hbase-issues mailing list archives

From "stack (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-15187) Integrate CSRF prevention filter to REST gateway
Date Wed, 24 Feb 2016 16:25:18 GMT

    [ https://issues.apache.org/jira/browse/HBASE-15187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15163277#comment-15163277 ]

stack commented on HBASE-15187:

Answer my questions [~ted_yu] please. They are simple enough. I think I know what the answers
are but am asking you since you are the one hauling in the patch.

I started reading your citations but it just made me want to ask more questions (Chris describes
NN attack which made me wonder what the equivalent CSRF attack vector in hbase would look
like -- do you know? Stick it in the description if you do... the design doc talks about REST
but why are our other servlets not also vulnerable -- the OWASP page you cite doesn't say
anything about REST-only?)

The pointer to HBASE-15122 is immediately about XSS but I was referring to the fact that it
pulls in the OWASP library which seems well conversant with CSRF attacks (going by the page
you cite). I mentioned HBASE-15122 because I was wondering if the OWASP library has tooling
to help with CSRF (It seems like no magic bullet, just a bunch of policy to be applied --
but I was asking you).

> Integrate CSRF prevention filter to REST gateway
> ------------------------------------------------
>                 Key: HBASE-15187
>                 URL: https://issues.apache.org/jira/browse/HBASE-15187
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Ted Yu
>            Assignee: Ted Yu
>         Attachments: HBASE-15187.v1.patch, HBASE-15187.v2.patch, HBASE-15187.v3.patch,
> HBASE-15187.v4.patch, HBASE-15187.v5.patch, HBASE-15187.v6.patch, HBASE-15187.v7.patch, HBASE-15187.v8.patch
> HADOOP-12691 introduced a filter in Hadoop Common to help REST APIs guard against cross-site
> request forgery attacks.
> This issue tracks the integration of that filter into HBase REST gateway.

This message was sent by Atlassian JIRA
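Added illustration, not code from this issue, from HBase or from Hadoop: a small Python model of the policy a custom-header CSRF prevention filter of the kind the issue description refers to applies to each request. The header name `X-XSRF-HEADER`, the set of methods treated as safe, and the browser User-Agent patterns are assumptions chosen for the example, as are the constructed sample requests. The point it makes for a REST gateway is the one the comment asks about: a cross-site form submission or simple cross-origin request from a browser cannot carry an arbitrary custom header, so requiring that header on state-changing methods separates same-origin script calls (and non-browser clients) from forged browser requests.

```python
import re
from dataclasses import dataclass

# Assumed defaults for this example (not taken from HBase or Hadoop configuration).
DEFAULT_HEADER = "X-XSRF-HEADER"
DEFAULT_IGNORED_METHODS = frozenset({"GET", "OPTIONS", "HEAD", "TRACE"})
DEFAULT_BROWSER_AGENTS = ("^Mozilla.*", "^Opera.*")


@dataclass(frozen=True)
class Request:
    method: str
    headers: dict  # header names are compared case-insensitively


@dataclass
class CsrfHeaderPolicy:
    header_name: str = DEFAULT_HEADER
    ignored_methods: frozenset = DEFAULT_IGNORED_METHODS
    browser_agent_patterns: tuple = DEFAULT_BROWSER_AGENTS

    def _is_browser(self, user_agent):
        # Only browsers can be driven into a cross-site request by a third-party page;
        # a missing User-Agent is treated as a non-browser client (assumption).
        if user_agent is None:
            return False
        return any(re.match(p, user_agent) for p in self.browser_agent_patterns)

    def _header_value(self, headers, name):
        wanted = name.lower()
        for key, value in headers.items():
            if key.lower() == wanted:
                return value
        return None

    def decide(self, req):
        """Return (allowed, reason) for one request under this policy."""
        method = req.method.upper()
        # Safe methods are exempt; this assumes GET on the gateway has no side effects.
        if method in self.ignored_methods:
            return True, "safe method"
        ua = self._header_value(req.headers, "User-Agent")
        if not self._is_browser(ua):
            return True, "non-browser client"
        # A browser page on another origin cannot attach this header without a CORS
        # preflight, so its presence shows the call came from same-origin script.
        if self._header_value(req.headers, self.header_name) is not None:
            return True, "custom header present"
        return False, f"missing {self.header_name} on {method}"


# Constructed sample requests against a REST gateway (hypothetical clients).
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64)"
SAMPLE_REQUESTS = {
    "browser GET": Request("GET", {"User-Agent": BROWSER_UA}),
    "browser PUT without header": Request(
        "PUT", {"User-Agent": BROWSER_UA, "Content-Type": "application/x-www-form-urlencoded"}),
    "browser PUT with header": Request(
        "PUT", {"User-Agent": BROWSER_UA, "X-XSRF-HEADER": ""}),
    "curl DELETE without header": Request("DELETE", {"User-Agent": "curl/7.64.0"}),
}


def evaluate_samples(policy=None):
    """Map each sample label to whether the policy lets the request through."""
    policy = policy or CsrfHeaderPolicy()
    return {label: policy.decide(req)[0] for label, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    p = CsrfHeaderPolicy()
    for label, req in SAMPLE_REQUESTS.items():
        allowed, reason = p.decide(req)
        print(f"{label:30} -> {'allow' if allowed else 'reject':6} ({reason})")
```

Two caveats the decision table makes visible: the exemption for non-browser clients means the filter is a browser-side defence only, and the safe-method exemption holds only while GET handlers really are read-only, which is worth checking for every endpoint the gateway exposes.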
