Hello Marton Greber, Zoltan Chovan, Kudu Jenkins,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/22063
to look at the new patch set (#2).
Change subject: [squeasel] Allow HTTP unsafe methods
......................................................................
[squeasel] Allow HTTP unsafe methods
By default, Squeasel restricts the use of HTTP methods like PUT, DELETE,
and CONNECT [1]. However, these methods are essential for the REST
API's functionality in managing server resources. This patch introduces
the -DALLOW_UNSAFE_HTTP_METHODS build flag, following a commit that
added this option in response to OWASP security recommendations [2][3].
Although PUT and DELETE methods can modify server resources, enabling
them does not inherently pose a security risk. Proper security checks in
the webserver prevent unauthorized access and misuse.
For web services that require PUT and DELETE, it's essential to ensure
that these methods are accessible only to trusted users and operate in
safe conditions.
[1] https://github.com/cloudera/squeasel/blob/d83cf6d9af0e2c98c16467a6a035ae0d7ca21cb1/squeasel.c#L220-L223
[2] https://github.com/cloudera/squeasel/commit/e6409059a72293ff7be07f78a785581024cedb87
[3] https://web.archive.org/web/20190128223602/https://www.owasp.org/index.php/Test_HTTP_Methods_(OTG-CONFIG-006)
Change-Id: I14580704c0274ca83f318bcdab6d4cf3509ec271
---
M src/kudu/server/webserver-test.cc
M thirdparty/build-definitions.sh
2 files changed, 16 insertions(+), 2 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/63/22063/2
--
To view, visit http://gerrit.cloudera.org:8080/22063
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I14580704c0274ca83f318bcdab6d4cf3509ec271
Gerrit-Change-Number: 22063
Gerrit-PatchSet: 2
Gerrit-Owner: Gabriella Lotz <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Marton Greber <[email protected]>
Gerrit-Reviewer: Zoltan Chovan <[email protected]>