Sean Mackrory created HBASE-15946:
-------------------------------------
Summary: Eliminate possible security concerns in RS web UI's store
file metrics
Key: HBASE-15946
URL: https://issues.apache.org/jira/browse/HBASE-15946
Project: HBase
Issue Type: Bug
Reporter: Sean Mackrory
More from static code analysis: it warns about the invoking of a separate
command ("hbase hfile -s -f ...") as a possible security issue in
hbase-server/src/main/resources/hbase-webapps/regionserver/storeFile.jsp.
It looks to me like one cannot inject arbitrary shell script or even arbitrary
arguments: ProcessBuilder makes that fairly safe and only allows the user to
specify the argument that comes after -f. However that does potentially allow
them to have the daemon's user access files they shouldn't be able to touch,
albeit only for reading.
To more explicitly eliminate any threats here, we should add some validation
that the file is at least within HBase's root directory and use the Java API
directly instead of invoking a separate executable.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
