Date: Wed, 3 Feb 2016 14:59:39 +0000 (UTC)
From: "Samir Ahmic (JIRA)"
To: issues@hbase.apache.org
Subject: [jira] [Commented] (HBASE-15122) Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER findbugs warnings

[ https://issues.apache.org/jira/browse/HBASE-15122?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15130521#comment-15130521 ]

Samir Ahmic commented on HBASE-15122:
-------------------------------------

I have seen TestRegionMergeTransactionOnCluster failing recently.
> Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER findbugs warnings
> ---------------------------------------------------------------------------
>
>                 Key: HBASE-15122
>                 URL: https://issues.apache.org/jira/browse/HBASE-15122
>             Project: HBase
>          Issue Type: Bug
>            Reporter: stack
>            Priority: Critical
>         Attachments: HBASE-15122-v0-master, HBASE-15122.patch, HBASE-15122_v1.patch, HBASE-15122_v2.patch
>
>
> In our JMXJsonServlet we are doing this:
>
>     jsonpcb = request.getParameter(CALLBACK_PARAM);
>     if (jsonpcb != null) {
>       response.setContentType("application/javascript; charset=utf8");
>       writer.write(jsonpcb + "(");
>       ...
>
> Findbugs complains rightly. There are other instances in our servlets and then there are the pages generated by jamon excluded from findbugs checking (and findbugs volunteers that it is dumb in this regard finding only the most egregious of violations).
>
> We have no sanitizing tooling in hbase that I know of (correct me if I am wrong). I started to pull on this thread and it runs deep. Our Jamon templating (last updated in 2013 and before that, in 2011) engine doesn't seem to have sanitizing means either and there seems to be an outstanding XSS complaint against jamon that goes unaddressed.
>
> Could pull in something like https://www.owasp.org/index.php/OWASP_Java_Encoder_Project and run all emissions via it or get a templating engine that has sanitizing built in.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
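As an added example that is not part of this thread or of the HBase code base: the JSONP write quoted in the issue description, first in the shape findbugs flags and then with the callback parameter checked against a strict identifier allow-list before it ever reaches the writer. JMXJsonServlet and CALLBACK_PARAM are the names from the issue; the class, method and pattern names below are assumed.

```java
import java.util.regex.Pattern;

// Added example, not HBase code: the JSONP callback write from HBASE-15122,
// first as findbugs sees it and then with the parameter validated.
public class JsonpCallbackExample {

    // Allow-list for a JSONP callback name: a JavaScript identifier, optionally
    // dotted ("myApp.handlers.onJmx"), with a length cap. Anything else is refused.
    private static final Pattern SAFE_CALLBACK = Pattern.compile(
        "^[A-Za-z_$][A-Za-z0-9_$]*(\\.[A-Za-z_$][A-Za-z0-9_$]*)*$");
    private static final int MAX_CALLBACK_LEN = 64;

    // The shape XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER flags: the raw request
    // parameter is concatenated straight into the response body.
    static String renderUnsafe(String jsonpcb, String json) {
        return jsonpcb + "(" + json + ");";
    }

    // Hardened form. Validation rather than output encoding is the right tool
    // here: a callback must remain a bare identifier to be usable, so an encoder
    // would either mangle legitimate names or leave a non-identifier intact.
    static String renderSafe(String jsonpcb, String json) {
        if (jsonpcb == null || jsonpcb.length() > MAX_CALLBACK_LEN
                || !SAFE_CALLBACK.matcher(jsonpcb).matches()) {
            throw new IllegalArgumentException("invalid JSONP callback name");
        }
        // A leading comment is a common JSONP hardening against content-sniffing
        // tricks; the servlet should also send X-Content-Type-Options: nosniff.
        return "/**/" + jsonpcb + "(" + json + ");";
    }

    public static void main(String[] args) {
        String json = "{\"beans\":[]}";           // constructed stand-in for JMX output
        String good = "myApp.onJmx";               // constructed legitimate callback
        String bad = "cb<not-an-identifier>";      // constructed hostile-shaped callback

        System.out.println(renderSafe(good, json));
        System.out.println(renderUnsafe(bad, json)); // markup is passed through verbatim
        try {
            renderSafe(bad, json);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a servlet the rejection branch would map to a 400 response rather than an exception; the allow-list check itself is the part that removes the findbugs finding at its root.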