[ https://issues.apache.org/jira/browse/HDDS-2158?focusedWorklogId=322220&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-322220 ]
ASF GitHub Bot logged work on HDDS-2158: ---------------------------------------- Author: ASF GitHub Bot Created on: 02/Oct/19 20:26 Start Date: 02/Oct/19 20:26 Worklog Time Spent: 10m Work Description: bharatviswa504 commented on pull request #1486: HDDS-2158. Fixing Json Injection Issue in JsonUtils. URL: https://github.com/apache/hadoop/pull/1486#discussion_r330754661 ########## File path: hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/web/ozShell/bucket/RemoveAclBucketHandler.java ########## @@ -92,8 +92,9 @@ public Void call() throws Exception { boolean result = client.getObjectStore().removeAcl(obj, OzoneAcl.parseAcl(acl)); - System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter( - JsonUtils.toJsonString("Acl removed successfully: " + result))); + System.out.printf("%s%n", result ? "ACL removed successfully" : + "ACL not removed"); Review comment: From my understanding, addAcl behavior is if acl is added successfully returns true, it will return false when acl trying to be added already exists. > If we are trying to add an already existing ACL, shouldn't we return true? I think returning true is not right behavior, as it will not be clear whether add is successful or not. We should have returned with clear message to end user, what is differenece between true/false. `But I think that statement also does not convey the message properly. ` Agreed this was existing behavior, if you want to fix in a new Jira I am okay with that. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking ------------------- Worklog Id: (was: 322220) Time Spent: 3h 20m (was: 3h 10m) > Fix Json Injection in JsonUtils > ------------------------------- > > Key: HDDS-2158 > URL: https://issues.apache.org/jira/browse/HDDS-2158 > Project: Hadoop Distributed Data Store > Issue Type: Bug > Reporter: Hanisha Koneru > Assignee: Hanisha Koneru > Priority: Major > Labels: pull-request-available > Time Spent: 3h 20m > Remaining Estimate: 0h > > JsonUtils#toJsonStringWithDefaultPrettyPrinter() does not validate the Json > StringĀ before serializing it which could result in Json Injection. -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org