hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sean Mackrory (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HBASE-15946) Eliminate possible security concerns in RS web UI's store file metrics
Date Thu, 02 Jun 2016 20:29:59 GMT

     [ https://issues.apache.org/jira/browse/HBASE-15946?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Sean Mackrory updated HBASE-15946:
    Attachment: HBASE-15946-v1.patch

I want to do a bit more testing on this patch and clean up a few things, but here's the basic

This adds a couple of things to the public interface of HFilePrettyPrinter to make it usable
directly from storeFile.jsp. It also validates that the file is in HBase's root dir, which
brings with it some caveats I want to make sure are safe:
* It can be a fully qualified URL (e.g. hdfs://namenode:8020/hbase), relative to the filesystem
in hbase.rootdir or fs.defaultFS. This is how the RS Web UI will pass it in. If we need to
tolerate different hostnames or addresses that would resolve to the same filesystem, this
validation needs to get a lot more complex.
* It can be an absolute path in the same filesystem. This makes more sense for CLI usage.
* It can't be a relative URL. I can't think of how this could reasonably end up  getting provided.
If it would be relative to the the hbase rootdir, we can easily verify that the file is there.
If it would be relative to something else, that would need to be handled.

Also need to be careful here about cases where /hbase is the root but /hbaseXYZ exists, since
I'm just appending strings and checking that the beginning is the same. If the relative path
XYZ was provided, the string would indeed begin with HBase root.

> Eliminate possible security concerns in RS web UI's store file metrics
> ----------------------------------------------------------------------
>                 Key: HBASE-15946
>                 URL: https://issues.apache.org/jira/browse/HBASE-15946
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Sean Mackrory
>            Assignee: Mikhail Antonov
>         Attachments: HBASE-15946-v1.patch
> More from static code analysis: it warns about the invoking of a separate command ("hbase
hfile -s -f ...") as a possible security issue in hbase-server/src/main/resources/hbase-webapps/regionserver/storeFile.jsp.
> It looks to me like one cannot inject arbitrary shell script or even arbitrary arguments:
ProcessBuilder makes that fairly safe and only allows the user to specify the argument that
comes after -f. However that does potentially allow them to have the daemon's user access
files they shouldn't be able to touch, albeit only for reading.
> To more explicitly eliminate any threats here, we should add some validation that the
file is at least within HBase's root directory and use the Java API directly instead of invoking
a separate executable.

This message was sent by Atlassian JIRA

View raw message