Date: Wed, 8 Jun 2016 02:13:21 +0000 (UTC)
From: "Enis Soztutar (JIRA)"
To: issues@hbase.apache.org
Subject: [jira] [Commented] (HBASE-15946) Eliminate possible security concerns in RS web UI's store file metrics

[ https://issues.apache.org/jira/browse/HBASE-15946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15319865#comment-15319865 ]

Enis Soztutar commented on HBASE-15946:
---------------------------------------

+1.
> Eliminate possible security concerns in RS web UI's store file metrics
> ----------------------------------------------------------------------
>
>                 Key: HBASE-15946
>                 URL: https://issues.apache.org/jira/browse/HBASE-15946
>             Project: HBase
>          Issue Type: Bug
>    Affects Versions: 1.3.0, 1.2.1
>            Reporter: Sean Mackrory
>            Assignee: Mikhail Antonov
>             Fix For: 1.3.0, 1.2.2
>
>         Attachments: HBASE-15946-v1.patch, HBASE-15946-v2.patch, HBASE-15946-v3.patch
>
>
> More from static code analysis: it warns about the invoking of a separate command ("hbase hfile -s -f ...") as a possible security issue in hbase-server/src/main/resources/hbase-webapps/regionserver/storeFile.jsp.
>
> It looks to me like one cannot inject arbitrary shell script or even arbitrary arguments: ProcessBuilder makes that fairly safe and only allows the user to specify the argument that comes after -f. However, that does potentially allow them to have the daemon's user access files they shouldn't be able to touch, albeit only for reading.
>
> To more explicitly eliminate any threats here, we should add some validation that the file is at least within HBase's root directory and use the Java API directly instead of invoking a separate executable.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
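The root-directory validation proposed in the description, written out as an added example that is not HBase's own code and not part of any of the attached patches. It assumes the root directory and the user-supplied store file are both given as URI strings in the form HBase uses for HDFS paths (scheme, authority, absolute path); the class name, the method and the sample inputs are all hypothetical. The point it makes beyond the description is that the check has to be done on normalised path components rather than by string prefix: "/hbase/../etc/passwd" and "/hbasefoo/x" both start with the text "/hbase" but neither lies inside it.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Objects;

/**
 * Added example (hypothetical, not HBase code): decide whether a
 * user-supplied store file location lies inside the configured root
 * directory before the daemon opens it.
 */
public final class StoreFilePathCheck {

    private StoreFilePathCheck() {}

    /**
     * Returns true only if {@code candidate} resolves, after normalisation,
     * to a location strictly below {@code rootDir}.
     *
     * The scheme and authority of the candidate, when present, must match
     * the root's, so "file:///etc/passwd" is rejected even if the path part
     * happened to sit under the root. The path part is compared component
     * by component with java.nio.file.Path, so ".." segments are collapsed
     * and a sibling directory that merely shares a text prefix is rejected.
     */
    public static boolean isUnderRoot(String rootDir, String candidate) {
        URI root = URI.create(rootDir);
        URI cand;
        try {
            cand = new URI(candidate);
        } catch (URISyntaxException e) {
            // Anything that is not a well-formed URI is rejected outright.
            return false;
        }
        if (cand.getScheme() != null
                && !Objects.equals(cand.getScheme(), root.getScheme())) {
            return false;
        }
        if (cand.getAuthority() != null
                && !Objects.equals(cand.getAuthority(), root.getAuthority())) {
            return false;
        }
        String candPath = cand.getPath();
        if (candPath == null || candPath.isEmpty()) {
            return false;
        }
        Path rootPath = Paths.get(root.getPath()).normalize();
        // resolve() replaces the root entirely when candPath is absolute,
        // so "/etc/passwd" does not silently become "/hbase/etc/passwd".
        Path resolved = rootPath.resolve(candPath).normalize();
        // Reject the root itself: a store file is always a descendant.
        return !resolved.equals(rootPath) && resolved.startsWith(rootPath);
    }

    public static void main(String[] args) {
        // Constructed sample inputs; none of these are real cluster paths.
        String root = "hdfs://nn:8020/hbase";
        String[] samples = {
            "hdfs://nn:8020/hbase/data/default/t1/r1/cf/f1",   // accept
            "/hbase/data/default/t1/r1/cf/f1",                  // accept
            "data/default/t1/r1/cf/f1",                         // accept (relative)
            "hdfs://nn:8020/hbase/../etc/passwd",               // reject: escapes root
            "/hbasefoo/data/x",                                 // reject: prefix only
            "file:///hbase/data/default/t1/r1/cf/f1",           // reject: wrong scheme
            "hdfs://other:8020/hbase/data/x",                   // reject: wrong authority
            "/hbase",                                           // reject: root itself
            "-f /etc/passwd"                                    // reject: malformed URI
        };
        for (String s : samples) {
            System.out.printf("%-50s -> %s%n", s, isUnderRoot(root, s));
        }
    }
}
```

This only addresses the "read files outside the root" half of the description; it still says nothing about whether the web UI's caller is entitled to read a given table's store files, which is a separate authorisation question.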