This is an automated email from the ASF dual-hosted git repository.

krisztiankasa pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/hive.git


The following commit(s) were added to refs/heads/master by this push:
     new 174ac6215a2 HIVE-28653: Jetty version disclosure in Hive (#5800)
174ac6215a2 is described below

commit 174ac6215a2b70c655d3dcfed3dc0001ecb97b9b
Author: Krisztian Kasa <[email protected]>
AuthorDate: Wed May 7 08:25:47 2025 +0200

    HIVE-28653: Jetty version disclosure in Hive (#5800)
---
 .../src/java/org/apache/hive/http/HttpServer.java  |  2 +
 .../org/apache/hive/hcatalog/templeton/Main.java   |  2 +
 .../org/apache/hive/service/TestHttpServices.java  | 93 ++++++++++++++++++++++
 .../service/cli/thrift/ThriftHttpCLIService.java   |  2 +
 .../hadoop/hive/metastore/HiveMetaStore.java       |  2 +
 5 files changed, 101 insertions(+)

diff --git a/common/src/java/org/apache/hive/http/HttpServer.java 
b/common/src/java/org/apache/hive/http/HttpServer.java
index 0499f16e305..06aa473ac18 100644
--- a/common/src/java/org/apache/hive/http/HttpServer.java
+++ b/common/src/java/org/apache/hive/http/HttpServer.java
@@ -652,6 +652,8 @@ ServerConnector createAndAddChannelConnector(int queueSize, 
Builder b) {
 
     final HttpConfiguration conf = new HttpConfiguration();
     conf.setRequestHeaderSize(1024*64);
+    conf.setSendServerVersion(false);
+    conf.setSendXPoweredBy(false);
     final HttpConnectionFactory http = new HttpConnectionFactory(conf);
 
     if (!b.useSSL) {
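Review bot: The two new `conf` setters carry no comment explaining why Jetty's defaults are being overridden, and the identical pair is repeated verbatim in Main.java, ThriftHttpCLIService.java and HiveMetaStore.java below; a one-line `// HIVE-28653: do not advertise the Jetty version via the Server / X-Powered-By headers` at each site would tie the four copies to the ticket for the next reader. These flags only suppress the headers Jetty itself emits on the connector built from this `HttpConfiguration`; createAndAddChannelConnector starts before and continues past this hunk, so whether the SSL branch reuses `conf` or builds another configuration is not visible here and is worth confirming. Any handler or filter that sets a `Server` header explicitly is unaffected by this change.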
diff --git 
a/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/Main.java
 
b/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/Main.java
index 751120d8dc8..1573187741d 100644
--- 
a/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/Main.java
+++ 
b/hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/Main.java
@@ -282,6 +282,8 @@ private Connector createChannelConnector(Server server) {
     ServerConnector connector;
     final HttpConfiguration httpConf = new HttpConfiguration();
     httpConf.setRequestHeaderSize(1024 * 64);
+    httpConf.setSendServerVersion(false);
+    httpConf.setSendXPoweredBy(false);
     final HttpConnectionFactory http = new HttpConnectionFactory(httpConf);
 
     if (conf.getBoolean(AppConfig.USE_SSL, false)) {
diff --git 
a/itests/hive-unit/src/test/java/org/apache/hive/service/TestHttpServices.java 
b/itests/hive-unit/src/test/java/org/apache/hive/service/TestHttpServices.java
new file mode 100644
index 00000000000..9aa0e260f15
--- /dev/null
+++ 
b/itests/hive-unit/src/test/java/org/apache/hive/service/TestHttpServices.java
@@ -0,0 +1,93 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hive.service;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.metastore.conf.MetastoreConf;
+import org.apache.hc.client5.http.classic.methods.HttpGet;
+import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
+import org.apache.hc.client5.http.impl.classic.CloseableHttpResponse;
+import org.apache.hc.client5.http.impl.classic.HttpClients;
+import org.apache.hc.core5.http.Header;
+import org.apache.hive.jdbc.miniHS2.MiniHS2;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import java.io.IOException;
+import java.util.HashMap;
+
+public class TestHttpServices {
+
+  private static MiniHS2 miniHS2 = null;
+
+  @BeforeClass
+  public static void startServices() throws Exception {
+    HiveConf hiveConf = new HiveConf();
+    hiveConf.set(MetastoreConf.ConfVars.THRIFT_TRANSPORT_MODE.toString(), 
"http"); // HS2 -> HMS thrift on http
+
+    miniHS2 = new MiniHS2.Builder()
+            .withConf(hiveConf)
+            .withHTTPTransport() // Cli service -> HS2 thrift on http
+            .withRemoteMetastore()
+            .build();
+
+    miniHS2.start(new HashMap<>());
+  }
+
+  @AfterClass
+  public static void stopServices() {
+    if (miniHS2 != null && miniHS2.isStarted()) {
+      miniHS2.stop();
+    }
+  }
+
+  @Test
+  public void testWebUIResponseDoesNotContainServerVersionAndXPoweredBy() 
throws Exception {
+    testHttpServiceDoesNotContainServerVersionAndXPoweredBy(
+            "http://"; + miniHS2.getHost() + ":" + miniHS2.getWebPort());
+  }
+
+  @Test
+  public void testCliServiceResponseDoesNotContainServerVersionAndXPoweredBy() 
throws Exception {
+    testHttpServiceDoesNotContainServerVersionAndXPoweredBy(
+            "http://"; + miniHS2.getHost() + ":" + miniHS2.getWebPort() + 
"/cliservice");
+  }
+
+  @Test
+  public void testHMSServiceResponseDoesNotContainServerVersionAndXPoweredBy() 
throws Exception {
+    testHttpServiceDoesNotContainServerVersionAndXPoweredBy(
+            "http://"; + miniHS2.getHost() + ":" + miniHS2.getWebPort() + "/" +
+            
MetastoreConf.ConfVars.METASTORE_CLIENT_THRIFT_HTTP_PATH.getDefaultVal());
+  }
+
+  private void testHttpServiceDoesNotContainServerVersionAndXPoweredBy(String 
miniHS2) throws IOException {
+    try (CloseableHttpClient httpClient = HttpClients.createDefault()) {
+      HttpGet request = new HttpGet(miniHS2);
+
+      try (CloseableHttpResponse response = httpClient.execute(request)) {
+        for (Header header : response.getHeaders()) {
+          Assert.assertNotEquals("x-powered-by", 
header.getName().toLowerCase());
+          Assert.assertNotEquals("server", header.getName().toLowerCase());
+        }
+      }
+    }
+  }
+}
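Review bot: All three test methods build their URL from `miniHS2.getWebPort()` (lines 132, 139 and 147), so the "CliService" and "HMS" variants most likely hit the Web UI Jetty instance at `/cliservice` and at the metastore path rather than the ThriftHttpCLIService and HiveMetaStore connectors this commit also changes; unless MiniHS2's web server serves those paths, the second and third tests cover the same connector as the first, and a 404 from it still passes the header loop. Using MiniHS2's accessors for the HS2 HTTP thrift port and the remote metastore port (whichever it exposes) would exercise all four connector hunks, and asserting on the response status would make a misrouted request visible. Separately, the helper's `String miniHS2` parameter shadows the static `miniHS2` field; `private void testHttpServiceDoesNotContainServerVersionAndXPoweredBy(String url) throws IOException {` with `new HttpGet(url)` avoids the confusion. The `"http://";` on lines 132, 139 and 147 looks like an archive rendering artifact rather than source, since a `;` there would not compile.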
diff --git 
a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java 
b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java
index 63d23c11d38..0a5fb45a1c8 100644
--- 
a/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java
+++ 
b/service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java
@@ -123,6 +123,8 @@ public void setThreadFactory(ThreadFactory threadFactory) {
           
hiveConf.getIntVar(ConfVars.HIVE_SERVER2_THRIFT_HTTP_RESPONSE_HEADER_SIZE);
       conf.setRequestHeaderSize(requestHeaderSize);
       conf.setResponseHeaderSize(responseHeaderSize);
+      conf.setSendServerVersion(false);
+      conf.setSendXPoweredBy(false);
       final HttpConnectionFactory http = new HttpConnectionFactory(conf) {
         public Connection newConnection(Connector connector, EndPoint 
endPoint) {
           Connection connection = super.newConnection(connector, endPoint);
diff --git 
a/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
 
b/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
index c30e000cba5..25a29869226 100644
--- 
a/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
+++ 
b/standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
@@ -395,6 +395,8 @@ public void setThreadFactory(ThreadFactory threadFactory) {
         MetastoreConf.getIntVar(conf, 
ConfVars.METASTORE_THRIFT_HTTP_REQUEST_HEADER_SIZE));
     httpServerConf.setResponseHeaderSize(
         MetastoreConf.getIntVar(conf, 
ConfVars.METASTORE_THRIFT_HTTP_RESPONSE_HEADER_SIZE));
+    httpServerConf.setSendServerVersion(false);
+    httpServerConf.setSendXPoweredBy(false);
 
     final HttpConnectionFactory http = new 
HttpConnectionFactory(httpServerConf);
 
