[jira] [Commented] (HBASE-15122) Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER findbugs warnings

Sat, 06 Feb 2016 04:02:47 -0800 

    [ 
https://issues.apache.org/jira/browse/HBASE-15122?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15135742#comment-15135742
 ] 

Hudson commented on HBASE-15122:
--------------------------------

FAILURE: Integrated in HBase-Trunk_matrix #687 (See 
[https://builds.apache.org/job/HBase-Trunk_matrix/687/])
HBASE-15122 Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER (stack: 
rev efc7a0d34749091d8efa623e7424956b72d3bb59)
* pom.xml
* hbase-server/pom.xml
* hbase-resource-bundle/src/main/resources/supplemental-models.xml
* 
hbase-server/src/test/java/org/apache/hadoop/hbase/http/jmx/TestJMXJsonServlet.java
* 
hbase-server/src/main/java/org/apache/hadoop/hbase/http/jmx/JMXJsonServlet.java
* hbase-server/src/test/resources/ESAPI.properties
* hbase-server/src/main/resources/ESAPI.properties


> Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER findbugs warnings
> ---------------------------------------------------------------------------
>
>                 Key: HBASE-15122
>                 URL: https://issues.apache.org/jira/browse/HBASE-15122
>             Project: HBase
>          Issue Type: Bug
>            Reporter: stack
>            Priority: Critical
>         Attachments: HBASE-15122-v0-master, HBASE-15122.patch, 
> HBASE-15122_v1.patch, HBASE-15122_v2.patch, HBASE-15122_v3.patch
>
>
> In our JMXJsonServlet we are doing this:
>         jsonpcb = request.getParameter(CALLBACK_PARAM);
>         if (jsonpcb != null) {
>           response.setContentType("application/javascript; charset=utf8");
>           writer.write(jsonpcb + "(");
> ... 
> Findbugs complains rightly. There are other instances in our servlets and 
> then there are the pages generated by jamon excluded from findbugs checking 
> (and findbugs volunteers that it is dumb in this regard finding only the most 
> egregious of violations).
> We have no sanitizing tooling in hbase that I know of (correct me if I am 
> wrong). I started to pull on this thread and it runs deep. Our Jamon 
> templating (last updated in 2013 and before that, in 2011) engine doesn't 
> seem to have sanitizing means either and there seems to be outstanding XSS 
> complaint against jamon that goes unaddressed.
> Could pull in something like 
> https://www.owasp.org/index.php/OWASP_Java_Encoder_Project and run all 
> emissions via it or get a templating engine that has sanitizing built in. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to