Repository: hadoop
Updated Branches:
refs/heads/branch-2.8 ba3a72698 -> a2020024e
YARN-6352. Header injections are possible in application proxy servlet
(Naganarasimha G R via Varun Saxena)
(cherry picked from commit 3fe7d36e72ec4167ad02e08a2414169385bad8c0)
Conflicts:
hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/WebAppProxyServlet.java
Project: http://git-wip-us.apache.org/repos/asf/hadoop/repo
Commit: http://git-wip-us.apache.org/repos/asf/hadoop/commit/a2020024
Tree: http://git-wip-us.apache.org/repos/asf/hadoop/tree/a2020024
Diff: http://git-wip-us.apache.org/repos/asf/hadoop/diff/a2020024
Branch: refs/heads/branch-2.8
Commit: a2020024e218939c4912c7cb02a90c0e9e5e5bef
Parents: ba3a726
Author: Varun Saxena <[email protected]>
Authored: Thu Mar 30 03:49:32 2017 +0530
Committer: Varun Saxena <[email protected]>
Committed: Thu Mar 30 04:06:54 2017 +0530
----------------------------------------------------------------------
.../server/webproxy/WebAppProxyServlet.java | 11 +++++-
.../server/webproxy/TestWebAppProxyServlet.java | 41 ++++++++++++++++++++
2 files changed, 50 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hadoop/blob/a2020024/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/WebAppProxyServlet.java
----------------------------------------------------------------------
diff --git
a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/WebAppProxyServlet.java
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/WebAppProxyServlet.java
index 0b621aa..b78b309 100644
---
a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/WebAppProxyServlet.java
+++
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/WebAppProxyServlet.java
@@ -49,6 +49,7 @@ import org.apache.hadoop.yarn.api.records.ApplicationReport;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.exceptions.ApplicationNotFoundException;
import org.apache.hadoop.yarn.exceptions.YarnException;
+import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
import org.apache.hadoop.yarn.server.webproxy.AppReportFetcher.AppReportSource;
import
org.apache.hadoop.yarn.server.webproxy.AppReportFetcher.FetchedAppReport;
import org.apache.hadoop.yarn.util.Apps;
@@ -327,8 +328,14 @@ public class WebAppProxyServlet extends HttpServlet {
//parts[0] is empty because path info always starts with a /
String appId = parts[1];
String rest = parts.length > 2 ? parts[2] : "";
- ApplicationId id = Apps.toAppID(appId);
- if(id == null) {
+ ApplicationId id = null;
+ try {
+ id = Apps.toAppID(appId);
+ } catch (YarnRuntimeException e) {
+ throw new YarnRuntimeException("Error parsing Application Id");
+ }
+
+ if (id == null) {
LOG.warn("{} attempting to access {} that is invalid",
remoteUser, appId);
notFound(resp, appId + " appears to be formatted incorrectly.");
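Review bot: The `catch (YarnRuntimeException e)` block rethrows a fresh exception and discards `e`, so the original parse failure and its stack trace are lost to operators while nothing is logged in their place. Keeping the client-controlled text out of the rethrown message is the right call here, since that message is what the error response is built from; the diagnostic detail belongs in the server log instead, e.g. `LOG.debug("Error parsing Application Id", e);` before the `throw`, mirroring the `LOG.warn(...)` the `id == null` branch already emits. Note also that a malformed id now surfaces as a 500 via the rethrow while the `id == null` branch a few lines below answers through `notFound(...)`; whether a malformed client-supplied id should be reported as a server error rather than a client error seems worth a second look, although the new test pins the 500. The enclosing method starts and ends outside the hunk.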
http://git-wip-us.apache.org/repos/asf/hadoop/blob/a2020024/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/test/java/org/apache/hadoop/yarn/server/webproxy/TestWebAppProxyServlet.java
----------------------------------------------------------------------
diff --git
a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/test/java/org/apache/hadoop/yarn/server/webproxy/TestWebAppProxyServlet.java
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/test/java/org/apache/hadoop/yarn/server/webproxy/TestWebAppProxyServlet.java
index 330e4de..6de14c5 100644
---
a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/test/java/org/apache/hadoop/yarn/server/webproxy/TestWebAppProxyServlet.java
+++
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/test/java/org/apache/hadoop/yarn/server/webproxy/TestWebAppProxyServlet.java
@@ -358,6 +358,47 @@ public class TestWebAppProxyServlet {
}
}
+ /**
+ * Test header injections are not done.
+ */
+ @Test(timeout=5000)
+ public void testWebAppProxyServerHeaderInjection() throws Exception {
+ WebAppProxyServer mainServer = null;
+ Configuration conf = new YarnConfiguration();
+ conf.set(YarnConfiguration.PROXY_ADDRESS, "localhost:9099");
+ try {
+ mainServer = WebAppProxyServer.startServer(conf);
+ int counter = 20;
+
+ URL wrongUrl = new URL(
+
"http://localhost:9099/proxy/%C4%8D%C4%8ASomeCustomInjectedHeader:%20"
+ + "injected_headerVal_1484290871375_0113/");
+ HttpURLConnection proxyConn = null;
+ while (counter > 0) {
+ counter--;
+ try {
+ proxyConn = (HttpURLConnection) wrongUrl.openConnection();
+ proxyConn.connect();
+ proxyConn.getResponseCode();
+ // server started ok
+ counter = 0;
+ } catch (Exception e) {
+ Thread.sleep(100);
+ }
+ }
+ assertNotNull(proxyConn);
+ // wrong application Id
+ assertEquals(HttpURLConnection.HTTP_INTERNAL_ERROR,
+ proxyConn.getResponseCode());
+ assertTrue("Header injection happened",
+ proxyConn.getHeaderField("SomeCustomInjectedHeader") == null);
+ } finally {
+ if (mainServer != null) {
+ mainServer.stop();
+ }
+ }
+ }
+
private String readInputStream(InputStream input) throws Exception {
ByteArrayOutputStream data = new ByteArrayOutputStream();
byte[] buffer = new byte[512];
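Review bot: `assertTrue("Header injection happened", proxyConn.getHeaderField("SomeCustomInjectedHeader") == null)` reads more naturally as `assertNull("Header injection happened", proxyConn.getHeaderField("SomeCustomInjectedHeader"))` (adding the static import if the file lacks it), and on failure JUnit then reports the injected header value instead of a bare `false`. The retry loop's `catch (Exception e)` discards every connection failure, so if the proxy never comes up within the 20 attempts the test fails at `assertNotNull(proxyConn)` with no indication of why; holding on to the last exception and including it in that assertion message would make a flaky start-up diagnosable. `proxyConn` is also never released; a `proxyConn.disconnect()` guarded by a null check in the `finally` block would close the connection alongside `mainServer.stop()`.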