This is an automated email from the ASF dual-hosted git repository.
symat pushed a commit to branch branch-3.5
in repository https://gitbox.apache.org/repos/asf/zookeeper.git
The following commit(s) were added to refs/heads/branch-3.5 by this push:
new 7c723e4 ZOOKEEPER-3772: JettyAdminServer should not allow Http TRACE
method
7c723e4 is described below
commit 7c723e4e506d361c17c53a84d4b9c4c0e0c4bc5d
Author: Ling Jinjiang <[email protected]>
AuthorDate: Thu May 7 11:02:25 2020 +0000
ZOOKEEPER-3772: JettyAdminServer should not allow Http TRACE method
This PR is ZOOKEEPER-3772 applied to branch-3.5.
Author: Ling Jinjiang <[email protected]>
Author: lingjinjiang <[email protected]>
Reviewers: Enrico Olivelli <[email protected]>, Mate Szalay-Beko
<[email protected]>
Closes #1349 from lingjinjiang/branch-3.5
---
.../zookeeper/server/admin/JettyAdminServer.java | 23 ++++++++++++++++++++++
.../server/admin/JettyAdminServerTest.java | 19 ++++++++++++++++++
2 files changed, 42 insertions(+)
diff --git
a/zookeeper-server/src/main/java/org/apache/zookeeper/server/admin/JettyAdminServer.java
b/zookeeper-server/src/main/java/org/apache/zookeeper/server/admin/JettyAdminServer.java
index ff3de41..eff7eb9 100644
---
a/zookeeper-server/src/main/java/org/apache/zookeeper/server/admin/JettyAdminServer.java
+++
b/zookeeper-server/src/main/java/org/apache/zookeeper/server/admin/JettyAdminServer.java
@@ -31,11 +31,14 @@ import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.zookeeper.server.ZooKeeperServer;
+import org.eclipse.jetty.security.ConstraintMapping;
+import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.servlet.ServletContextHandler;
+import org.eclipse.jetty.util.security.Constraint;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -89,6 +92,7 @@ public class JettyAdminServer implements AdminServer {
ServletContextHandler context = new
ServletContextHandler(ServletContextHandler.SESSIONS);
context.setContextPath("/*");
+ constrainTraceMethod(context);
server.setHandler(context);
context.addServlet(new ServletHolder(new CommandServlet()), commandUrl
+ "/*");
@@ -195,4 +199,23 @@ public class JettyAdminServer implements AdminServer {
}
return links;
}
+
+ /**
+ * Add constraint to a given context to disallow TRACE method
+ * @param ctxHandler the context to modify
+ */
+ private void constrainTraceMethod(ServletContextHandler ctxHandler) {
+ Constraint c = new Constraint();
+ c.setAuthenticate(true);
+
+ ConstraintMapping cmt = new ConstraintMapping();
+ cmt.setConstraint(c);
+ cmt.setMethod("TRACE");
+ cmt.setPathSpec("/*");
+
+ ConstraintSecurityHandler securityHandler = new
ConstraintSecurityHandler();
+ securityHandler.setConstraintMappings(new ConstraintMapping[] {cmt});
+
+ ctxHandler.setSecurityHandler(securityHandler);
+ }
}
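Review bot: The mechanism behind the 403 is implicit in constrainTraceMethod: `c.setAuthenticate(true)` with no roles set is what Jetty treats as a "forbidden" constraint (as I recall, Constraint.isForbidden() is exactly authenticate-without-roles), so the TRACE request is rejected outright instead of being challenged for credentials, which is what a reader would otherwise expect from an authenticate flag. A comment on that line such as `// authenticate=true with no roles is a "forbidden" constraint in Jetty: TRACE gets 403 with no login challenge` would make the intent clear and stop a future maintainer from "fixing" it by adding roles or a LoginService. Giving the constraint a name, e.g. `c.setName("disable-trace");`, also makes it identifiable when the handler tree is dumped. The method is complete within the hunk.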
diff --git
a/zookeeper-server/src/test/java/org/apache/zookeeper/server/admin/JettyAdminServerTest.java
b/zookeeper-server/src/test/java/org/apache/zookeeper/server/admin/JettyAdminServerTest.java
index bc8aab6..682a47a 100644
---
a/zookeeper-server/src/test/java/org/apache/zookeeper/server/admin/JettyAdminServerTest.java
+++
b/zookeeper-server/src/test/java/org/apache/zookeeper/server/admin/JettyAdminServerTest.java
@@ -21,6 +21,7 @@ package org.apache.zookeeper.server.admin;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
+import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
@@ -58,6 +59,7 @@ public class JettyAdminServerTest extends ZKTestCase{
try {
server.start();
queryAdminServer(jettyAdminPort);
+ traceAdminServer(jettyAdminPort);
} finally {
server.shutdown();
}
@@ -159,4 +161,21 @@ public class JettyAdminServerTest extends ZKTestCase{
String line = dis.readLine();
Assert.assertTrue(line.length() > 0);
}
+
+ /**
+ * Using TRACE method to visit admin server
+ */
+ private void traceAdminServer(int port) throws IOException {
+ traceAdminServer(String.format(URL_FORMAT, port));
+ }
+
+ /**
+ * Using TRACE method to visit admin server, the response should be 403
forbidden
+ */
+ private void traceAdminServer(String urlStr) throws IOException {
+ HttpURLConnection conn = (HttpURLConnection) new
URL(urlStr).openConnection();
+ conn.setRequestMethod("TRACE");
+ conn.connect();
+ Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN,
conn.getResponseCode());
+ }
}
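Review bot: The HttpURLConnection opened in traceAdminServer(String) is never released: after getResponseCode() nothing calls conn.disconnect(), so the underlying socket lingers until GC, and a failed assertion leaves it open as well; the explicit conn.connect() is also redundant because getResponseCode() connects on demand. Wrapping the check as `try { Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode()); } finally { conn.disconnect(); }` keeps the test from leaking a connection either way. The Javadoc on the two overloads reads awkwardly; `Issues a TRACE request against the admin server and asserts that it is rejected with 403 Forbidden.` states the contract more directly.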