hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "stack (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-15122) Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER findbugs warnings
Date Sun, 17 Jan 2016 07:03:39 GMT

    [ https://issues.apache.org/jira/browse/HBASE-15122?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15103624#comment-15103624

stack commented on HBASE-15122:

Excellent. I like the way you add tooling so we can address this stuff going forward.

[~apurtell] (or [~busbey]/[~enis]) Any input? We are probably susceptible in a million places.
This is the one place found by FB. It says that if it is finding XSS, then very likely there
is much more to be found (other tooling that looks for XSS will turn up instances. Our templating
system is dumb (and old). Has no facility for sanitizing against XSS. Failing that, this lib
introduced in this patch gives us ammo going forward.

> Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER findbugs warnings
> ---------------------------------------------------------------------------
>                 Key: HBASE-15122
>                 URL: https://issues.apache.org/jira/browse/HBASE-15122
>             Project: HBase
>          Issue Type: Bug
>            Reporter: stack
>            Priority: Critical
>         Attachments: HBASE-15122.patch
> In our JMXJsonServlet we are doing this:
>         jsonpcb = request.getParameter(CALLBACK_PARAM);
>         if (jsonpcb != null) {
>           response.setContentType("application/javascript; charset=utf8");
>           writer.write(jsonpcb + "(");
> ... 
> Findbugs complains rightly. There are other instances in our servlets and then there
are the pages generated by jamon excluded from findbugs checking (and findbugs volunteers
that it is dumb in this regard finding only the most egregious of violations).
> We have no sanitizing tooling in hbase that I know of (correct me if I am wrong). I started
to pull on this thread and it runs deep. Our Jamon templating (last updated in 2013 and before
that, in 2011) engine doesn't seem to have sanitizing means either and there seems to be outstanding
XSS complaint against jamon that goes unaddressed.
> Could pull in something like https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
and run all emissions via it or get a templating engine that has sanitizing built in. 

This message was sent by Atlassian JIRA

View raw message