[
https://issues.apache.org/jira/browse/HBASE-15946?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sean Mackrory updated HBASE-15946:
----------------------------------
Attachment: HBASE-15946-v1.patch
I want to do a bit more testing on this patch and clean up a few things, but
here's the basic idea.
This adds a couple of things to the public interface of HFilePrettyPrinter to
make it usable directly from storeFile.jsp. It also validates that the file is
in HBase's root dir, which brings with it some caveats I want to make sure are
safe:
* It can be a fully qualified URL (e.g. hdfs://namenode:8020/hbase), relative
to the filesystem in hbase.rootdir or fs.defaultFS. This is how the RS Web UI
will pass it in. If we need to tolerate different hostnames or addresses that
would resolve to the same filesystem, this validation needs to get a lot more
complex.
* It can be an absolute path in the same filesystem. This makes more sense for
CLI usage.
* It can't be a relative URL. I can't think of how this could reasonably end up
getting provided. If it would be relative to the hbase rootdir, we can
easily verify that the file is there. If it would be relative to something
else, that would need to be handled.
Also need to be careful here about cases where /hbase is the root but /hbaseXYZ
exists, since I'm just appending strings and checking that the beginning is the
same. If the relative path XYZ was provided, the string would indeed begin with
HBase root.
> Eliminate possible security concerns in RS web UI's store file metrics
> ----------------------------------------------------------------------
>
> Key: HBASE-15946
> URL: https://issues.apache.org/jira/browse/HBASE-15946
> Project: HBase
> Issue Type: Bug
> Reporter: Sean Mackrory
> Assignee: Mikhail Antonov
> Attachments: HBASE-15946-v1.patch
>
>
> More from static code analysis: it warns about the invoking of a separate
> command ("hbase hfile -s -f ...") as a possible security issue in
> hbase-server/src/main/resources/hbase-webapps/regionserver/storeFile.jsp.
> It looks to me like one cannot inject arbitrary shell script or even
> arbitrary arguments: ProcessBuilder makes that fairly safe and only allows
> the user to specify the argument that comes after -f. However that does
> potentially allow them to have the daemon's user access files they shouldn't
> be able to touch, albeit only for reading.
> To more explicitly eliminate any threats here, we should add some validation
> that the file is at least within HBase's root directory and use the Java API
> directly instead of invoking a separate executable.
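The /hbase versus /hbaseXYZ prefix pitfall and the accepted and rejected path forms listed in the comment above, as an added example that is not part of the original message or the attached patch. Class and method names are hypothetical, it uses only java.net.URI rather than Hadoop's Path, it assumes the root is a fully qualified URI, and all sample values are constructed.

```java
import java.net.URI;
import java.util.Objects;

// Added illustration; names are hypothetical and are not HBase APIs.
public class RootDirCheck {

    // Plain string-prefix comparison: the pitfall raised in the comment.
    static boolean prefixCheck(String rootPath, String candidatePath) {
        return candidatePath.startsWith(rootPath);
    }

    // Component-aware containment check against a root such as hbase.rootdir.
    static boolean isUnderRoot(URI root, String candidate) {
        URI c;
        try {
            c = URI.create(candidate).normalize(); // collapses "." and "dir/.."
        } catch (IllegalArgumentException e) {
            return false; // not parseable as a URI: reject
        }
        String path = c.getPath();
        if (path == null || !path.startsWith("/")) {
            return false; // relative (or opaque) input is rejected outright
        }
        // If a scheme or authority is given, both must match the root exactly.
        // Aliases that resolve to the same filesystem are not handled here.
        boolean qualified = c.getScheme() != null || c.getAuthority() != null;
        if (qualified && !(root.getScheme().equalsIgnoreCase(c.getScheme())
                && Objects.equals(root.getAuthority(), c.getAuthority()))) {
            return false;
        }
        String rootPath = root.normalize().getPath().replaceAll("/+$", "");
        // Exact match, or the root followed by a path separator.
        return path.equals(rootPath) || path.startsWith(rootPath + "/");
    }

    public static void main(String[] args) {
        URI root = URI.create("hdfs://namenode:8020/hbase"); // constructed sample
        String[] samples = {                                 // constructed inputs
            "hdfs://namenode:8020/hbase/data/default/t1/r1/cf/f1",
            "/hbase/data/default/t1/r1/cf/f1",
            "/hbaseXYZ/f1",
            "/hbase/../etc/passwd",
            "XYZ",
            "hdfs://other:8020/hbase/f1",
        };
        for (String s : samples) {
            System.out.printf("%-52s prefix=%-5b component=%b%n", s,
                prefixCheck(root.getPath(), URI.create(s).getPath()), isUnderRoot(root, s));
        }
    }
}
```

The third and fourth samples pass the prefix comparison but fail the component-aware check, which is the gap the comment warns about.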