HBASE-20406 HBase Thrift HTTP - Shouldn't handle TRACE/OPTIONS methods

Signed-off-by: Josh Elser <elserj@apache.org>
Signed-off-by: Ted Yu <yuzhihong@gmail.com>
Signed-off-by: Sean Busbey <busbey@apache.org>
This commit is contained in:
Kevin Risden 2018-04-12 21:08:15 -05:00 committed by Sean Busbey
parent 1546613e76
commit ddf8b2a2c4
3 changed files with 30 additions and 6 deletions

View File

@ -605,8 +605,6 @@ public class TestHttpServer extends HttpServerFunctionalTest {
myServer.stop();
}
@Test
public void testNoCacheHeader() throws Exception {
URL url = new URL(baseUrl, "/echo?a=b&c=d");
@ -619,4 +617,15 @@ public class TestHttpServer extends HttpServerFunctionalTest {
assertEquals(conn.getHeaderField("Expires"), conn.getHeaderField("Date"));
assertEquals("DENY", conn.getHeaderField("X-Frame-Options"));
}
@Test
public void testHttpMethods() throws Exception {
// HTTP TRACE method should be disabled for security
// See https://www.owasp.org/index.php/Cross_Site_Tracing
URL url = new URL(baseUrl, "/echo?a=b");
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
conn.setRequestMethod("TRACE");
conn.connect();
assertEquals(HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode());
}
}

View File

@ -79,6 +79,7 @@ import org.apache.hadoop.hbase.filter.Filter;
import org.apache.hadoop.hbase.filter.ParseFilter;
import org.apache.hadoop.hbase.filter.PrefixFilter;
import org.apache.hadoop.hbase.filter.WhileMatchFilter;
import org.apache.hadoop.hbase.http.HttpServerUtil;
import org.apache.hadoop.hbase.log.HBaseMarkers;
import org.apache.hadoop.hbase.security.SaslUtil;
import org.apache.hadoop.hbase.security.SaslUtil.QualityOfProtection;
@ -445,6 +446,7 @@ public class ThriftServerRunner implements Runnable {
// Context handler
ServletContextHandler ctxHandler = new ServletContextHandler(httpServer, "/", ServletContextHandler.SESSIONS);
ctxHandler.addServlet(new ServletHolder(thriftHttpServlet), "/*");
HttpServerUtil.constrainHttpMethods(ctxHandler);
// set up Jetty and run the embedded server
HttpConfiguration httpConfig = new HttpConfiguration();

View File

@ -21,6 +21,8 @@ import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.fail;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import org.apache.hadoop.conf.Configuration;
@ -38,6 +40,7 @@ import org.apache.thrift.protocol.TProtocol;
import org.apache.thrift.transport.THttpClient;
import org.apache.thrift.transport.TTransportException;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Rule;
@ -171,8 +174,10 @@ public class TestThriftHttpServer {
Thread.sleep(100);
}
String url = "http://"+ HConstants.LOCALHOST + ":" + port;
try {
talkToThriftServer(customHeaderSize);
checkHttpMethods(url);
talkToThriftServer(url, customHeaderSize);
} catch (Exception ex) {
clientSideException = ex;
} finally {
@ -189,11 +194,19 @@ public class TestThriftHttpServer {
}
}
private void checkHttpMethods(String url) throws Exception {
// HTTP TRACE method should be disabled for security
// See https://www.owasp.org/index.php/Cross_Site_Tracing
HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
conn.setRequestMethod("TRACE");
conn.connect();
Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode());
}
private static volatile boolean tableCreated = false;
private void talkToThriftServer(int customHeaderSize) throws Exception {
THttpClient httpClient = new THttpClient(
"http://"+ HConstants.LOCALHOST + ":" + port);
private void talkToThriftServer(String url, int customHeaderSize) throws Exception {
THttpClient httpClient = new THttpClient(url);
httpClient.open();
if (customHeaderSize > 0) {