This is an automated email from the ASF dual-hosted git repository. dlych pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/asterixdb.git
commit 95662c4bce6719f7a9156e21ab17bccd11c55e68
Author: Ian Maxon <[email protected]>
AuthorDate: Sat Apr 10 13:18:05 2021 -0700
[NO ISSUE] Restrict UDF modification
Change-Id: I2cc23138793ae562cfa42c841b3bc4202391d9a1
Reviewed-on: https://asterix-gerrit.ics.uci.edu/c/asterixdb/+/11003
Integration-Tests: Jenkins <[email protected]>
Tested-by: Jenkins <[email protected]>
Reviewed-by: Ian Maxon <[email protected]>
Reviewed-by: Till Westmann <[email protected]>
---
 .../asterix/api/http/server/NCUdfApiServlet.java | 33 ++++++++++++++++++++--
 .../apache/asterix/test/common/TestExecutor.java | 17 +++++++++++
 2 files changed, 47 insertions(+), 3 deletions(-)
diff --git a/asterixdb/asterix-app/src/main/java/org/apache/asterix/api/http/server/NCUdfApiServlet.java b/asterixdb/asterix-app/src/main/java/org/apache/asterix/api/http/server/NCUdfApiServlet.java
index fec0b38..9efb6f8 100644
--- a/asterixdb/asterix-app/src/main/java/org/apache/asterix/api/http/server/NCUdfApiServlet.java
+++ b/asterixdb/asterix-app/src/main/java/org/apache/asterix/api/http/server/NCUdfApiServlet.java
@@ -20,13 +20,13 @@ package org.apache.asterix.api.http.server;
 import static org.apache.asterix.api.http.server.ServletConstants.SYS_AUTH_HEADER;
 import static org.apache.asterix.common.library.LibraryDescriptor.FIELD_HASH;
-import static org.apache.hyracks.api.exceptions.IFormattedException.getError;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.io.PrintWriter;
+import java.net.InetAddress;
 import java.net.URI;
 import java.nio.file.Files;
 import java.nio.file.Path;
@@ -295,14 +295,41 @@ public class NCUdfApiServlet extends AbstractNCUdfServlet {
 responseWriter.flush();
 }
+ protected boolean isRequestPermittedForWrite(IServletRequest request, IServletResponse response) {
+ if (!isRequestOnLoopback(request)) {
+ rejectForbidden(response);
+ return false;
+ }
+ return true;
+ }
+
+ protected boolean isRequestOnLoopback(IServletRequest request) {
+ if (request.getLocalAddress() != null && request.getRemoteAddress() != null) {
+ InetAddress local = request.getLocalAddress().getAddress();
+ InetAddress remote = request.getRemoteAddress().getAddress();
+ return remote.isLoopbackAddress() && local.isLoopbackAddress();
+ } else {
+ return false;
+ }
+ }
+
+ protected static void rejectForbidden(IServletResponse response) {
+ response.setStatus(HttpResponseStatus.FORBIDDEN);
+ response.writer().write("{ \"error\": \"Forbidden\" }");
+ }
+
 @Override
 protected void post(IServletRequest request, IServletResponse response) {
- handleModification(request, response, LibraryOperation.UPSERT);
+ if (isRequestPermittedForWrite(request, response)) {
+ handleModification(request, response, LibraryOperation.UPSERT);
+ }
 }
 @Override
 protected void delete(IServletRequest request, IServletResponse response) {
- handleModification(request, response, LibraryOperation.DELETE);
+ if (isRequestPermittedForWrite(request, response)) {
+ handleModification(request, response, LibraryOperation.DELETE);
+ }
 }
 }
diff --git a/asterixdb/asterix-app/src/test/java/org/apache/asterix/test/common/TestExecutor.java b/asterixdb/asterix-app/src/test/java/org/apache/asterix/test/common/TestExecutor.java
index f347b77..28b7fb3 100644
--- a/asterixdb/asterix-app/src/test/java/org/apache/asterix/test/common/TestExecutor.java
+++ b/asterixdb/asterix-app/src/test/java/org/apache/asterix/test/common/TestExecutor.java
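Review bot: `isRequestOnLoopback` null-checks the two socket addresses but then dereferences whatever each `getAddress()` returns; if those are `java.net.InetSocketAddress` values, `getAddress()` is null for an unresolved address and the `isLoopbackAddress()` call would throw, so the caller would get an unhandled exception instead of the intended 403. Fold the null checks into the result: `return local != null && remote != null && remote.isLoopbackAddress() && local.isLoopbackAddress();`. The method also deserves a Javadoc stating that it trusts only the transport-level peer address, so a proxy or tunnel terminating on the same host makes external callers appear local, and that forwarded-for style headers are deliberately not consulted because they are caller-controlled. `rejectForbidden` writes a JSON body without setting a content type; if the servlet's other error paths set one, match them here.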
@@ -2471,6 +2471,23 @@ public class TestExecutor {
 + cUnit.getName() + "_qbc.adm");
 }
+ protected URI createLocalOnlyEndpointURI(String pathAndQuery) throws URISyntaxException {
+ InetSocketAddress endpoint;
+ if (!ncEndPointsList.isEmpty() && (pathAndQuery.equals(Servlets.QUERY_SERVICE)
+ || pathAndQuery.startsWith(Servlets.getAbsolutePath(Servlets.UDF)))) {
+ int endpointIdx = Math.abs(endpointSelector++ % ncEndPointsList.size());
+ endpoint = ncEndPointsList.get(endpointIdx);
+ } else if (isCcEndPointPath(pathAndQuery)) {
+ int endpointIdx = Math.abs(endpointSelector++ % endpoints.size());
+ endpoint = endpoints.get(endpointIdx);
+ } else {
+ throw new IllegalArgumentException("Invalid local endpoint format");
+ }
+ URI uri = URI.create("http://" + toHostPort("localhost", endpoint.getPort()) + pathAndQuery);
+ LOGGER.debug("Created endpoint URI: " + uri);
+ return uri;
+ }
+
 protected URI createEndpointURI(String pathAndQuery) throws URISyntaxException {
 InetSocketAddress endpoint;
 if (!ncEndPointsList.isEmpty() && (pathAndQuery.equals(Servlets.QUERY_SERVICE)
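Review bot: `createLocalOnlyEndpointURI` duplicates the body of `createEndpointURI` directly below it (whose first lines are the trailing context here and whose remainder is outside the hunk) with only the host replaced by the literal `"localhost"`, so the two selection branches and their error message will drift independently. Prefer a shared overload `createEndpointURI(String host, String pathAndQuery)` that both call, so the new method reduces to `return createEndpointURI("localhost", pathAndQuery);`. The debug line builds its message by concatenation; if `LOGGER` accepts parameterized messages, `LOGGER.debug("Created endpoint URI: {}", uri);` skips the concat when debug is off.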
