SeungYoungOh created ZEPPELIN-6142:
--------------------------------------
Summary: Apply synchronizer token pattern to terminal interpreter
for CSWSH protection
Key: ZEPPELIN-6142
URL: https://issues.apache.org/jira/browse/ZEPPELIN-6142
Project: Zeppelin
Issue Type: Task
Components: Interpreters
Reporter: SeungYoungOh
Assignee: SeungYoungOh
The terminal interpreter in Apache Zeppelin version 0.11.1 is reported with a
CSWSH (Cross-Site WebSocket Hijacking) vulnerability. A previous PR partially
addressed this issue by implementing an origin check. However, this measure
does not provide full protection to CSWSH.
To enhance security, I plan to implement the synchronizer token pattern as an
additional layer of protection.
References:
* [Spring Security WebSocket Same-Origin
Policy|https://docs.spring.io/spring-security/reference/servlet/integrations/websocket.html#websocket-sameorigin]
* [OWASP CSRF Prevention Cheat Sheet - Synchronizer Token
Pattern|https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#synchronizer-token-pattern]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
