[ https://issues.apache.org/jira/browse/HDFS-9711?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15124015#comment-15124015 ]

Chris Nauroth commented on HDFS-9711:
-------------------------------------

[~wheat9], sure thing.

There is a more specific design document from [~lmccay] attached to the linked 
HADOOP-12691 issue.  The scope of that issue is to provide an option for 
prevention of browser-based CSRF attacks across the stack.  The attack vector 
described in that document is injection of an {{<img>}} tag to force a 
malicious HTTP GET.  That scenario isn't directly relevant to WebHDFS, because 
WebHDFS doesn't implement mutating operations over GET, so I'll walk through a 
specific WebHDFS example.

Suppose an attacker hosts a malicious web form on a domain under his control.  
The form uses the POST action targeting a WebHDFS truncate URL.  Through social 
engineering, the attacker tricks an authenticated user into accessing the form 
and submitting it.

Without CSRF prevention enabled:
# The browser sends the HTTP POST request to the NameNode.
# The NameNode sends a 307 redirect response targeting a DataNode.
# The browser repeats the same request to the DataNode URL.
# At the DataNode, the call executes and truncates the file.

With CSRF prevention enabled:
# The browser sends the HTTP POST request to the NameNode.
# The NameNode sends a 400 response with reason "Missing Required Header for 
Vulnerability Protection".
# The truncation doesn't happen.

Since an HTML form cannot set arbitrary custom headers, this attack cannot be 
altered to bypass the prevention.  It is possible that the attacker's form 
could auto-submit an AJAX request that sets arbitrary headers, but in that 
case, we expect the browser's single origin policy to block the request.

The same enforcement is applied at the DataNode too, so if the attacker somehow 
manages to bypass the NameNode redirect step, it would still be blocked.

Both the web UI and {{WebHdfsFileSystem}} will send the required header if CSRF 
prevention is enabled, so they will continue to function normally.  Custom 
clients and scripting such as {{curl}} calls might need modifications to send 
the header, so this feature needs to be disabled by default for 
backwards-compatibility.  The scope of HADOOP-12691 specifically targets 
browser-based attacks.
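As an added illustration of the check described in this comment (example code written here, not Hadoop's own filter or any WebHDFS code): a minimal WSGI filter that rejects state-changing requests lacking a custom header, run against a stand-in for the truncate operation. The header name `X-XSRF-HEADER`, the ignored-method list and the `simulate` helper are assumptions, not values taken from the page.

```python
"""Added example (not Hadoop code): CSRF prevention via a required custom header.
Header name and methods-to-ignore list below are assumptions, not from the page."""
from wsgiref.util import setup_testing_defaults

REASON = "Missing Required Header for Vulnerability Protection"

def csrf_prevention_filter(app, header="X-XSRF-HEADER",
                           methods_to_ignore=("GET", "OPTIONS", "HEAD", "TRACE")):
    """Wrap a WSGI app; mutating requests without the header get a 400.
    An HTML form cannot add custom headers, so a cross-site form POST stops
    here; same-origin JS and CLI clients simply add the header."""
    env_key = "HTTP_" + header.upper().replace("-", "_")

    def filtered(environ, start_response):
        if environ["REQUEST_METHOD"] in methods_to_ignore or env_key in environ:
            return app(environ, start_response)
        start_response("400 " + REASON, [("Content-Type", "text/plain")])
        return [REASON.encode()]
    return filtered

def truncate_op(environ, start_response):
    """Constructed stand-in for the WebHDFS op; performs no real truncation."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"truncated"]

def simulate(method, headers=None):
    """Send one request through the filtered app; return (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    environ["PATH_INFO"] = "/webhdfs/v1/tmp/f"          # constructed path
    environ["QUERY_STRING"] = "op=TRUNCATE&newlength=0"  # constructed query
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status
    body = b"".join(csrf_prevention_filter(truncate_op)(environ, start_response))
    return captured["status"], body.decode()

if __name__ == "__main__":
    print("cross-site form POST  :", simulate("POST"))                          # 400
    print("WebHdfsFileSystem POST:", simulate("POST", {"X-XSRF-HEADER": ""}))  # 200
    print("plain GET             :", simulate("GET"))                           # 200
```

Only the header's presence is checked, which is why a scripted `curl` call needs just one extra `-H` argument once the feature is switched on.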

> Integrate CSRF prevention filter in WebHDFS.
> --------------------------------------------
>
>                 Key: HDFS-9711
>                 URL: https://issues.apache.org/jira/browse/HDFS-9711
>             Project: Hadoop HDFS
>          Issue Type: New Feature
>          Components: datanode, namenode, webhdfs
>            Reporter: Chris Nauroth
>            Assignee: Chris Nauroth
>         Attachments: HDFS-9711.001.patch, HDFS-9711.002.patch
>
>
> HADOOP-12691 introduced a filter in Hadoop Common to help REST APIs guard 
> against cross-site request forgery attacks.  This issue tracks integration of 
> that filter in WebHDFS.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
