hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Wei-Chiu Chuang (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-20339) A potential security issue in org.apache.hadoop.hbase.http.log.LogLevel.java
Date Wed, 04 Apr 2018 08:23:00 GMT

    [ https://issues.apache.org/jira/browse/HBASE-20339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16425161#comment-16425161

Wei-Chiu Chuang commented on HBASE-20339:

Thanks for raising the issue. LogLevel is a HttpServer based sevlet. It includes the QuotingInputFilter
to defend against cross site scripting like this.

I've also verified on a HBase2 cluster that this is true, and entering anything will be HTML

Note: LogLevel.java was copied from the Hadoop project. So you'd likely get the same false
positives when you scan for the Hadoop code. Please do not raise a new HADOOP issue for the
same, as I've also verified the same for Hadoop.

> A potential security issue in org.apache.hadoop.hbase.http.log.LogLevel.java
> ----------------------------------------------------------------------------
>                 Key: HBASE-20339
>                 URL: https://issues.apache.org/jira/browse/HBASE-20339
>             Project: HBase
>          Issue Type: Bug
>          Components: hbase
>    Affects Versions: 2.0.0-beta-2
>            Reporter: andy zhou
>            Priority: Major
> Our program analyzer has detected a potential security issue as follows 
> {code:java}
> PrintWriter out = ServletUtil.initHTML(response, "Log Level");
> String logName = ServletUtil.getParameter(request, "log");
> String level = ServletUtil.getParameter(request, "level");
> if (logName != null) {
>    out.println("<br /><hr /><h3>Results</h3>");
>    out.println(MARKER
>         + "Submitted Log Name: <b>" + logName + "</b><br />");
>   ...
> }{code}
> Above is the code piece. Seems that the log name is directly collected from the web request,
and only whether the data is null is checked. So an attacker may provide a "logName" with
a piece of injected code, leading to cross-site attacks. And besides, the variable "level"
may also have such vulnerability.
> (org.apache.hadoop.hbase.http.log.LogLevel.java Line 111/118)
> Linkage to the code is here:
> [https://github.com/apache/hbase/blob/9e9b347d667e1fc6165c9f8ae5ae7052147e8895/hbase-http/src/main/java/org/apache/hadoop/hbase/http/log/LogLevel.java#L111]
> SourceBrella inc.

This message was sent by Atlassian JIRA

View raw message