hbase-issues mailing list archives

From "Samir Ahmic (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-15122) Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER findbugs warnings
Date Fri, 29 Jan 2016 18:16:39 GMT

    [ https://issues.apache.org/jira/browse/HBASE-15122?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15123903#comment-15123903 ]

Samir Ahmic commented on HBASE-15122:
-------------------------------------

Thanks for the tip [~busbey]. I'm trying to test this patch on the master branch. This is what I get
after running:
{code}
mvn clean package assembly:single -Dlicense.debug.print.included=true -DskipTests -X
{code}
Debugging details:
{code}
[DEBUG] Building project for commons-collections:commons-collections:jar:3.2.2:compile
[DEBUG] Adding project with groupId [commons-collections]
[ERROR] Error invoking method 'get(java.lang.Integer)' in java.util.ArrayList at META-INF/NOTICE.vm[line 275, column 22]
java.lang.reflect.InvocationTargetException
	at sun.reflect.GeneratedMethodAccessor151.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.doInvoke(UberspectImpl.java:395)
	at org.apache.velocity.util.introspection.UberspectImpl$VelMethodImpl.invoke(UberspectImpl.java:384)
	at org.apache.velocity.runtime.parser.node.ASTIndex.execute(ASTIndex.java:149)
	at org.apache.velocity.runtime.parser.node.ASTReference.execute(ASTReference.java:280)
	at org.apache.velocity.runtime.parser.node.ASTReference.evaluate(ASTReference.java:530)
	at org.apache.velocity.runtime.parser.node.ASTOrNode.evaluate(ASTOrNode.java:98)
	at org.apache.velocity.runtime.parser.node.ASTExpression.evaluate(ASTExpression.java:62)
	at org.apache.velocity.runtime.parser.node.ASTNotNode.evaluate(ASTNotNode.java:63)
	at org.apache.velocity.runtime.parser.node.ASTExpression.evaluate(ASTExpression.java:62)
	at org.apache.velocity.runtime.parser.node.ASTIfStatement.render(ASTIfStatement.java:85)
	at org.apache.velocity.runtime.parser.node.ASTBlock.render(ASTBlock.java:72)
	at org.apache.velocity.runtime.directive.Foreach.render(Foreach.java:420)
	at org.apache.velocity.runtime.parser.node.ASTDirective.render(ASTDirective.java:207)
	at org.apache.velocity.runtime.parser.node.ASTBlock.render(ASTBlock.java:72)
	at org.apache.velocity.runtime.parser.node.ASTIfStatement.render(ASTIfStatement.java:87)
	at org.apache.velocity.runtime.parser.node.SimpleNode.render(SimpleNode.java:342)
	at org.apache.velocity.Template.merge(Template.java:356)
	at org.apache.velocity.Template.merge(Template.java:260)
	at org.apache.velocity.app.VelocityEngine.mergeTemplate(VelocityEngine.java:354)
	at org.apache.maven.plugin.resources.remote.ProcessRemoteResourcesMojo.processResourceBundles(ProcessRemoteResourcesMojo.java:1164)
	at org.apache.maven.plugin.resources.remote.ProcessRemoteResourcesMojo.execute(ProcessRemoteResourcesMojo.java:520)
	at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo(DefaultBuildPluginManager.java:101)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:209)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:153)
	at org.apache.maven.lifecycle.internal.MojoExecutor.execute(MojoExecutor.java:145)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:84)
	at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject(LifecycleModuleBuilder.java:59)
	at org.apache.maven.lifecycle.internal.LifecycleStarter.singleThreadedBuild(LifecycleStarter.java:183)
	at org.apache.maven.lifecycle.internal.LifecycleStarter.execute(LifecycleStarter.java:161)
	at org.apache.maven.DefaultMaven.doExecute(DefaultMaven.java:320)
	at org.apache.maven.DefaultMaven.execute(DefaultMaven.java:156)
	at org.apache.maven.cli.MavenCli.execute(MavenCli.java:537)
	at org.apache.maven.cli.MavenCli.doMain(MavenCli.java:196)
	at org.apache.maven.cli.MavenCli.main(MavenCli.java:141)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:606)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced(Launcher.java:289)
	at org.codehaus.plexus.classworlds.launcher.Launcher.launch(Launcher.java:229)
	at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode(Launcher.java:415)
	at org.codehaus.plexus.classworlds.launcher.Launcher.main(Launcher.java:356)
Caused by: java.lang.IndexOutOfBoundsException: Index: 0, Size: 0
	at java.util.ArrayList.rangeCheck(ArrayList.java:635)
	at java.util.ArrayList.get(ArrayList.java:411)
{code}
Which module LICENSE file should I check?


> Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER findbugs warnings
> ---------------------------------------------------------------------------
>
>                 Key: HBASE-15122
>                 URL: https://issues.apache.org/jira/browse/HBASE-15122
>             Project: HBase
>          Issue Type: Bug
>            Reporter: stack
>            Priority: Critical
>         Attachments: HBASE-15122.patch
>
>
> In our JMXJsonServlet we are doing this:
>         jsonpcb = request.getParameter(CALLBACK_PARAM);
>         if (jsonpcb != null) {
>           response.setContentType("application/javascript; charset=utf8");
>           writer.write(jsonpcb + "(");
> ... 
> Findbugs complains rightly. There are other instances in our servlets and then there
> are the pages generated by jamon excluded from findbugs checking (and findbugs volunteers
> that it is dumb in this regard finding only the most egregious of violations).
> We have no sanitizing tooling in hbase that I know of (correct me if I am wrong). I started
> to pull on this thread and it runs deep. Our Jamon templating (last updated in 2013 and before
> that, in 2011) engine doesn't seem to have sanitizing means either and there seems to be an outstanding
> XSS complaint against jamon that goes unaddressed.
> Could pull in something like https://www.owasp.org/index.php/OWASP_Java_Encoder_Project
> and run all emissions via it or get a templating engine that has sanitizing built in.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
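The issue description quoted above shows the pattern findbugs flags: the `callback` request parameter is written straight into a `application/javascript` response, so whatever the client supplies becomes script. For a JSONP callback the right defence is not output encoding (an encoded function name is no longer callable) but strict allowlist validation of the name before anything is written. The following is an added example written for this thread, not HBase project code and not the patch attached to HBASE-15122; the class and method names (`JsonpCallbackGuard`, `isSafeCallbackName`, `jsonpEnvelope`) are hypothetical, and the JSON payload is a constructed sample.

```java
// Added example (not HBase project code): allowlist validation of a JSONP
// callback name before it is reflected into the response body.
// The names JsonpCallbackGuard, isSafeCallbackName and jsonpEnvelope are
// hypothetical; the issue text itself only shows request.getParameter(CALLBACK_PARAM).
import java.util.regex.Pattern;

public final class JsonpCallbackGuard {

    // Accept only a JavaScript identifier, optionally dotted ("handleJmx",
    // "app.jmx.onData"). Parentheses, quotes, angle brackets, semicolons and
    // whitespace never match, so they are rejected rather than escaped: a
    // function name cannot be "sanitized" while remaining a valid call target.
    private static final Pattern SAFE_CALLBACK =
        Pattern.compile("^[A-Za-z_$][A-Za-z0-9_$]*(\\.[A-Za-z_$][A-Za-z0-9_$]*)*$");

    // Bound the length so a huge parameter cannot be reflected into the page.
    private static final int MAX_CALLBACK_LENGTH = 64;

    private JsonpCallbackGuard() {}

    /** True only for a bounded-length dotted identifier; null and "" are rejected. */
    public static boolean isSafeCallbackName(String callback) {
        return callback != null
            && callback.length() <= MAX_CALLBACK_LENGTH
            && SAFE_CALLBACK.matcher(callback).matches();
    }

    /**
     * Wraps already-serialized JSON in a JSONP envelope. Throws on an unsafe
     * name so the servlet can answer HTTP 400 instead of writing
     * client-controlled text to the response writer.
     */
    public static String jsonpEnvelope(String callback, String json) {
        if (!isSafeCallbackName(callback)) {
            throw new IllegalArgumentException("invalid JSONP callback name");
        }
        // Leading "/**/" is a common JSONP hardening: the response body then
        // starts with a fixed comment, not with client-chosen bytes.
        return "/**/" + callback + "(" + json + ");";
    }

    public static void main(String[] args) {
        String json = "{\"beans\":[]}";  // constructed sample payload
        String[] samples = {
            "handleJmx", "app.jmx.onData",          // accepted
            "handle()", "a<b>", "x;y", "", null     // rejected
        };
        for (String cb : samples) {
            if (isSafeCallbackName(cb)) {
                System.out.println("accept: " + jsonpEnvelope(cb, json));
            } else {
                System.out.println("reject (respond 400): " + cb);
            }
        }
    }
}
```

In the servlet, the check runs before `response.setContentType(...)` and before the first `writer.write(...)`; an invalid name gets `SC_BAD_REQUEST` and no body. Sending `X-Content-Type-Options: nosniff` alongside the `application/javascript` content type keeps browsers from reinterpreting the response as another type. Output encoding such as the OWASP Java Encoder mentioned in the issue is still the right tool for the other case the description raises, values interpolated into the HTML produced by the Jamon templates.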
