Return-Path: 
X-Original-To: apmail-hbase-issues-archive@www.apache.org
Delivered-To: apmail-hbase-issues-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id A329F184F9 for ; Wed, 3 Feb 2016 13:45:49 +0000 (UTC)
Received: (qmail 6614 invoked by uid 500); 3 Feb 2016 13:45:40 -0000
Delivered-To: apmail-hbase-issues-archive@hbase.apache.org
Received: (qmail 6563 invoked by uid 500); 3 Feb 2016 13:45:40 -0000
Mailing-List: contact issues-help@hbase.apache.org; run by ezmlm
Precedence: bulk
List-Help: 
List-Unsubscribe: 
List-Post: 
List-Id: 
Delivered-To: mailing list issues@hbase.apache.org
Received: (qmail 6549 invoked by uid 99); 3 Feb 2016 13:45:40 -0000
Received: from arcas.apache.org (HELO arcas) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 03 Feb 2016 13:45:40 +0000
Received: from arcas.apache.org (localhost [127.0.0.1]) by arcas (Postfix) with ESMTP id D9A172C14F7 for ; Wed, 3 Feb 2016 13:45:39 +0000 (UTC)
Date: Wed, 3 Feb 2016 13:45:39 +0000 (UTC)
From: "Hadoop QA (JIRA)" 
To: issues@hbase.apache.org
Message-ID: 
In-Reply-To: 
References: 
Subject: [jira] [Commented] (HBASE-15122) Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER findbugs warnings
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394

    [ https://issues.apache.org/jira/browse/HBASE-15122?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15130404#comment-15130404 ]

Hadoop QA commented on HBASE-15122:
-----------------------------------

| (x) -1 overall |

|| Vote || Subsystem || Runtime || Comment ||
| 0 | reexec | 0m 0s | Docker mode activated. |
| +1 | hbaseanti | 0m 0s | Patch does not have any anti-patterns. |
| +1 | @author | 0m 0s | The patch does not contain any @author tags. |
| +1 | test4tests | 0m 0s | The patch appears to include 2 new or modified test files. |
| +1 | mvninstall | 2m 36s | master passed |
| +1 | compile | 0m 37s | master passed with JDK v1.8.0_72 |
| +1 | compile | 0m 41s | master passed with JDK v1.7.0_91 |
| +1 | checkstyle | 4m 4s | master passed |
| +1 | mvneclipse | 0m 25s | master passed |
| -1 | findbugs | 0m 8s | branch/hbase-resource-bundle no findbugs output file (hbase-resource-bundle/target/findbugsXml.xml) |
| +1 | javadoc | 0m 30s | master passed with JDK v1.8.0_72 |
| +1 | javadoc | 0m 40s | master passed with JDK v1.7.0_91 |
| +1 | mvninstall | 0m 53s | the patch passed |
| +1 | compile | 0m 36s | the patch passed with JDK v1.8.0_72 |
| +1 | javac | 0m 36s | the patch passed |
| +1 | compile | 0m 40s | the patch passed with JDK v1.7.0_91 |
| +1 | javac | 0m 40s | the patch passed |
| +1 | checkstyle | 4m 25s | the patch passed |
| +1 | mvneclipse | 0m 24s | the patch passed |
| -1 | whitespace | 0m 0s | The patch has 8 line(s) that end in whitespace. Use git apply --whitespace=fix. |
| -1 | whitespace | 0m 0s | The patch has 62 line(s) with tabs. |
| +1 | xml | 0m 1s | The patch has no ill-formed XML file. |
| +1 | hadoopcheck | 21m 42s | Patch does not cause any errors with Hadoop 2.4.0 2.4.1 2.5.0 2.5.1 2.5.2 2.6.1 2.6.2 2.6.3 2.7.1. |
| -1 | findbugs | 0m 9s | patch/hbase-resource-bundle no findbugs output file (hbase-resource-bundle/target/findbugsXml.xml) |
| +1 | javadoc | 0m 30s | the patch passed with JDK v1.8.0_72 |
| +1 | javadoc | 0m 40s | the patch passed with JDK v1.7.0_91 |
| +1 | unit | 0m 6s | hbase-resource-bundle in the patch passed with JDK v1.8.0_72. |
| -1 | unit | 81m 56s | hbase-server in the patch failed with JDK v1.8.0_72. |
| +1 | unit | 0m 17s | hbase-resource-bundle in the patch passed with JDK v1.7.0_91. |
| +1 | unit | 79m 37s | hbase-server in the patch passed with JDK v1.7.0_91. |
| -1 | asflicense | 0m 30s | Patch generated 2 ASF License warnings. |
| | | 206m 32s | |

|| Reason || Tests ||
| JDK v1.8.0_72 Timed out junit tests | org.apache.hadoop.hbase.regionserver.TestRegionMergeTransactionOnCluster |

|| Subsystem || Report/Notes ||
| Docker | Client=1.9.1 Server=1.9.1 Image:yetus/hbase:date2016-02-03 |
| JIRA Patch URL | https://issues.apache.org/jira/secure/attachment/12785999/HBASE-15122_v2.patch |
| JIRA Issue | HBASE-15122 |
| Optional Tests | asflicense javac javadoc unit xml compile findbugs hadoopcheck hbaseanti checkstyle |
| uname | Linux c91c5b75c17b 3.13.0-36-lowlatency #63-Ubuntu SMP PREEMPT Wed Sep 3 21:56:12 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | /home/jenkins/jenkins-slave/workspace/PreCommit-HBASE-Build/component/dev-support/hbase-personality.sh |
| git revision | master / 2f57673 |
| findbugs | v3.0.0 |
| whitespace | https://builds.apache.org/job/PreCommit-HBASE-Build/414/artifact/patchprocess/whitespace-eol.txt |
| whitespace | https://builds.apache.org/job/PreCommit-HBASE-Build/414/artifact/patchprocess/whitespace-tabs.txt |
| unit | https://builds.apache.org/job/PreCommit-HBASE-Build/414/artifact/patchprocess/patch-unit-hbase-server-jdk1.8.0_72.txt |
| unit test logs | https://builds.apache.org/job/PreCommit-HBASE-Build/414/artifact/patchprocess/patch-unit-hbase-server-jdk1.8.0_72.txt |
| JDK v1.7.0_91 Test Results | https://builds.apache.org/job/PreCommit-HBASE-Build/414/testReport/ |
| asflicense | https://builds.apache.org/job/PreCommit-HBASE-Build/414/artifact/patchprocess/patch-asflicense-problems.txt |
| modules | C: hbase-resource-bundle hbase-server U: . |
| Max memory used | 176MB |
| Powered by | Apache Yetus 0.1.0 http://yetus.apache.org |
| Console output | https://builds.apache.org/job/PreCommit-HBASE-Build/414/console |

This message was automatically generated.
> Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER findbugs warnings
> ---------------------------------------------------------------------------
>
>                 Key: HBASE-15122
>                 URL: https://issues.apache.org/jira/browse/HBASE-15122
>             Project: HBase
>          Issue Type: Bug
>            Reporter: stack
>            Priority: Critical
>         Attachments: HBASE-15122-v0-master, HBASE-15122.patch, HBASE-15122_v1.patch, HBASE-15122_v2.patch
>
>
> In our JMXJsonServlet we are doing this:
>
>   jsonpcb = request.getParameter(CALLBACK_PARAM);
>   if (jsonpcb != null) {
>     response.setContentType("application/javascript; charset=utf8");
>     writer.write(jsonpcb + "(");
>     ...
>
> Findbugs complains rightly. There are other instances in our servlets and then there are the pages generated by jamon excluded from findbugs checking (and findbugs volunteers that it is dumb in this regard finding only the most egregious of violations).
>
> We have no sanitizing tooling in hbase that I know of (correct me if I am wrong). I started to pull on this thread and it runs deep. Our Jamon templating (last updated in 2013 and before that, in 2011) engine doesn't seem to have sanitizing means either and there seems to be an outstanding XSS complaint against jamon that goes unaddressed.
>
> Could pull in something like https://www.owasp.org/index.php/OWASP_Java_Encoder_Project and run all emissions via it or get a templating engine that has sanitizing built in.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
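The callback reflection quoted in the issue, shown beside a hardened form, as an added example written for this page: it is not HBase code and not the patch attached to HBASE-15122. Names are assumptions: `CALLBACK_PARAM` stands in for the servlet's constant, the JSON body is a constructed stand-in for the JMX output, and the attacker value is constructed. The practitioner's point it illustrates: an output encoder such as the OWASP Java Encoder is the right tool where the output context is known (HTML text, an attribute, a JavaScript string literal), but a JSONP callback is emitted as a bare identifier, so the control there is allow-list validation of the parameter with a 400 for anything else; the Jamon-rendered HTML pages the reporter mentions are where an HTML encoder belongs.

```java
import java.io.IOException;
import java.io.StringWriter;
import java.io.Writer;
import java.util.regex.Pattern;

/**
 * Added example, not HBase code: JSONP callback handling for a servlet shaped
 * like JMXJsonServlet. renderUnsafe() paraphrases the snippet quoted in the
 * issue; renderSafe()/writeResponse() are the editor's suggested hardening.
 */
public final class JsonpCallbackExample {

  /** Assumed name for the request parameter (the issue calls it CALLBACK_PARAM). */
  static final String CALLBACK_PARAM = "callback";

  /** Accept only a dotted JavaScript identifier path: "cb", "ns.onJmx", "$fn". */
  private static final Pattern SAFE_CALLBACK =
      Pattern.compile("^[A-Za-z_$][A-Za-z0-9_$]*(\\.[A-Za-z_$][A-Za-z0-9_$]*)*$");

  /** Length cap plus regex: quotes, parens, '<', '/', and whitespace are all rejected. */
  static boolean isSafeCallback(String cb) {
    return cb != null && cb.length() <= 64 && SAFE_CALLBACK.matcher(cb).matches();
  }

  /** Vulnerable form: whatever arrived in ?callback= is written back verbatim. */
  static String renderUnsafe(String jsonpcb, String json) {
    StringBuilder out = new StringBuilder();
    if (jsonpcb != null) {
      out.append(jsonpcb).append('(');
    }
    out.append(json);
    if (jsonpcb != null) {
      out.append(");");
    }
    return out.toString();
  }

  /**
   * Hardened form: the callback is validated, not encoded, because it is
   * emitted as a bare identifier rather than inside a string or HTML context.
   * The leading comment keeps the response from starting with caller-chosen
   * bytes (the Rosetta Flash mitigation used by large JSONP providers).
   */
  static String renderSafe(String jsonpcb, String json) {
    if (jsonpcb == null) {
      return json;
    }
    if (!isSafeCallback(jsonpcb)) {
      throw new IllegalArgumentException("rejected callback parameter");
    }
    return "/**/" + jsonpcb + "(" + json + ");";
  }

  /**
   * Servlet-shaped wrapper that needs no servlet API on the classpath: returns
   * the HTTP status a doGet() should send. In a real servlet also set
   * Content-Type: application/javascript; charset=utf-8 and
   * X-Content-Type-Options: nosniff so the body is never sniffed as HTML.
   */
  static int writeResponse(String jsonpcb, String json, Writer out) throws IOException {
    try {
      out.write(renderSafe(jsonpcb, json));
      return 200;
    } catch (IllegalArgumentException e) {
      out.write("{\"error\":\"invalid " + CALLBACK_PARAM + " parameter\"}");
      return 400;
    }
  }

  public static void main(String[] args) throws IOException {
    String json = "{\"beans\":[]}";                 // constructed stand-in for JMX output
    String evil = "alert(document.cookie);//";      // constructed attacker-supplied callback

    System.out.println("unsafe:   " + renderUnsafe(evil, json));

    StringWriter w = new StringWriter();
    System.out.println("hardened: " + writeResponse(evil, json, w) + " " + w);

    w = new StringWriter();
    System.out.println("hardened: " + writeResponse("ns.onJmx", json, w) + " " + w);
  }
}
```

Run with `javac JsonpCallbackExample.java && java JsonpCallbackExample`. The unsafe line shows why the findbugs warning is justified: the `//` in the constructed callback turns the rest of the response into a comment, so the script a browser executes is entirely the caller's choice. The hardened path answers 400 for that value and emits `/**/ns.onJmx({"beans":[]});` for a legitimate one; the regex is deliberately narrower than the JavaScript identifier grammar (no Unicode letters), which is the right trade for a monitoring endpoint.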