[ https://issues.apache.org/jira/browse/HDFS-9711?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15124015#comment-15124015 ]
Chris Nauroth commented on HDFS-9711:
-------------------------------------

[~wheat9], sure thing. There is a more specific design document from [~lmccay] attached to the linked HADOOP-12691 issue. The scope of that issue is to provide an option for prevention of browser-based CSRF attacks across the stack. The attack vector described in that document is injection of an {{<img>}} tag to force a malicious HTTP GET. That scenario isn't directly relevant to WebHDFS, because WebHDFS doesn't implement mutating operations over GET, so I'll walk through a specific WebHDFS example.

Suppose an attacker hosts a malicious web form on a domain under his control. The form uses the POST action targeting a WebHDFS truncate URL. Through social engineering, the attacker tricks an authenticated user into accessing the form and submitting it.

Without CSRF prevention enabled:
# The browser sends the HTTP POST request to the NameNode.
# The NameNode sends a 307 redirect response targeting a DataNode.
# The browser repeats the same request to the DataNode URL.
# At the DataNode, the call executes and truncates the file.

With CSRF prevention enabled:
# The browser sends the HTTP POST request to the NameNode.
# The NameNode sends a 400 response with reason "Missing Required Header for Vulnerability Protection".
# The truncation doesn't happen.

Since an HTML form cannot set arbitrary custom headers, this attack cannot be altered to bypass the prevention. It is possible that the attacker's form could auto-submit an AJAX request that sets arbitrary headers, but in that case, we expect the browser's single origin policy to block the request. The same enforcement is applied at the DataNode too, so if the attacker somehow manages to bypass the NameNode redirect step, it would still be blocked. Both the web UI and {{WebHdfsFileSystem}} will send the required header if CSRF prevention is enabled, so they will continue to function normally.

Custom clients and scripting such as {{curl}} calls might need modifications to send the header, so this feature needs to be disabled by default for backwards-compatibility. The scope of HADOOP-12691 specifically targets browser-based attacks.

> Integrate CSRF prevention filter in WebHDFS.
> --------------------------------------------
>
> Key: HDFS-9711
> URL: https://issues.apache.org/jira/browse/HDFS-9711
> Project: Hadoop HDFS
> Issue Type: New Feature
> Components: datanode, namenode, webhdfs
> Reporter: Chris Nauroth
> Assignee: Chris Nauroth
> Attachments: HDFS-9711.001.patch, HDFS-9711.002.patch
>
>
> HADOOP-12691 introduced a filter in Hadoop Common to help REST APIs guard
> against cross-site request forgery attacks. This issue tracks integration of
> that filter in WebHDFS.
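The two request flows walked through in the comment above, as an added toy model in Python; this is not Hadoop's own filter code and not the patch attached to this issue. The required header name (`X-CSRF-HEADER`) and the DataNode address are assumptions, since the comment does not state them.

```python
# Added toy model of the enforcement sequence in the comment above, not
# Hadoop's own filter code. The header name is an assumption; the comment
# does not state which header the filter requires.
from dataclasses import dataclass, field

REQUIRED_HEADER = "X-CSRF-HEADER"  # assumed name, not from the page
MUTATING_METHODS = {"POST", "PUT", "DELETE"}

@dataclass
class Request:
    method: str
    path: str  # e.g. /webhdfs/v1/data.txt?op=TRUNCATE&newlength=0
    headers: dict = field(default_factory=dict)

@dataclass
class Response:
    status: int
    reason: str = ""
    location: str = ""

def csrf_filter(req, enabled):
    """Reject a mutating request that lacks the custom header. An HTML form
    cannot set custom headers, so a forged form POST never carries it."""
    if enabled and req.method in MUTATING_METHODS and REQUIRED_HEADER not in req.headers:
        return Response(400, "Missing Required Header for Vulnerability Protection")
    return None

def namenode(req, enabled):
    # Steps 1-2: the filter runs first; otherwise redirect to a DataNode.
    return csrf_filter(req, enabled) or Response(307, location="http://datanode:50075" + req.path)

def datanode(req, enabled, fs):
    # Same enforcement here, so skipping the NameNode step gains nothing.
    rejected = csrf_filter(req, enabled)
    if rejected:
        return rejected
    name, _, query = req.path.partition("?")
    params = dict(p.split("=", 1) for p in query.split("&") if p)
    if params.get("op") == "TRUNCATE":  # step 4: the mutation happens here
        fs[name.rsplit("/", 1)[-1]] = int(params["newlength"])
        return Response(200, "OK")
    return Response(400, "Unsupported op")

def submit(req, enabled, fs):
    """Drive one request the way a browser does: NameNode first, then on a
    307 repeat the same request (same headers) against the DataNode."""
    resp = namenode(req, enabled)
    if resp.status != 307:
        return resp
    return datanode(Request(req.method, req.path, dict(req.headers)), enabled, fs)
```

`fs` stands in for the file's length on the DataNode; running the forged POST with `enabled=False` truncates it, while `enabled=True` returns the 400 described above and leaves the length untouched, whether the request goes through the NameNode or straight to the DataNode.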