[ https://issues.apache.org/jira/browse/HBASE-15122?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15135742#comment-15135742 ]
Hudson commented on HBASE-15122: -------------------------------- FAILURE: Integrated in HBase-Trunk_matrix #687 (See [https://builds.apache.org/job/HBase-Trunk_matrix/687/]) HBASE-15122 Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER (stack: rev efc7a0d34749091d8efa623e7424956b72d3bb59) * pom.xml * hbase-server/pom.xml * hbase-resource-bundle/src/main/resources/supplemental-models.xml * hbase-server/src/test/java/org/apache/hadoop/hbase/http/jmx/TestJMXJsonServlet.java * hbase-server/src/main/java/org/apache/hadoop/hbase/http/jmx/JMXJsonServlet.java * hbase-server/src/test/resources/ESAPI.properties * hbase-server/src/main/resources/ESAPI.properties > Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER findbugs warnings > --------------------------------------------------------------------------- > > Key: HBASE-15122 > URL: https://issues.apache.org/jira/browse/HBASE-15122 > Project: HBase > Issue Type: Bug > Reporter: stack > Priority: Critical > Attachments: HBASE-15122-v0-master, HBASE-15122.patch, > HBASE-15122_v1.patch, HBASE-15122_v2.patch, HBASE-15122_v3.patch > > > In our JMXJsonServlet we are doing this: > jsonpcb = request.getParameter(CALLBACK_PARAM); > if (jsonpcb != null) { > response.setContentType("application/javascript; charset=utf8"); > writer.write(jsonpcb + "("); > ... > Findbugs complains rightly. There are other instances in our servlets and > then there are the pages generated by jamon excluded from findbugs checking > (and findbugs volunteers that it is dumb in this regard finding only the most > egregious of violations). > We have no sanitizing tooling in hbase that I know of (correct me if I am > wrong). I started to pull on this thread and it runs deep. Our Jamon > templating (last updated in 2013 and before that, in 2011) engine doesn't > seem to have sanitizing means either and there seems to be outstanding XSS > complaint against jamon that goes unaddressed. > Could pull in something like > https://www.owasp.org/index.php/OWASP_Java_Encoder_Project and run all > emissions via it or get a templating engine that has sanitizing built in. -- This message was sent by Atlassian JIRA (v6.3.4#6332)