This is an automated email from the ASF dual-hosted git repository.
mgreber pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/kudu.git
The following commit(s) were added to refs/heads/master by this push:
new 499fb94a2 [squeasel] Allow HTTP unsafe methods
499fb94a2 is described below
commit 499fb94a2e0147085d9add9047306820a9894b6a
Author: gabriellalotz <[email protected]>
AuthorDate: Wed Nov 13 13:38:29 2024 +0100
[squeasel] Allow HTTP unsafe methods
By default, Squeasel restricts the use of HTTP methods like PUT, DELETE,
and CONNECT [1]. However, these methods are essential for the REST
API's functionality in managing server resources. This patch introduces
the -DALLOW_UNSAFE_HTTP_METHODS build flag, following a commit that
added this option in response to OWASP security recommendations [2][3].
Although PUT and DELETE methods can modify server resources, enabling
them does not inherently pose a security risk. Proper security checks in
the webserver prevent unauthorized access and misuse.
For web services that require PUT and DELETE, it's essential to ensure
that these methods are accessible only to trusted users and operate in
safe conditions.
[1] https://github.com/cloudera/squeasel/blob/
d83cf6d9af0e2c98c16467a6a035ae0d7ca21cb1/squeasel.c#L220-L223
[2] https://github.com/cloudera/squeasel/commit/
e6409059a72293ff7be07f78a785581024cedb87
[3] https://web.archive.org/web/20190128223602/
https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)
Change-Id: I14580704c0274ca83f318bcdab6d4cf3509ec271
Reviewed-on: http://gerrit.cloudera.org:8080/22063
Reviewed-by: Zoltan Chovan <[email protected]>
Tested-by: Marton Greber <[email protected]>
Reviewed-by: Marton Greber <[email protected]>
---
src/kudu/server/webserver-test.cc | 14 +++++++++++++-
thirdparty/build-definitions.sh | 4 +++-
2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/src/kudu/server/webserver-test.cc
b/src/kudu/server/webserver-test.cc
index e5ca8aad2..ee1c12efd 100644
--- a/src/kudu/server/webserver-test.cc
+++ b/src/kudu/server/webserver-test.cc
@@ -150,7 +150,7 @@ class WebserverTest : public KuduTest {
curl_.set_return_headers(true);
ASSERT_OK(curl_.FetchURL(url_, &buf_));
ASSERT_STR_CONTAINS(buf_.ToString(),
- "Allow: GET, POST, HEAD, OPTIONS");
+ "Allow: GET, POST, HEAD, CONNECT, PUT, DELETE,
OPTIONS");
}
protected:
@@ -662,6 +662,18 @@ TEST_F(WebserverTest, TestStaticFiles) {
ASSERT_EQ("Remote error: HTTP 403", s.ToString());
}
+TEST_F(WebserverTest, TestDeleteMethodNotAllowed) {
+ curl_.set_custom_method("DELETE");
+ Status s = curl_.FetchURL(Substitute("$0/index.html", url_), &buf_);
+ ASSERT_EQ("Remote error: HTTP 401", s.ToString());
+}
+
+TEST_F(WebserverTest, TestPutMethodNotAllowed) {
+ curl_.set_custom_method("PUT");
+ Status s = curl_.FetchURL(Substitute("$0/index.html", url_), &buf_);
+ ASSERT_EQ("Remote error: HTTP 401", s.ToString());
+}
+
namespace {
// Handler that echoes back the path parameters and query parameters in
key-value pairs.
diff --git a/thirdparty/build-definitions.sh b/thirdparty/build-definitions.sh
index cdda081b2..b8c574f4c 100644
--- a/thirdparty/build-definitions.sh
+++ b/thirdparty/build-definitions.sh
@@ -708,7 +708,9 @@ build_squeasel() {
SQUEASEL_BDIR=$TP_BUILD_DIR/$SQUEASEL_NAME$MODE_SUFFIX
mkdir -p $SQUEASEL_BDIR
pushd $SQUEASEL_BDIR
- ${CC:-gcc} $EXTRA_CFLAGS $OPENSSL_CFLAGS $OPENSSL_LDFLAGS -std=c99 -O3
-DNDEBUG -fPIC -c "$SQUEASEL_SOURCE/squeasel.c"
+ CFLAGS="$EXTRA_CFLAGS \
+ -DALLOW_UNSAFE_HTTP_METHODS"
+ ${CC:-gcc} $CFLAGS $OPENSSL_CFLAGS $OPENSSL_LDFLAGS -std=c99 -O3 -DNDEBUG
-fPIC -c "$SQUEASEL_SOURCE/squeasel.c"
ar rs libsqueasel.a squeasel.o
cp libsqueasel.a $PREFIX/lib/
cp $SQUEASEL_SOURCE/squeasel.h $PREFIX/include/
