[ https://issues.apache.org/jira/browse/HBASE-20339?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16425161#comment-16425161 ]

Wei-Chiu Chuang commented on HBASE-20339:
-----------------------------------------

Thanks for raising the issue. LogLevel is an HttpServer-based servlet. It 
includes the QuotingInputFilter to defend against cross-site scripting like 
this.

I've also verified on an HBase 2 cluster that this is true, and anything 
entered will be HTML-encoded.

Note: LogLevel.java was copied from the Hadoop project, so you'd likely get the 
same false positives when you scan the Hadoop code. Please do not raise a 
new HADOOP issue for the same, as I've also verified the same for Hadoop.

> A potential security issue in org.apache.hadoop.hbase.http.log.LogLevel.java
> ----------------------------------------------------------------------------
>
>                 Key: HBASE-20339
>                 URL: https://issues.apache.org/jira/browse/HBASE-20339
>             Project: HBase
>          Issue Type: Bug
>          Components: hbase
>    Affects Versions: 2.0.0-beta-2
>            Reporter: andy zhou
>            Priority: Major
>
> Our program analyzer has detected a potential security issue as follows 
> {code:java}
> PrintWriter out = ServletUtil.initHTML(response, "Log Level");
> String logName = ServletUtil.getParameter(request, "log");
> String level = ServletUtil.getParameter(request, "level");
> if (logName != null) {
>    out.println("<br /><hr /><h3>Results</h3>");
>    out.println(MARKER
>         + "Submitted Log Name: <b>" + logName + "</b><br />");
>   ...
> }{code}
> Above is the code piece. It seems that the log name is taken directly from 
> the web request, and only whether the data is null is checked. So an attacker 
> may provide a "logName" containing injected code, leading to cross-site 
> attacks. Besides, the variable "level" may also have such a vulnerability.
>  
> (org.apache.hadoop.hbase.http.log.LogLevel.java Line 111/118)
> Linkage to the code is here:
> [https://github.com/apache/hbase/blob/9e9b347d667e1fc6165c9f8ae5ae7052147e8895/hbase-http/src/main/java/org/apache/hadoop/hbase/http/log/LogLevel.java#L111]
>  
> SourceBrella inc.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
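The point of the comment above is that the concatenation the analyzer flagged is only an XSS sink if the parameter values reach it unencoded; a filter that HTML-encodes every request parameter before the servlet sees it turns the report into a false positive. The following is an added, dependency-free illustration of that pattern and is not HBase or Hadoop code: the servlet request and filter plumbing are replaced by a small hypothetical `Request` interface and `QuotingRequest` wrapper, and the real QuotingInputFilter's API is not reproduced. The `renderResults` method repeats the quoted LogLevel concatenation; the payload in `main` is constructed for the demonstration.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not project code. Demonstrates why the LogLevel concatenation
 * is inert behind a parameter-quoting filter: the same sink emits a script tag
 * when fed a raw request and only entity-encoded text when fed the wrapped one.
 */
public class QuotedParamDemo {

    /** Minimal stand-in for the servlet request API (assumption, not javax.servlet). */
    interface Request {
        String getParameter(String name);
    }

    /** Raw request backed by a map, as a servlet container would supply it. */
    static final class RawRequest implements Request {
        private final Map<String, String> params;
        RawRequest(Map<String, String> params) { this.params = new HashMap<>(params); }
        @Override public String getParameter(String name) { return params.get(name); }
    }

    /** Wrapper that HTML-encodes every parameter value, the way a quoting filter does. */
    static final class QuotingRequest implements Request {
        private final Request delegate;
        QuotingRequest(Request delegate) { this.delegate = delegate; }
        @Override public String getParameter(String name) {
            String v = delegate.getParameter(name);
            return v == null ? null : htmlEscape(v);
        }
    }

    /** Encode the characters that can break out of HTML text or attribute context. */
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** The same concatenation as in the quoted LogLevel snippet: the flagged sink. */
    static String renderResults(Request request) {
        String logName = request.getParameter("log");
        if (logName == null) return "";
        return "Submitted Log Name: <b>" + logName + "</b><br />";
    }

    public static void main(String[] args) {
        // Constructed payload standing in for the report's "injected code".
        Map<String, String> params = Collections.singletonMap("log", "<script>alert(1)</script>");
        Request raw = new RawRequest(params);

        // Without the filter the script tag lands in the page verbatim: a real sink.
        String unsafe = renderResults(raw);
        if (!unsafe.contains("<script>")) throw new AssertionError(unsafe);

        // Behind the quoting wrapper the identical sink emits only encoded text.
        String safe = renderResults(new QuotingRequest(raw));
        if (safe.contains("<script>")) throw new AssertionError(safe);
        if (!safe.contains("&lt;script&gt;")) throw new AssertionError(safe);

        System.out.println("unencoded: " + unsafe);
        System.out.println("encoded:   " + safe);
    }
}
```

Two caveats when relying on this pattern rather than encoding at the output site: entity encoding is only the right escaping for HTML text and attribute context, so a parameter later placed inside a script block or a URL still needs context-specific encoding; and because the encoding happens on input, the servlet's business logic also receives the encoded value (a logger name containing `<` would be mangled before it reaches the logging API), which is an acceptable trade for a diagnostic page like LogLevel but worth checking for any servlet that does more with its parameters than echo them.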
