HBase Thrift HTTP - Shouldn't handle TRACE/OPTIONS methods

Signed-off-by: Josh Elser <elserj@apache.org>
Signed-off-by: Ted Yu <yuzhihong@gmail.com>
Signed-off-by: Sean Busbey <busbey@apache.org>

 Conflicts:
	hbase-server/src/test/java/org/apache/hadoop/hbase/http/TestHttpServer.java
	hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
Kevin Risden 2018-04-12 21:08:15 -05:00 committed by Sean Busbey
parent 59d9e0f407
commit fe84833ea2
3 changed files with 30 additions and 6 deletions


@ -608,8 +608,6 @@ public class TestHttpServer extends HttpServerFunctionalTest {
myServer.stop(); myServer.stop();
} }
@Test @Test
public void testNoCacheHeader() throws Exception { public void testNoCacheHeader() throws Exception {
URL url = new URL(baseUrl, "/echo?a=b&c=d"); URL url = new URL(baseUrl, "/echo?a=b&c=d");
@ -634,4 +632,15 @@ public class TestHttpServer extends HttpServerFunctionalTest {
.build(); .build();
s.stop(); s.stop();
} }
@Test
public void testHttpMethods() throws Exception {
// HTTP TRACE method should be disabled for security
// See https://www.owasp.org/index.php/Cross_Site_Tracing
URL url = new URL(baseUrl, "/echo?a=b");
HttpURLConnection conn = (HttpURLConnection) url.openConnection();
conn.setRequestMethod("TRACE");
conn.connect();
assertEquals(HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode());
}
} }
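Review bot: testHttpMethods only sends TRACE, so the OPTIONS half of the commit title ("TRACE/OPTIONS") is left untested; if the constraint is meant to reject both, the same connect/assert should run for OPTIONS as well, e.g. by wrapping it in `for (String method : new String[] {"TRACE", "OPTIONS"})` and passing `method` to `setRequestMethod`. Whether OPTIONS is actually rejected is not visible in this hunk — confirm against the server-side constraint before adding the second case. The HttpURLConnection is also never released; putting the assert in `try { ... } finally { conn.disconnect(); }` keeps the test from holding a connection to the test server after it passes.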


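--- a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
+++ b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
@@ -100,6 +100,7 @@ import org.apache.hadoop.hbase.thrift.generated.TScan;
 import org.apache.hadoop.hbase.util.Bytes;
 import org.apache.hadoop.hbase.util.ConnectionCache;
 import org.apache.hadoop.hbase.util.DNS;
+import org.apache.hadoop.hbase.util.HttpServerUtil;
 import org.apache.hadoop.hbase.util.JvmPauseMonitor;
 import org.apache.hadoop.hbase.util.Strings;
 import org.apache.hadoop.security.SaslRpcServer.SaslGssCallbackHandler;
@@ -422,6 +423,7 @@ public class ThriftServerRunner implements Runnable {
 String httpPath = "/*";
 httpServer.setHandler(context);
 context.addServlet(new ServletHolder(thriftHttpServlet), httpPath);
+HttpServerUtil.constrainHttpMethods(context);
 // set up Jetty and run the embedded server
 Connector connector = new SelectChannelConnector();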
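Review bot: The new `HttpServerUtil.constrainHttpMethods(context);` call carries no explanation of what it restricts or why, and it sits between servlet registration and the Jetty connector setup where a maintainer reworking the HTTP path could easily drop it; add `// Reject TRACE/OPTIONS on the Thrift HTTP endpoint (cross-site tracing hardening); see HttpServerUtil.constrainHttpMethods` above it. Placing it right after addServlet and before the server is started looks correct, but whether the helper has any ordering requirement relative to setHandler is not visible here. The enclosing method starts and ends outside this hunk.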


@ -22,6 +22,8 @@ import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNull; import static org.junit.Assert.assertNull;
import static org.junit.Assert.fail; import static org.junit.Assert.fail;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.List; import java.util.List;
@ -40,6 +42,7 @@ import org.apache.thrift.protocol.TProtocol;
import org.apache.thrift.transport.THttpClient; import org.apache.thrift.transport.THttpClient;
import org.apache.thrift.transport.TTransportException; import org.apache.thrift.transport.TTransportException;
import org.junit.AfterClass; import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass; import org.junit.BeforeClass;
import org.junit.Test; import org.junit.Test;
import org.junit.experimental.categories.Category; import org.junit.experimental.categories.Category;
@ -166,8 +169,10 @@ public class TestThriftHttpServer {
Thread.sleep(100); Thread.sleep(100);
} }
String url = "http://"+ HConstants.LOCALHOST + ":" + port;
try { try {
talkToThriftServer(customHeaderSize); checkHttpMethods(url);
talkToThriftServer(url, customHeaderSize);
} catch (Exception ex) { } catch (Exception ex) {
clientSideException = ex; clientSideException = ex;
} finally { } finally {
@ -184,11 +189,19 @@ public class TestThriftHttpServer {
} }
} }
private void checkHttpMethods(String url) throws Exception {
// HTTP TRACE method should be disabled for security
// See https://www.owasp.org/index.php/Cross_Site_Tracing
HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
conn.setRequestMethod("TRACE");
conn.connect();
Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode());
}
private static volatile boolean tableCreated = false; private static volatile boolean tableCreated = false;
private void talkToThriftServer(int customHeaderSize) throws Exception { private void talkToThriftServer(String url, int customHeaderSize) throws Exception {
THttpClient httpClient = new THttpClient( THttpClient httpClient = new THttpClient(url);
"http://"+ HConstants.LOCALHOST + ":" + port);
httpClient.open(); httpClient.open();
if (customHeaderSize > 0) { if (customHeaderSize > 0) {