[
https://issues.apache.org/jira/browse/HBASE-15946?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Sean Mackrory updated HBASE-15946:
----------------------------------
Attachment: HBASE-15946-v2.patch
Did some clean up, including closing stuff in a finally, explicitly adding the
separator to the expected root so /hbaseXYZ isn't considered a match, and
System.exit is now purged from everything under run(), not just processFile().
As for using the output of the JSP directly, there's an OutputStream we can use
but then the user just sees the raw text without linebreaks instead of the nice
attractive, formatted page you have now. There's also a PrintWriter, but
there's no shared interface between that and PrintStream which is needed for
the CLI tool to do System.out - so we'd need to make our own layer of
indirection there or something. I'll think about that some more.
I would like to have a better way of "canonicalizing" this than strings, but I
don't see that being feasible in the underlying FileSystem interface. I do like
the idea of passing in the table, region, etc. and having HFilePrettyPrinter
construct the path on its own, however that would be a more incompatible
change. I *think* the current one shouldn't break anything, so I'd personally
prefer to make the compatible change so that patch exists and then perhaps
restructure the command entirely to do that. Thoughts?
> Eliminate possible security concerns in RS web UI's store file metrics
> ----------------------------------------------------------------------
>
> Key: HBASE-15946
> URL: https://issues.apache.org/jira/browse/HBASE-15946
> Project: HBase
> Issue Type: Bug
> Reporter: Sean Mackrory
> Assignee: Mikhail Antonov
> Attachments: HBASE-15946-v1.patch, HBASE-15946-v2.patch
>
>
> More from static code analysis: it warns about the invoking of a separate
> command ("hbase hfile -s -f ...") as a possible security issue in
> hbase-server/src/main/resources/hbase-webapps/regionserver/storeFile.jsp.
> It looks to me like one cannot inject arbitrary shell script or even
> arbitrary arguments: ProcessBuilder makes that fairly safe and only allows
> the user to specify the argument that comes after -f. However that does
> potentially allow them to have the daemon's user access files they shouldn't
> be able to touch, albeit only for reading.
> To more explicitly eliminate any threats here, we should add some validation
> that the file is at least within HBase's root directory and use the Java API
> directly instead of invoking a separate executable.
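The root-directory check discussed in this thread, sketched as an added example; it is not taken from the attached patch or from HBase's code. It assumes plain `java.net.URI` string handling in place of Hadoop's `Path`/`FileSystem`, and the class name, method names, host name and file paths are all constructed for illustration. It shows why the separator is appended to the expected root before matching.

```java
import java.net.URI;
import java.util.Objects;

public class StoreFilePathCheck {
    // Plain prefix match on the root string: also accepts sibling directories.
    static boolean naiveUnderRoot(String root, String file) {
        return file.startsWith(root);
    }

    // Normalize "." and ".." segments, require the same scheme and authority,
    // then match on the root path plus a trailing separator.
    static boolean isUnderRoot(String root, String file) {
        URI r, f;
        try {
            r = URI.create(root).normalize();
            f = URI.create(file).normalize();
        } catch (IllegalArgumentException e) {
            return false; // unparseable input fails closed
        }
        String rootPath = r.getPath(), filePath = f.getPath();
        if (rootPath == null || filePath == null
                || !Objects.equals(r.getScheme(), f.getScheme())
                || !Objects.equals(r.getAuthority(), f.getAuthority())) {
            return false;
        }
        // A ".." segment that survives normalization (leading, or only visible
        // after percent-decoding) is rejected outright.
        if (filePath.contains("/../") || filePath.endsWith("/..")) {
            return false;
        }
        if (!rootPath.endsWith("/")) {
            rootPath += "/";
        }
        return filePath.startsWith(rootPath);
    }

    public static void main(String[] args) {
        String root = "hdfs://nn.example:8020/hbase"; // constructed sample root
        String[] files = { // constructed sample inputs
            root + "/data/default/t1/abc123/cf/0f1e2d",
            "hdfs://nn.example:8020/hbaseXYZ/data/f1",
            root + "/../user/alice/f1",
            "file:///hbase/data/f1",
        };
        for (String file : files) {
            System.out.printf("%-60s naive=%-5b strict=%b%n",
                    file, naiveUnderRoot(root, file), isUnderRoot(root, file));
        }
    }
}
```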