From aihu...@apache.org
Subject hive git commit: HIVE-17679: http-generic-click-jacking for WebHcat server (Aihua Xu reviewed by Yongzhi Chen)
Date Thu, 05 Oct 2017 22:07:00 GMT
Repository: hive
Updated Branches:
  refs/heads/master 26753ade2 -> 2902c7cc2


HIVE-17679: http-generic-click-jacking for WebHcat server (Aihua Xu reviewed by Yongzhi Chen)


Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/2902c7cc
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/2902c7cc
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/2902c7cc

Branch: refs/heads/master
Commit: 2902c7cc2ab20525139cafa8c594a09fb6c499f9
Parents: 26753ad
Author: Aihua Xu <aihuaxu@apache.org>
Authored: Tue Oct 3 09:44:07 2017 -0700
Committer: Aihua Xu <aihuaxu@apache.org>
Committed: Thu Oct 5 14:59:14 2017 -0700

----------------------------------------------------------------------
 .../svr/src/main/config/webhcat-default.xml     |  8 ++++
 .../hive/hcatalog/templeton/AppConfig.java      |  1 +
 .../apache/hive/hcatalog/templeton/Main.java    | 43 ++++++++++++++++++++
 3 files changed, 52 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hive/blob/2902c7cc/hcatalog/webhcat/svr/src/main/config/webhcat-default.xml
----------------------------------------------------------------------
diff --git a/hcatalog/webhcat/svr/src/main/config/webhcat-default.xml b/hcatalog/webhcat/svr/src/main/config/webhcat-default.xml
index fa8dbf8..2de8525 100644
--- a/hcatalog/webhcat/svr/src/main/config/webhcat-default.xml
+++ b/hcatalog/webhcat/svr/src/main/config/webhcat-default.xml
@@ -371,4 +371,12 @@
         in all PUT/POST requests, and rejects requests that do not have these.
     </description>
   </property>
+    <property>
+    <name>templeton.frame.options.filter</name>
+    <value>DENY</value>
+    <description>
+        X-Frame-Options is added in HTTP response header with this value to prevent
+        clickjacking attacks. Possible values are DENY, SAMEORIGIN, ALLOW-FROM uri.
+    </description>
+  </property>
 </configuration>
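Review bot: The opening `<property>` of the new block is indented four spaces while its own `</property>` and the preceding one use two, so it reads as if nested; `  <property>` keeps the file consistent. The description lists `ALLOW-FROM uri` as a possible value; as far as I know that form is not honoured by current browsers, so a sentence such as `ALLOW-FROM is not supported by all browsers; prefer DENY or SAMEORIGIN` would keep operators from relying on it. Nothing in the patch validates this value, so a misspelled setting produces a header browsers ignore rather than an error; see the XFrameOptionsFilter hunk in Main.java.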

http://git-wip-us.apache.org/repos/asf/hive/blob/2902c7cc/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/AppConfig.java
----------------------------------------------------------------------
diff --git a/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/AppConfig.java
b/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/AppConfig.java
index 0ea7d88..4232d4d 100644
--- a/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/AppConfig.java
+++ b/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/AppConfig.java
@@ -204,6 +204,7 @@ public class AppConfig extends Configuration {
   public static final String HIVE_EXTRA_FILES = "templeton.hive.extra.files";
 
   public static final String XSRF_FILTER_ENABLED = "templeton.xsrf.filter.enabled";
+  public static final String FRAME_OPTIONS_FILETER = "templeton.frame.options.filter";
 
   private static final Logger LOG = LoggerFactory.getLogger(AppConfig.class);
 

http://git-wip-us.apache.org/repos/asf/hive/blob/2902c7cc/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/Main.java
----------------------------------------------------------------------
diff --git a/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/Main.java
b/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/Main.java
index 3ed3ece..02b9db9 100644
--- a/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/Main.java
+++ b/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/Main.java
@@ -53,7 +53,15 @@ import org.eclipse.jetty.xml.XmlConfiguration;
 import org.slf4j.bridge.SLF4JBridgeHandler;
 
 import javax.servlet.DispatcherType;
+import javax.servlet.Filter;
+import javax.servlet.FilterChain;
+import javax.servlet.FilterConfig;
+import javax.servlet.ServletException;
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.annotation.WebFilter;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 
 /**
  * The main executable that starts up and runs the Server.
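Review bot: `import javax.servlet.annotation.WebFilter;` looks unused — the filter this commit adds is registered programmatically through a `FilterHolder`, and the `XFrameOptionsFilter` class in the later hunk carries no `@WebFilter` annotation. Unless the annotation is used elsewhere in the file outside the diff, drop the import; the other seven new imports are all exercised by the filter.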
@@ -213,6 +221,8 @@ public class Main {
       LOG.warn("XSRF filter disabled");
     }
 
+    root.addFilter(makeFrameOptionFilter(), "/" + SERVLET_PATH + "/*", dispatches);
+
     // Connect Jersey
     ServletHolder h = new ServletHolder(new ServletContainer(makeJerseyConfig()));
     root.addServlet(h, "/" + SERVLET_PATH + "/*");
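Review bot: The new filter is mapped only to `"/" + SERVLET_PATH + "/*"`, the same pattern as the Jersey servlet registered two lines below, so anything else the root handler might serve would go out without the header. If the intent is to protect the whole endpoint, a `/*` mapping is the safer default; if only the REST path exists under root, a one-line comment saying so would spare the next reader the check. The `dispatches` value used here is defined outside the hunk.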
@@ -259,6 +269,39 @@ public class Main {
     return authFilter;
   }
 
+  public FilterHolder makeFrameOptionFilter() {
+    FilterHolder frameOptionFilter = new FilterHolder(XFrameOptionsFilter.class);
+    frameOptionFilter.setInitParameter(AppConfig.FRAME_OPTIONS_FILETER, conf.get(AppConfig.FRAME_OPTIONS_FILETER));
+    return frameOptionFilter;
+  }
+
+  public static class XFrameOptionsFilter implements Filter {
+    private final static String defaultMode = "DENY";
+
+    private String mode = null;
+
+    @Override
+    public void init(FilterConfig filterConfig) throws ServletException {
+      mode = filterConfig.getInitParameter(AppConfig.FRAME_OPTIONS_FILETER);
+      if (mode == null) {
+        mode = defaultMode;
+      }
+    }
+
+    @Override
+    public void doFilter(final ServletRequest request, final ServletResponse response, final
FilterChain chain)
+        throws IOException, ServletException {
+      final HttpServletResponse res = (HttpServletResponse) response;
+      res.setHeader("X-FRAME-OPTIONS", mode);
+      chain.doFilter(request, response);
+    }
+
+    @Override
+    public void destroy() {
+      // do nothing
+    }
+  }
+
   public PackagesResourceConfig makeJerseyConfig() {
     PackagesResourceConfig rc
       = new PackagesResourceConfig("org.apache.hive.hcatalog.templeton");
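Review bot: `XFrameOptionsFilter.init` copies whatever `templeton.frame.options.filter` holds straight into the response header, and browsers ignore an unrecognised X-Frame-Options value, so a typo in the configuration silently removes the clickjacking protection; validating the value at startup and failing with a `ServletException` keeps the feature fail-closed. Related nits in the same hunk: `makeFrameOptionFilter` passes `conf.get(...)`, which may be null, into `setInitParameter` (the null case is only recovered inside `init`, and I would not rely on the holder accepting a null value), the constant `defaultMode` should be `private static final String DEFAULT_MODE`, and the canonical header spelling is `X-Frame-Options`. The rewritten `init` below keeps the DENY default and accepts the three forms the webhcat-default.xml description documents.
```java
  public static class XFrameOptionsFilter implements Filter {
    private static final String DEFAULT_MODE = "DENY";

    private String mode = null;

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
      String configured = filterConfig.getInitParameter(AppConfig.FRAME_OPTIONS_FILETER);
      mode = (configured == null || configured.trim().isEmpty()) ? DEFAULT_MODE : configured.trim();
      // An unrecognised value would be ignored by browsers and silently disable the
      // protection, so reject it at startup rather than emit it.
      if (!"DENY".equalsIgnoreCase(mode) && !"SAMEORIGIN".equalsIgnoreCase(mode)
          && !mode.regionMatches(true, 0, "ALLOW-FROM ", 0, "ALLOW-FROM ".length())) {
        throw new ServletException("Invalid value for " + AppConfig.FRAME_OPTIONS_FILETER + ": " + mode);
      }
    }

    // … unchanged: doFilter signature and cast …
      res.setHeader("X-Frame-Options", mode);
    // … unchanged: chain.doFilter call, destroy …
```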

