[
https://issues.apache.org/jira/browse/HBASE-15122?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15126718#comment-15126718
]
Samir Ahmic commented on HBASE-15122:
-------------------------------------
Here is relevant part of mvn dependency:tree -Dverbose:
{code}
[INFO] +- org.owasp.esapi:esapi:jar:2.1.0:compile
[INFO] | +- commons-configuration:commons-configuration:jar:1.5:compile
[INFO] | | +- (commons-collections:commons-collections:jar:3.2.2:compile -
version managed from 3.2; omitted for duplicate)
[INFO] | | +- (commons-lang:commons-lang:jar:2.6:compile - version managed
from 2.3; omitted for duplicate)
[INFO] | | +- (commons-logging:commons-logging:jar:1.2:compile - version
managed from 1.1; omitted for duplicate)
[INFO] | | +- commons-digester:commons-digester:jar:1.8:compile
[INFO] | | | +- commons-beanutils:commons-beanutils:jar:1.7.0:compile
[INFO] | | | | \- (commons-logging:commons-logging:jar:1.2:compile -
version managed from 1.0.3; omitted for duplicate)
[INFO] | | | \- (commons-logging:commons-logging:jar:1.2:compile - version
managed from 1.1; omitted for duplicate)
------------> [INFO] | | \-
(commons-beanutils:commons-beanutils-core:jar:1.7.0:compile - omitted for
duplicate)
[INFO] | +- commons-beanutils:commons-beanutils-core:jar:1.7.0:compile
[INFO] | | +- (commons-logging:commons-logging:jar:1.2:compile - version
managed from 1.0; omitted for duplicate)
[INFO] | | \- (commons-collections:commons-collections:jar:3.2.2:compile -
version managed from 2.0; omitted for duplicate)
[INFO] | +- commons-fileupload:commons-fileupload:jar:1.2:compile
[INFO] | +- (commons-collections:commons-collections:jar:3.2.2:compile -
version managed from 3.2; omitted for duplicate)
[INFO] | +- (log4j:log4j:jar:1.2.17:compile - version managed from 1.2.16;
omitted for duplicate)
[INFO] | +- xom:xom:jar:1.2.5:compile
[INFO] | | +- xml-apis:xml-apis:jar:1.3.03:compile
[INFO] | | +- (xerces:xercesImpl:jar:2.8.0:compile - omitted for conflict
with 2.9.1)
----------> [INFO] | | \- xalan:xalan:jar:2.7.0:compile
{code}
Both of those dependencies are introduced by this jira as compile dependencies
of OWAS ESAPI java project.
> Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER findbugs warnings
> ---------------------------------------------------------------------------
>
> Key: HBASE-15122
> URL: https://issues.apache.org/jira/browse/HBASE-15122
> Project: HBase
> Issue Type: Bug
> Reporter: stack
> Priority: Critical
> Attachments: HBASE-15122.patch
>
>
> In our JMXJsonServlet we are doing this:
> jsonpcb = request.getParameter(CALLBACK_PARAM);
> if (jsonpcb != null) {
> response.setContentType("application/javascript; charset=utf8");
> writer.write(jsonpcb + "(");
> ...
> Findbugs complains rightly. There are other instances in our servlets and
> then there are the pages generated by jamon excluded from findbugs checking
> (and findbugs volunteers that it is dumb in this regard finding only the most
> egregious of violations).
> We have no sanitizing tooling in hbase that I know of (correct me if I am
> wrong). I started to pull on this thread and it runs deep. Our Jamon
> templating (last updated in 2013 and before that, in 2011) engine doesn't
> seem to have sanitizing means either and there seems to be outstanding XSS
> complaint against jamon that goes unaddressed.
> Could pull in something like
> https://www.owasp.org/index.php/OWASP_Java_Encoder_Project and run all
> emissions via it or get a templating engine that has sanitizing built in.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
