hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-15946) Eliminate possible security concerns in RS web UI's store file metrics
Date Fri, 10 Jun 2016 06:24:20 GMT

    [ https://issues.apache.org/jira/browse/HBASE-15946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15323949#comment-15323949
] 

Hudson commented on HBASE-15946:
--------------------------------

SUCCESS: Integrated in HBase-1.3 #732 (See [https://builds.apache.org/job/HBase-1.3/732/])
HBASE-15946 Eliminate possible security concerns in RS web UI's store (antonov: rev d8d63d67152af8eed48f8863a0e13d3e71fc097c)
* hbase-server/src/main/resources/hbase-webapps/regionserver/storeFile.jsp
* hbase-server/src/main/java/org/apache/hadoop/hbase/io/hfile/HFilePrettyPrinter.java


> Eliminate possible security concerns in RS web UI's store file metrics
> ----------------------------------------------------------------------
>
>                 Key: HBASE-15946
>                 URL: https://issues.apache.org/jira/browse/HBASE-15946
>             Project: HBase
>          Issue Type: Bug
>    Affects Versions: 1.3.0, 1.2.1
>            Reporter: Sean Mackrory
>            Assignee: Sean Mackrory
>             Fix For: 1.3.0, 1.2.2
>
>         Attachments: HBASE-15946-branch-1.3-mantonov.diff, HBASE-15946-v1.patch, HBASE-15946-v2.patch,
HBASE-15946-v3.patch
>
>
> More from static code analysis: it warns about the invoking of a separate command ("hbase
hfile -s -f ...") as a possible security issue in hbase-server/src/main/resources/hbase-webapps/regionserver/storeFile.jsp.
> It looks to me like one cannot inject arbitrary shell script or even arbitrary arguments:
ProcessBuilder makes that fairly safe and only allows the user to specify the argument that
comes after -f. However that does potentially allow them to have the daemon's user access
files they shouldn't be able to touch, albeit only for reading.
> To more explicitly eliminate any threats here, we should add some validation that the
file is at least within HBase's root directory and use the Java API directly instead of invoking
a separate executable.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message