandler(httpServer, "/", ServletContextHandler.SESSIONS);
|
||||||
ctxHandler.addServlet(new ServletHolder(thriftHttpServlet), "/*");
|
ctxHandler.addServlet(new ServletHolder(thriftHttpServlet), "/*");
|
||||||
|
HttpServerUtil.constrainHttpMethods(ctxHandler);
|
||||||
|
|
||||||
// set up Jetty and run the embedded server
|
// set up Jetty and run the embedded server
|
||||||
HttpConfiguration httpConfig = new HttpConfiguration();
|
HttpConfiguration httpConfig = new HttpConfiguration();
|
||||||
|
|
|
@ -21,6 +21,8 @@ import static org.junit.Assert.assertFalse;
|
||||||
import static org.junit.Assert.assertNull;
|
import static org.junit.Assert.assertNull;
|
||||||
import static org.junit.Assert.fail;
|
import static org.junit.Assert.fail;
|
||||||
|
|
||||||
|
import java.net.HttpURLConnection;
|
||||||
|
import java.net.URL;
|
||||||
import java.util.ArrayList;
|
import java.util.ArrayList;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
import org.apache.hadoop.conf.Configuration;
|
import org.apache.hadoop.conf.Configuration;
|
||||||
|
@ -38,6 +40,7 @@ import org.apache.thrift.protocol.TProtocol;
|
||||||
import org.apache.thrift.transport.THttpClient;
|
import org.apache.thrift.transport.THttpClient;
|
||||||
import org.apache.thrift.transport.TTransportException;
|
import org.apache.thrift.transport.TTransportException;
|
||||||
import org.junit.AfterClass;
|
import org.junit.AfterClass;
|
||||||
|
import org.junit.Assert;
|
||||||
import org.junit.BeforeClass;
|
import org.junit.BeforeClass;
|
||||||
import org.junit.ClassRule;
|
import org.junit.ClassRule;
|
||||||
import org.junit.Rule;
|
import org.junit.Rule;
|
||||||
|
@ -171,8 +174,10 @@ public class TestThriftHttpServer {
|
||||||
Thread.sleep(100);
|
Thread.sleep(100);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
String url = "http://"+ HConstants.LOCALHOST + ":" + port;
|
||||||
try {
|
try {
|
||||||
talkToThriftServer(customHeaderSize);
|
checkHttpMethods(url);
|
||||||
|
talkToThriftServer(url, customHeaderSize);
|
||||||
} catch (Exception ex) {
|
} catch (Exception ex) {
|
||||||
clientSideException = ex;
|
clientSideException = ex;
|
||||||
} finally {
|
} finally {
|
||||||
|
@ -189,11 +194,19 @@ public class TestThriftHttpServer {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private void checkHttpMethods(String url) throws Exception {
|
||||||
|
// HTTP TRACE method should be disabled for security
|
||||||
|
// See https://www.owasp.org/index.php/Cross_Site_Tracing
|
||||||
|
HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
|
||||||
|
conn.setRequestMethod("TRACE");
|
||||||
|
conn.connect();
|
||||||
|
Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode());
|
||||||
|
}
|
||||||
|
|
||||||
private static volatile boolean tableCreated = false;
|
private static volatile boolean tableCreated = false;
|
||||||
|
|
||||||
private void talkToThriftServer(int customHeaderSize) throws Exception {
|
private void talkToThriftServer(String url, int customHeaderSize) throws Exception {
|
||||||
THttpClient httpClient = new THttpClient(
|
THttpClient httpClient = new THttpClient(url);
|
||||||
"http://"+ HConstants.LOCALHOST + ":" + port);
|
|
||||||
httpClient.open();
|
httpClient.open();
|
||||||
|
|
||||||
if (customHeaderSize > 0) {
|
if (customHeaderSize > 0) {
|
||||||
|
|
Loading…
Reference in New Issue