[jira] [Commented] (HBASE-15946) Eliminate possible security concerns in RS web UI's store file metrics

Thu, 09 Jun 2016 19:19:54 -0700 

    [ 
https://issues.apache.org/jira/browse/HBASE-15946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15323743#comment-15323743
 ] 

Hadoop QA commented on HBASE-15946:
-----------------------------------

| (x) *{color:red}-1 overall{color}* |
\\
\\
|| Vote || Subsystem || Runtime || Comment ||
| {color:blue}0{color} | {color:blue} patch {color} | {color:blue} 0m 1s 
{color} | {color:blue} The patch file was not named according to hbase's naming 
conventions. Please see 
https://yetus.apache.org/documentation/0.2.1/precommit-patchnames for 
instructions. {color} |
| {color:red}-1{color} | {color:red} patch {color} | {color:red} 0m 5s {color} 
| {color:red} HBASE-15946 does not apply to branch-1.3. Rebase required? Wrong 
Branch? See https://yetus.apache.org/documentation/0.2.1/precommit-patchnames 
for help. {color} |
\\
\\
|| Subsystem || Report/Notes ||
| JIRA Patch URL | 
https://issues.apache.org/jira/secure/attachment/12809342/HBASE-15946-branch-1.3-mantonov.diff
 |
| JIRA Issue | HBASE-15946 |
| Console output | 
https://builds.apache.org/job/PreCommit-HBASE-Build/2170/console |
| Powered by | Apache Yetus 0.2.1   http://yetus.apache.org |


This message was automatically generated.



> Eliminate possible security concerns in RS web UI's store file metrics
> ----------------------------------------------------------------------
>
>                 Key: HBASE-15946
>                 URL: https://issues.apache.org/jira/browse/HBASE-15946
>             Project: HBase
>          Issue Type: Bug
>    Affects Versions: 1.3.0, 1.2.1
>            Reporter: Sean Mackrory
>            Assignee: Mikhail Antonov
>             Fix For: 1.3.0, 1.2.2
>
>         Attachments: HBASE-15946-branch-1.3-mantonov.diff, 
> HBASE-15946-v1.patch, HBASE-15946-v2.patch, HBASE-15946-v3.patch
>
>
> More from static code analysis: it warns about the invoking of a separate 
> command ("hbase hfile -s -f ...") as a possible security issue in 
> hbase-server/src/main/resources/hbase-webapps/regionserver/storeFile.jsp.
> It looks to me like one cannot inject arbitrary shell script or even 
> arbitrary arguments: ProcessBuilder makes that fairly safe and only allows 
> the user to specify the argument that comes after -f. However that does 
> potentially allow them to have the daemon's user access files they shouldn't 
> be able to touch, albeit only for reading.
> To more explicitly eliminate any threats here, we should add some validation 
> that the file is at least within HBase's root directory and use the Java API 
> directly instead of invoking a separate executable.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to