Repository: hadoop Updated Branches: refs/heads/branch-2 c2636468d -> 3fe7d36e7
YARN-6352. Header injections are possible in application proxy servlet (Naganarasimha G R via Varun Saxena) Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/3fe7d36e Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/3fe7d36e Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/3fe7d36e Branch: refs/heads/branch-2 Commit: 3fe7d36e72ec4167ad02e08a2414169385bad8c0 Parents: c263646 Author: Varun Saxena <[email protected]> Authored: Thu Mar 30 03:49:32 2017 +0530 Committer: Varun Saxena <[email protected]> Committed: Thu Mar 30 03:49:32 2017 +0530
----------------------------------------------------------------------
.../server/webproxy/WebAppProxyServlet.java | 8 +++- .../server/webproxy/TestWebAppProxyServlet.java | 41 ++++++++++++++++++++ 2 files changed, 48 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hadoop/blob/3fe7d36e/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/WebAppProxyServlet.java
----------------------------------------------------------------------
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/WebAppProxyServlet.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/WebAppProxyServlet.java
index b32ee30..65281ba 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/WebAppProxyServlet.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/WebAppProxyServlet.java
@@ -52,6 +52,7 @@ import org.apache.hadoop.yarn.api.records.ApplicationReport;
 import org.apache.hadoop.yarn.conf.YarnConfiguration;
 import org.apache.hadoop.yarn.exceptions.ApplicationNotFoundException;
 import org.apache.hadoop.yarn.exceptions.YarnException;
+import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
 import org.apache.hadoop.yarn.server.webproxy.AppReportFetcher.AppReportSource;
 import org.apache.hadoop.yarn.server.webproxy.AppReportFetcher.FetchedAppReport;
 import org.apache.hadoop.yarn.util.Apps;
@@ -348,7 +349,12 @@ public class WebAppProxyServlet extends HttpServlet {
       //parts[0] is empty because path info always starts with a /
       String appId = parts[1];
       String rest = parts.length > 2 ? parts[2] : "";
-      ApplicationId id = Apps.toAppID(appId);
+      ApplicationId id = null;
+      try {
+        id = Apps.toAppID(appId);
+      } catch (YarnRuntimeException e) {
+        throw new YarnRuntimeException("Error parsing Application Id");
+      }
       if (id == null) {
         LOG.warn("{} attempting to access {} that is invalid",
http://git-wip-us.apache.org/repos/asf/hadoop/blob/3fe7d36e/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/test/java/org/apache/hadoop/yarn/server/webproxy/TestWebAppProxyServlet.java
----------------------------------------------------------------------
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/test/java/org/apache/hadoop/yarn/server/webproxy/TestWebAppProxyServlet.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/test/java/org/apache/hadoop/yarn/server/webproxy/TestWebAppProxyServlet.java
index 7236982..990b6dd 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/test/java/org/apache/hadoop/yarn/server/webproxy/TestWebAppProxyServlet.java
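Review bot: The rethrow in the second hunk deliberately replaces the exception message with a constant and drops `e`, but nothing records why, so a later cleanup that chains the cause or reuses `e.getMessage()` would silently bring the header injection back. Add a comment above the throw, e.g. `// Do not chain or echo e: its message embeds the raw, client-supplied path segment`, and if the parse failure should stay diagnosable log it at debug level, bearing in mind that the logged message then carries that raw segment. A malformed id is a client error and the adjacent `if (id == null)` branch already has a dedicated path for an invalid id; leaving `id` null in the catch (or answering with a 4xx) instead of throwing would give one consistent client-facing response rather than an HTTP 500 through the generic error path. The hunk ends mid-statement — the `LOG.warn` call and the rest of the enclosing method continue outside it, and the hunk header's line counts suggest its tail is missing from this view.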
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/test/java/org/apache/hadoop/yarn/server/webproxy/TestWebAppProxyServlet.java
@@ -380,6 +380,47 @@ public class TestWebAppProxyServlet {
     }
   }
 
+  /**
+   * Test header injections are not done.
+   */
+  @Test(timeout=5000)
+  public void testWebAppProxyServerHeaderInjection() throws Exception {
+    WebAppProxyServer mainServer = null;
+    Configuration conf = new YarnConfiguration();
+    conf.set(YarnConfiguration.PROXY_ADDRESS, "localhost:9099");
+    try {
+      mainServer = WebAppProxyServer.startServer(conf);
+      int counter = 20;
+
+      URL wrongUrl = new URL(
+          "http://localhost:9099/proxy/%C4%8D%C4%8ASomeCustomInjectedHeader:%20"
+          + "injected_headerVal_1484290871375_0113/");
+      HttpURLConnection proxyConn = null;
+      while (counter > 0) {
+        counter--;
+        try {
+          proxyConn = (HttpURLConnection) wrongUrl.openConnection();
+          proxyConn.connect();
+          proxyConn.getResponseCode();
+          // server started ok
+          counter = 0;
+        } catch (Exception e) {
+          Thread.sleep(100);
+        }
+      }
+      assertNotNull(proxyConn);
+      // wrong application Id
+      assertEquals(HttpURLConnection.HTTP_INTERNAL_ERROR,
+          proxyConn.getResponseCode());
+      assertTrue("Header injection happened",
+          proxyConn.getHeaderField("SomeCustomInjectedHeader") == null);
+    } finally {
+      if (mainServer != null) {
+        mainServer.stop();
+      }
+    }
+  }
+
   private String readInputStream(InputStream input) throws Exception {
     ByteArrayOutputStream data = new ByteArrayOutputStream();
     byte[] buffer = new byte[512];
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
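Review bot: `assertTrue("Header injection happened", proxyConn.getHeaderField("SomeCustomInjectedHeader") == null)` reads better and fails with a more useful message as `assertNull("Header injection happened", proxyConn.getHeaderField("SomeCustomInjectedHeader"));`. The readiness loop catches bare `Exception` and sleeps, which also hides a genuinely broken request and only surfaces it as a null `proxyConn` twenty iterations later; catching `IOException` (what `openConnection`, `connect` and `getResponseCode` throw for a refused connection) keeps the retry while letting any other failure surface immediately. The test only checks one fixed header name; iterating `proxyConn.getHeaderFields()` and asserting that no header name or value contains the decoded marker string would catch the same class of injection regardless of where the attacker-controlled text gets split. The enclosing test class starts and ends outside the hunk; the added method itself is complete.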
