[jira] [Work logged] (HDDS-2110) Arbitrary file can be downloaded with the help of ProfilerServlet
[ https://issues.apache.org/jira/browse/HDDS-2110?focusedWorklogId=315171=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-315171 ] ASF GitHub Bot logged work on HDDS-2110: Author: ASF GitHub Bot Created on: 19/Sep/19 16:43 Start Date: 19/Sep/19 16:43 Worklog Time Spent: 10m Work Description: anuengineer commented on pull request #1448: HDDS-2110. Arbitrary file can be downloaded with the help of ProfilerServlet URL: https://github.com/apache/hadoop/pull/1448 This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 315171) Time Spent: 1.5h (was: 1h 20m) > Arbitrary file can be downloaded with the help of ProfilerServlet > - > > Key: HDDS-2110 > URL: https://issues.apache.org/jira/browse/HDDS-2110 > Project: Hadoop Distributed Data Store > Issue Type: Bug > Components: Native >Reporter: Aayush >Assignee: Elek, Marton >Priority: Major > Labels: pull-request-available > Time Spent: 1.5h > Remaining Estimate: 0h > > The LOC 324 in the file > [ProfileServlet.java|https://github.com/apache/hadoop/blob/217bdbd940a96986df3b96899b43caae2b5a9ed2/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/ProfileServlet.java] > is prone to an arbitrary file download:- > {code:java} > protected void doGetDownload(String fileName, final HttpServletRequest req, >final HttpServletResponse resp) throws IOException { > File requestedFile = > ProfileServlet.OUTPUT_DIR.resolve(fileName).toAbsolutePath().toFile();{code} > As the String fileName is directly considered as the requested file. > > Which is called at LOC 180 with HTTP request directly passed:- > {code:java} > if (req.getParameter("file") != null) { > doGetDownload(req.getParameter("file"), req, resp); > return; > } > {code} > -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
[jira] [Work logged] (HDDS-2110) Arbitrary file can be downloaded with the help of ProfilerServlet
[ https://issues.apache.org/jira/browse/HDDS-2110?focusedWorklogId=314645=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-314645 ] ASF GitHub Bot logged work on HDDS-2110: Author: ASF GitHub Bot Created on: 18/Sep/19 20:59 Start Date: 18/Sep/19 20:59 Worklog Time Spent: 10m Work Description: arp7 commented on issue #1448: HDDS-2110. Arbitrary file can be downloaded with the help of ProfilerServlet URL: https://github.com/apache/hadoop/pull/1448#issuecomment-532864393 Can this be committed? This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 314645) Time Spent: 1h 20m (was: 1h 10m) > Arbitrary file can be downloaded with the help of ProfilerServlet > - > > Key: HDDS-2110 > URL: https://issues.apache.org/jira/browse/HDDS-2110 > Project: Hadoop Distributed Data Store > Issue Type: Bug > Components: Native >Reporter: Aayush >Assignee: Elek, Marton >Priority: Major > Labels: pull-request-available > Time Spent: 1h 20m > Remaining Estimate: 0h > > The LOC 324 in the file > [ProfileServlet.java|https://github.com/apache/hadoop/blob/217bdbd940a96986df3b96899b43caae2b5a9ed2/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/ProfileServlet.java] > is prone to an arbitrary file download:- > {code:java} > protected void doGetDownload(String fileName, final HttpServletRequest req, >final HttpServletResponse resp) throws IOException { > File requestedFile = > ProfileServlet.OUTPUT_DIR.resolve(fileName).toAbsolutePath().toFile();{code} > As the String fileName is directly considered as the requested file. > > Which is called at LOC 180 with HTTP request directly passed:- > {code:java} > if (req.getParameter("file") != null) { > doGetDownload(req.getParameter("file"), req, resp); > return; > } > {code} > -- This message was sent by Atlassian Jira (v8.3.4#803005) - To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
[jira] [Work logged] (HDDS-2110) Arbitrary file can be downloaded with the help of ProfilerServlet
[ https://issues.apache.org/jira/browse/HDDS-2110?focusedWorklogId=313641=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-313641 ] ASF GitHub Bot logged work on HDDS-2110: Author: ASF GitHub Bot Created on: 17/Sep/19 11:42 Start Date: 17/Sep/19 11:42 Worklog Time Spent: 10m Work Description: hadoop-yetus commented on issue #1448: HDDS-2110. Arbitrary file can be downloaded with the help of ProfilerServlet URL: https://github.com/apache/hadoop/pull/1448#issuecomment-532184015 :broken_heart: **-1 overall** | Vote | Subsystem | Runtime | Comment | |::|--:|:|:| | 0 | reexec | 44 | Docker mode activated. | ||| _ Prechecks _ | | +1 | dupname | 0 | No case conflicting files found. | | +1 | @author | 0 | The patch does not contain any @author tags. | | +1 | test4tests | 0 | The patch appears to include 1 new or modified test files. | ||| _ trunk Compile Tests _ | | -1 | mvninstall | 33 | hadoop-ozone in trunk failed. | | -1 | compile | 22 | hadoop-ozone in trunk failed. | | +1 | checkstyle | 68 | trunk passed | | +1 | mvnsite | 0 | trunk passed | | +1 | shadedclient | 836 | branch has no errors when building and testing our client artifacts. | | +1 | javadoc | 149 | trunk passed | | 0 | spotbugs | 162 | Used deprecated FindBugs config; considering switching to SpotBugs. | | -1 | findbugs | 27 | hadoop-ozone in trunk failed. | ||| _ Patch Compile Tests _ | | -1 | mvninstall | 33 | hadoop-ozone in the patch failed. | | -1 | compile | 26 | hadoop-ozone in the patch failed. | | -1 | javac | 26 | hadoop-ozone in the patch failed. | | -0 | checkstyle | 29 | hadoop-hdds: The patch generated 14 new + 61 unchanged - 6 fixed = 75 total (was 67) | | +1 | mvnsite | 0 | the patch passed | | +1 | whitespace | 0 | The patch has no whitespace issues. | | +1 | shadedclient | 670 | patch has no errors when building and testing our client artifacts. | | +1 | javadoc | 150 | the patch passed | | -1 | findbugs | 28 | hadoop-ozone in the patch failed. | ||| _ Other Tests _ | | +1 | unit | 251 | hadoop-hdds in the patch passed. | | -1 | unit | 29 | hadoop-ozone in the patch failed. | | +1 | asflicense | 34 | The patch does not generate ASF License warnings. | | | | 3183 | | | Subsystem | Report/Notes | |--:|:-| | Docker | Client=19.03.1 Server=19.03.1 base: https://builds.apache.org/job/hadoop-multibranch/job/PR-1448/2/artifact/out/Dockerfile | | GITHUB PR | https://github.com/apache/hadoop/pull/1448 | | Optional Tests | dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle | | uname | Linux 3aa3555d0a32 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux | | Build tool | maven | | Personality | personality/hadoop.sh | | git revision | trunk / f3de141 | | Default Java | 1.8.0_222 | | mvninstall | https://builds.apache.org/job/hadoop-multibranch/job/PR-1448/2/artifact/out/branch-mvninstall-hadoop-ozone.txt | | compile | https://builds.apache.org/job/hadoop-multibranch/job/PR-1448/2/artifact/out/branch-compile-hadoop-ozone.txt | | findbugs | https://builds.apache.org/job/hadoop-multibranch/job/PR-1448/2/artifact/out/branch-findbugs-hadoop-ozone.txt | | mvninstall | https://builds.apache.org/job/hadoop-multibranch/job/PR-1448/2/artifact/out/patch-mvninstall-hadoop-ozone.txt | | compile | https://builds.apache.org/job/hadoop-multibranch/job/PR-1448/2/artifact/out/patch-compile-hadoop-ozone.txt | | javac | https://builds.apache.org/job/hadoop-multibranch/job/PR-1448/2/artifact/out/patch-compile-hadoop-ozone.txt | | checkstyle | https://builds.apache.org/job/hadoop-multibranch/job/PR-1448/2/artifact/out/diff-checkstyle-hadoop-hdds.txt | | findbugs | https://builds.apache.org/job/hadoop-multibranch/job/PR-1448/2/artifact/out/patch-findbugs-hadoop-ozone.txt | | unit | https://builds.apache.org/job/hadoop-multibranch/job/PR-1448/2/artifact/out/patch-unit-hadoop-ozone.txt | | Test Results | https://builds.apache.org/job/hadoop-multibranch/job/PR-1448/2/testReport/ | | Max. process+thread count | 518 (vs. ulimit of 5500) | | modules | C: hadoop-hdds/framework U: hadoop-hdds/framework | | Console output | https://builds.apache.org/job/hadoop-multibranch/job/PR-1448/2/console | | versions | git=2.7.4 maven=3.3.9 findbugs=3.1.0-RC1 | | Powered by | Apache Yetus 0.10.0 http://yetus.apache.org | This message was automatically generated. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the
[jira] [Work logged] (HDDS-2110) Arbitrary file can be downloaded with the help of ProfilerServlet
[ https://issues.apache.org/jira/browse/HDDS-2110?focusedWorklogId=313599=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-313599 ] ASF GitHub Bot logged work on HDDS-2110: Author: ASF GitHub Bot Created on: 17/Sep/19 10:15 Start Date: 17/Sep/19 10:15 Worklog Time Spent: 10m Work Description: elek commented on issue #1448: HDDS-2110. Arbitrary file can be downloaded with the help of ProfilerServlet URL: https://github.com/apache/hadoop/pull/1448#issuecomment-532157442 I made it more safe (strict validation of the file name based on the original pattern). Now the HTTP headers are also safe (until now we printed out the file name in the header even if it contained a new line char). And we don't need to suppress any findbugs warning. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 313599) Time Spent: 1h (was: 50m) > Arbitrary file can be downloaded with the help of ProfilerServlet > - > > Key: HDDS-2110 > URL: https://issues.apache.org/jira/browse/HDDS-2110 > Project: Hadoop Distributed Data Store > Issue Type: Bug > Components: Native >Reporter: Aayush >Assignee: Elek, Marton >Priority: Major > Labels: pull-request-available > Time Spent: 1h > Remaining Estimate: 0h > > The LOC 324 in the file > [ProfileServlet.java|https://github.com/apache/hadoop/blob/217bdbd940a96986df3b96899b43caae2b5a9ed2/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/ProfileServlet.java] > is prone to an arbitrary file download:- > {code:java} > protected void doGetDownload(String fileName, final HttpServletRequest req, >final HttpServletResponse resp) throws IOException { > File requestedFile = > ProfileServlet.OUTPUT_DIR.resolve(fileName).toAbsolutePath().toFile();{code} > As the String fileName is directly considered as the requested file. > > Which is called at LOC 180 with HTTP request directly passed:- > {code:java} > if (req.getParameter("file") != null) { > doGetDownload(req.getParameter("file"), req, resp); > return; > } > {code} > -- This message was sent by Atlassian Jira (v8.3.2#803003) - To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
[jira] [Work logged] (HDDS-2110) Arbitrary file can be downloaded with the help of ProfilerServlet
[ https://issues.apache.org/jira/browse/HDDS-2110?focusedWorklogId=313327=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-313327 ] ASF GitHub Bot logged work on HDDS-2110: Author: ASF GitHub Bot Created on: 16/Sep/19 22:19 Start Date: 16/Sep/19 22:19 Worklog Time Spent: 10m Work Description: anuengineer commented on issue #1448: HDDS-2110. Arbitrary file can be downloaded with the help of ProfilerServlet URL: https://github.com/apache/hadoop/pull/1448#issuecomment-531980439 Do you want to write a FindBugs Suppression rule with a pointer to HDDS-2110, So that people know why we are suppressing the Findbugs warning?, and also suppress this findbugs? This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 313327) Time Spent: 50m (was: 40m) > Arbitrary file can be downloaded with the help of ProfilerServlet > - > > Key: HDDS-2110 > URL: https://issues.apache.org/jira/browse/HDDS-2110 > Project: Hadoop Distributed Data Store > Issue Type: Bug > Components: Native >Reporter: Aayush >Assignee: Elek, Marton >Priority: Major > Labels: pull-request-available > Time Spent: 50m > Remaining Estimate: 0h > > The LOC 324 in the file > [ProfileServlet.java|https://github.com/apache/hadoop/blob/217bdbd940a96986df3b96899b43caae2b5a9ed2/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/ProfileServlet.java] > is prone to an arbitrary file download:- > {code:java} > protected void doGetDownload(String fileName, final HttpServletRequest req, >final HttpServletResponse resp) throws IOException { > File requestedFile = > ProfileServlet.OUTPUT_DIR.resolve(fileName).toAbsolutePath().toFile();{code} > As the String fileName is directly considered as the requested file. > > Which is called at LOC 180 with HTTP request directly passed:- > {code:java} > if (req.getParameter("file") != null) { > doGetDownload(req.getParameter("file"), req, resp); > return; > } > {code} > -- This message was sent by Atlassian Jira (v8.3.2#803003) - To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
[jira] [Work logged] (HDDS-2110) Arbitrary file can be downloaded with the help of ProfilerServlet
[ https://issues.apache.org/jira/browse/HDDS-2110?focusedWorklogId=313035=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-313035 ] ASF GitHub Bot logged work on HDDS-2110: Author: ASF GitHub Bot Created on: 16/Sep/19 14:59 Start Date: 16/Sep/19 14:59 Worklog Time Spent: 10m Work Description: elek commented on issue #1448: HDDS-2110. Arbitrary file can be downloaded with the help of ProfilerServlet URL: https://github.com/apache/hadoop/pull/1448#issuecomment-531816573 /retest This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 313035) Time Spent: 40m (was: 0.5h) > Arbitrary file can be downloaded with the help of ProfilerServlet > - > > Key: HDDS-2110 > URL: https://issues.apache.org/jira/browse/HDDS-2110 > Project: Hadoop Distributed Data Store > Issue Type: Bug > Components: Native >Reporter: Aayush >Assignee: Elek, Marton >Priority: Major > Labels: pull-request-available > Time Spent: 40m > Remaining Estimate: 0h > > The LOC 324 in the file > [ProfileServlet.java|https://github.com/apache/hadoop/blob/217bdbd940a96986df3b96899b43caae2b5a9ed2/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/ProfileServlet.java] > is prone to an arbitrary file download:- > {code:java} > protected void doGetDownload(String fileName, final HttpServletRequest req, >final HttpServletResponse resp) throws IOException { > File requestedFile = > ProfileServlet.OUTPUT_DIR.resolve(fileName).toAbsolutePath().toFile();{code} > As the String fileName is directly considered as the requested file. > > Which is called at LOC 180 with HTTP request directly passed:- > {code:java} > if (req.getParameter("file") != null) { > doGetDownload(req.getParameter("file"), req, resp); > return; > } > {code} > -- This message was sent by Atlassian Jira (v8.3.2#803003) - To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
[jira] [Work logged] (HDDS-2110) Arbitrary file can be downloaded with the help of ProfilerServlet
[ https://issues.apache.org/jira/browse/HDDS-2110?focusedWorklogId=312503=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-312503 ] ASF GitHub Bot logged work on HDDS-2110: Author: ASF GitHub Bot Created on: 14/Sep/19 05:09 Start Date: 14/Sep/19 05:09 Worklog Time Spent: 10m Work Description: hadoop-yetus commented on issue #1448: HDDS-2110. Arbitrary file can be downloaded with the help of ProfilerServlet URL: https://github.com/apache/hadoop/pull/1448#issuecomment-531449913 :broken_heart: **-1 overall** | Vote | Subsystem | Runtime | Comment | |::|--:|:|:| | 0 | reexec | 72 | Docker mode activated. | ||| _ Prechecks _ | | +1 | dupname | 0 | No case conflicting files found. | | +1 | @author | 0 | The patch does not contain any @author tags. | | -1 | test4tests | 0 | The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. | ||| _ trunk Compile Tests _ | | -1 | mvninstall | 31 | hadoop-ozone in trunk failed. | | -1 | compile | 19 | hadoop-ozone in trunk failed. | | +1 | checkstyle | 64 | trunk passed | | +1 | mvnsite | 0 | trunk passed | | +1 | shadedclient | 902 | branch has no errors when building and testing our client artifacts. | | -1 | javadoc | 14 | hadoop-hdds in trunk failed. | | -1 | javadoc | 15 | hadoop-ozone in trunk failed. | | 0 | spotbugs | 160 | Used deprecated FindBugs config; considering switching to SpotBugs. | | -1 | findbugs | 23 | hadoop-ozone in trunk failed. | ||| _ Patch Compile Tests _ | | -1 | mvninstall | 30 | hadoop-ozone in the patch failed. | | -1 | compile | 22 | hadoop-ozone in the patch failed. | | -1 | javac | 22 | hadoop-ozone in the patch failed. | | +1 | checkstyle | 51 | the patch passed | | +1 | mvnsite | 0 | the patch passed | | +1 | whitespace | 1 | The patch has no whitespace issues. | | +1 | shadedclient | 721 | patch has no errors when building and testing our client artifacts. | | -1 | javadoc | 13 | hadoop-hdds in the patch failed. | | -1 | javadoc | 14 | hadoop-ozone in the patch failed. | | -1 | findbugs | 164 | hadoop-hdds generated 1 new + 0 unchanged - 0 fixed = 1 total (was 0) | | -1 | findbugs | 22 | hadoop-ozone in the patch failed. | ||| _ Other Tests _ | | -1 | unit | 152 | hadoop-hdds in the patch failed. | | -1 | unit | 24 | hadoop-ozone in the patch failed. | | +1 | asflicense | 29 | The patch does not generate ASF License warnings. | | | | 2927 | | | Reason | Tests | |---:|:--| | FindBugs | module:hadoop-hdds | | | Absolute path traversal in org.apache.hadoop.hdds.server.ProfileServlet.doGet(HttpServletRequest, HttpServletResponse) At ProfileServlet.java:HttpServletResponse) At ProfileServlet.java:[line 181] | | Failed junit tests | hadoop.ozone.container.ozoneimpl.TestOzoneContainer | | | hadoop.ozone.container.keyvalue.TestKeyValueContainer | | Subsystem | Report/Notes | |--:|:-| | Docker | Client=19.03.0 Server=19.03.0 base: https://builds.apache.org/job/hadoop-multibranch/job/PR-1448/1/artifact/out/Dockerfile | | GITHUB PR | https://github.com/apache/hadoop/pull/1448 | | Optional Tests | dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient findbugs checkstyle | | uname | Linux c3afa8e01794 4.15.0-58-generic #64-Ubuntu SMP Tue Aug 6 11:12:41 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux | | Build tool | maven | | Personality | personality/hadoop.sh | | git revision | trunk / 6a9f7ca | | Default Java | 1.8.0_222 | | mvninstall | https://builds.apache.org/job/hadoop-multibranch/job/PR-1448/1/artifact/out/branch-mvninstall-hadoop-ozone.txt | | compile | https://builds.apache.org/job/hadoop-multibranch/job/PR-1448/1/artifact/out/branch-compile-hadoop-ozone.txt | | javadoc | https://builds.apache.org/job/hadoop-multibranch/job/PR-1448/1/artifact/out/branch-javadoc-hadoop-hdds.txt | | javadoc | https://builds.apache.org/job/hadoop-multibranch/job/PR-1448/1/artifact/out/branch-javadoc-hadoop-ozone.txt | | findbugs | https://builds.apache.org/job/hadoop-multibranch/job/PR-1448/1/artifact/out/branch-findbugs-hadoop-ozone.txt | | mvninstall | https://builds.apache.org/job/hadoop-multibranch/job/PR-1448/1/artifact/out/patch-mvninstall-hadoop-ozone.txt | | compile | https://builds.apache.org/job/hadoop-multibranch/job/PR-1448/1/artifact/out/patch-compile-hadoop-ozone.txt | | javac | https://builds.apache.org/job/hadoop-multibranch/job/PR-1448/1/artifact/out/patch-compile-hadoop-ozone.txt | | javadoc |
[jira] [Work logged] (HDDS-2110) Arbitrary file can be downloaded with the help of ProfilerServlet
[ https://issues.apache.org/jira/browse/HDDS-2110?focusedWorklogId=312499=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-312499 ] ASF GitHub Bot logged work on HDDS-2110: Author: ASF GitHub Bot Created on: 14/Sep/19 04:51 Start Date: 14/Sep/19 04:51 Worklog Time Spent: 10m Work Description: anuengineer commented on issue #1448: HDDS-2110. Arbitrary file can be downloaded with the help of ProfilerServlet URL: https://github.com/apache/hadoop/pull/1448#issuecomment-531448967 +1, pending Jenkins. This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 312499) Time Spent: 20m (was: 10m) > Arbitrary file can be downloaded with the help of ProfilerServlet > - > > Key: HDDS-2110 > URL: https://issues.apache.org/jira/browse/HDDS-2110 > Project: Hadoop Distributed Data Store > Issue Type: Bug > Components: Native >Reporter: Aayush >Assignee: Elek, Marton >Priority: Major > Labels: pull-request-available > Time Spent: 20m > Remaining Estimate: 0h > > The LOC 324 in the file > [ProfileServlet.java|https://github.com/apache/hadoop/blob/217bdbd940a96986df3b96899b43caae2b5a9ed2/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/ProfileServlet.java] > is prone to an arbitrary file download:- > {code:java} > protected void doGetDownload(String fileName, final HttpServletRequest req, >final HttpServletResponse resp) throws IOException { > File requestedFile = > ProfileServlet.OUTPUT_DIR.resolve(fileName).toAbsolutePath().toFile();{code} > As the String fileName is directly considered as the requested file. > > Which is called at LOC 180 with HTTP request directly passed:- > {code:java} > if (req.getParameter("file") != null) { > doGetDownload(req.getParameter("file"), req, resp); > return; > } > {code} > -- This message was sent by Atlassian Jira (v8.3.2#803003) - To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
[jira] [Work logged] (HDDS-2110) Arbitrary file can be downloaded with the help of ProfilerServlet
[ https://issues.apache.org/jira/browse/HDDS-2110?focusedWorklogId=312495=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-312495 ] ASF GitHub Bot logged work on HDDS-2110: Author: ASF GitHub Bot Created on: 14/Sep/19 04:19 Start Date: 14/Sep/19 04:19 Worklog Time Spent: 10m Work Description: elek commented on pull request #1448: HDDS-2110. Arbitrary file can be downloaded with the help of ProfilerServlet URL: https://github.com/apache/hadoop/pull/1448 The LOC 324 in the file [ProfileServlet.java|https://github.com/apache/hadoop/blob/217bdbd940a96986df3b96899b43caae2b5a9ed2/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/ProfileServlet.java] is prone to an arbitrary file download:- {code:java} protected void doGetDownload(String fileName, final HttpServletRequest req, final HttpServletResponse resp) throws IOException { File requestedFile = ProfileServlet.OUTPUT_DIR.resolve(fileName).toAbsolutePath().toFile();{code} As the String fileName is directly considered as the requested file. Which is called at LOC 180 with HTTP request directly passed:- {code:java} if (req.getParameter("file") != null) { doGetDownload(req.getParameter("file"), req, resp); return; } {code} See: https://issues.apache.org/jira/browse/HDDS-2110 This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 312495) Remaining Estimate: 0h Time Spent: 10m > Arbitrary file can be downloaded with the help of ProfilerServlet > - > > Key: HDDS-2110 > URL: https://issues.apache.org/jira/browse/HDDS-2110 > Project: Hadoop Distributed Data Store > Issue Type: Bug > Components: Native >Reporter: Aayush >Priority: Major > Labels: pull-request-available > Time Spent: 10m > Remaining Estimate: 0h > > The LOC 324 in the file > [ProfileServlet.java|https://github.com/apache/hadoop/blob/217bdbd940a96986df3b96899b43caae2b5a9ed2/hadoop-hdds/framework/src/main/java/org/apache/hadoop/hdds/server/ProfileServlet.java] > is prone to an arbitrary file download:- > {code:java} > protected void doGetDownload(String fileName, final HttpServletRequest req, >final HttpServletResponse resp) throws IOException { > File requestedFile = > ProfileServlet.OUTPUT_DIR.resolve(fileName).toAbsolutePath().toFile();{code} > As the String fileName is directly considered as the requested file. > > Which is called at LOC 180 with HTTP request directly passed:- > {code:java} > if (req.getParameter("file") != null) { > doGetDownload(req.getParameter("file"), req, resp); > return; > } > {code} > -- This message was sent by Atlassian Jira (v8.3.2#803003) - To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org