ambari-issues mailing list archives

From "Szilard Antal (Jira)" <j...@apache.org>
Subject [jira] [Assigned] (AMBARI-25353) Seeing an error stack when running an API call against Ambari server
Date Mon, 02 Mar 2020 11:16:00 GMT

     [ https://issues.apache.org/jira/browse/AMBARI-25353?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Szilard Antal reassigned AMBARI-25353:
--------------------------------------

    Assignee: Szilard Antal

> Seeing an error stack when running an API call against Ambari server
> --------------------------------------------------------------------
>
>                 Key: AMBARI-25353
>                 URL: https://issues.apache.org/jira/browse/AMBARI-25353
>             Project: Ambari
>          Issue Type: Bug
>          Components: ambari-server
>            Reporter: Saurabh Lambe
>            Assignee: Szilard Antal
>            Priority: Major
>              Labels: security
>
> If an API call responds with stack traces that are not managed, it could reveal information useful to attackers. This information could then be used in further attacks. Providing debugging information as a result of operations that generate errors is considered a bad practice for multiple reasons. For example, it may contain information on internal workings of the application, such as relative paths of the point where the application is installed or how objects are referenced internally.
> When a runtime error occurs during request processing, the server will display debugging information to the requestor. Ideally, such debug information should be withheld from the requestor.
> More on the security threat:
> [CWE-209: Information Exposure Through an Error Message|https://cwe.mitre.org/data/definitions/209.html]
> [Improper Error Handling|https://www.owasp.org/index.php/Improper_Error_Handling]
>  I see the following error stack when I run an Ambari API call:
> {code:java}
> # curl -X GET -u admin:admin "http://<ambari-host>:8080/api/v1/security/userlist/q;%"
> HTTP ERROR 500
> Problem accessing /api/v1/security/userlist/q;%. Reason:
>     Server Error
> Caused by:
> org.springframework.security.web.firewall.RequestRejectedException: The request was rejected because the URL contained a potentially malicious String ";"
> 	at org.springframework.security.web.firewall.StrictHttpFirewall.rejectedBlacklistedUrls(StrictHttpFirewall.java:265)
> 	at org.springframework.security.web.firewall.StrictHttpFirewall.getFirewalledRequest(StrictHttpFirewall.java:245)
> 	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:193)
> 	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
> 	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
> 	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
> 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
> 	at org.apache.ambari.server.api.MethodOverrideFilter.doFilter(MethodOverrideFilter.java:73)
> 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
> 	at org.apache.ambari.server.api.AmbariPersistFilter.doFilter(AmbariPersistFilter.java:53)
> 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
> 	at org.apache.ambari.server.security.AbstractSecurityHeaderFilter.doFilter(AbstractSecurityHeaderFilter.java:130)
> 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
> 	at org.eclipse.jetty.servlets.GzipFilter.doFilter(GzipFilter.java:51)
> 	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642)
> 	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533)
> 	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:146)
> 	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
> 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
> 	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:257)
> 	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595)
> 	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
> 	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1340)
> 	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
> 	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473)
> 	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564)
> 	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
> 	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1242)
> 	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
> 	at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:740)
> 	at org.apache.ambari.server.controller.AmbariHandlerList.processHandlers(AmbariHandlerList.java:221)
> 	at org.apache.ambari.server.controller.AmbariHandlerList.processHandlers(AmbariHandlerList.java:210)
> 	at org.apache.ambari.server.controller.AmbariHandlerList.handle(AmbariHandlerList.java:140)
> 	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
> 	at org.eclipse.jetty.server.Server.handle(Server.java:503)
> 	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:364)
> 	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
> 	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
> 	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
> 	at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
> 	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
> 	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
> 	at java.lang.Thread.run(Thread.java:745)
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
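One way to close the leak the issue describes, as an added example that is not Ambari's own fix: a servlet filter that catches the RequestRejectedException thrown by Spring Security's StrictHttpFirewall before Jetty's default error page renders the stack trace, logs the detail server-side, and returns a generic 400 to the caller. It assumes the javax.servlet API seen in the trace plus SLF4J for logging; the filter name and the JSON error body are the example's own.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.web.firewall.RequestRejectedException;

// Hypothetical filter (not part of Ambari). It must be registered ahead of the
// springSecurityFilterChain (DelegatingFilterProxy) so that the exception thrown
// by StrictHttpFirewall propagates up through doFilter() below.
public class RequestRejectedExceptionFilter implements Filter {
  private static final Logger LOG = LoggerFactory.getLogger(RequestRejectedExceptionFilter.class);

  @Override
  public void init(FilterConfig filterConfig) { }

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException {
    try {
      chain.doFilter(request, response);
    } catch (RequestRejectedException e) {
      HttpServletRequest req = (HttpServletRequest) request;
      HttpServletResponse resp = (HttpServletResponse) response;
      // Keep the detail (method, path, client, firewall reason) in the server log,
      // where operators can see it, instead of echoing it to the caller.
      LOG.warn("Rejected request {} {} from {}: {}",
          req.getMethod(), req.getRequestURI(), req.getRemoteAddr(), e.getMessage());
      if (!resp.isCommitted()) {
        resp.reset();
        resp.setStatus(HttpServletResponse.SC_BAD_REQUEST);
        resp.setContentType("application/json");
        resp.getWriter().write("{\"status\":400,\"message\":\"Bad Request\"}");
      }
    }
  }

  @Override
  public void destroy() { }
}
```

With this in place the curl call from the report gets a short JSON 400 while the rejection reason, including the offending path, is still available in the server log for detection and troubleshooting.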
