hbase-issues mailing list archives

From "Sean Mackrory (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HBASE-15946) Eliminate possible security concerns in RS web UI's store file metrics
Date Thu, 02 Jun 2016 19:06:59 GMT
Sean Mackrory created HBASE-15946:
-------------------------------------

             Summary: Eliminate possible security concerns in RS web UI's store file metrics
                 Key: HBASE-15946
                 URL: https://issues.apache.org/jira/browse/HBASE-15946
             Project: HBase
          Issue Type: Bug
            Reporter: Sean Mackrory


More from static code analysis: it warns about the invoking of a separate command ("hbase
hfile -s -f ...") as a possible security issue in hbase-server/src/main/resources/hbase-webapps/regionserver/storeFile.jsp.

It looks to me like one cannot inject arbitrary shell script or even arbitrary arguments:
ProcessBuilder makes that fairly safe and only allows the user to specify the argument that
comes after -f. However that does potentially allow them to have the daemon's user access
files they shouldn't be able to touch, albeit only for reading.

To more explicitly eliminate any threats here, we should add some validation that the file
is at least within HBase's root directory and use the Java API directly instead of invoking
a separate executable.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
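The validation the issue asks for, as an added example that is not HBase's own code: a helper that confines a user-supplied store file path (assumed to come straight from the JSP request parameter) to the configured root directory before anything reads it. It compares scheme, authority and the normalized path against an assumed root of `hdfs://nn:8020/hbase`, rejecting `..` traversal, other filesystems and other clusters.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Hypothetical helper, not HBase's own code: checks that a user-supplied store
// file path lies strictly inside hbase.rootdir before the file is opened.
// Both arguments are URI-style path strings as used for HDFS.
public final class StoreFilePathCheck {

    private StoreFilePathCheck() {}

    public static boolean isWithinRootDir(String rootDir, String candidate) {
        if (rootDir == null || candidate == null || candidate.isEmpty()) {
            return false;
        }
        URI root;
        URI file;
        try {
            root = new URI(rootDir).normalize();
            file = new URI(candidate).normalize();
        } catch (URISyntaxException e) {
            return false; // malformed input is never a valid store file
        }
        // Scheme and authority must match exactly, so "file:///etc/passwd" or
        // "hdfs://other-cluster/..." cannot pass for a root on this cluster.
        if (!equalsNullSafe(root.getScheme(), file.getScheme())
                || !equalsNullSafe(root.getAuthority(), file.getAuthority())) {
            return false;
        }
        String rootPath = root.getPath();
        String filePath = file.getPath();
        if (rootPath == null || filePath == null || !filePath.startsWith("/")) {
            return false; // relative paths would resolve against the working directory
        }
        // normalize() keeps ".." segments that climb above "/", so reject any that remain
        if (filePath.startsWith("/../") || filePath.contains("/../") || filePath.endsWith("/..")) {
            return false;
        }
        String prefix = rootPath.endsWith("/") ? rootPath : rootPath + "/";
        // Strictly inside the root: the root directory itself is not a store file
        return filePath.startsWith(prefix) && filePath.length() > prefix.length();
    }

    private static boolean equalsNullSafe(String a, String b) {
        return a == null ? b == null : a.equals(b);
    }

    public static void main(String[] args) {
        String root = "hdfs://nn:8020/hbase"; // assumed hbase.rootdir value
        System.out.println("inside root: " + isWithinRootDir(root, "hdfs://nn:8020/hbase/data/ns/t1/r1/cf/f1"));
        System.out.println("traversal:   " + isWithinRootDir(root, "hdfs://nn:8020/hbase/data/../../etc/passwd"));
        System.out.println("sibling dir: " + isWithinRootDir(root, "hdfs://nn:8020/hbase-other/f1"));
        System.out.println("local file:  " + isWithinRootDir(root, "file:///etc/passwd"));
    }
}
```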
