[ https://issues.apache.org/jira/browse/YARN-10972?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Wei-Chiu Chuang resolved YARN-10972.
------------------------------------
Fix Version/s: 3.5.0
Resolution: Fixed
> Remove stack traces from Jetty's response for Security Reasons
> --------------------------------------------------------------
>
> Key: YARN-10972
> URL: https://issues.apache.org/jira/browse/YARN-10972
> Project: Hadoop YARN
> Issue Type: Improvement
> Reporter: Tamas Domok
> Assignee: Tamas Domok
> Priority: Major
> Labels: pull-request-available
> Fix For: 3.5.0
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> *HttpServer2* uses Jetty's default error handler, which renders the
> stack trace in the response output. This is a potential security
> vulnerability.
>
> The stack trace can be disabled, e.g.:
> {code:java}
> webAppContext.getErrorHandler().setShowStacks(false);
> {code}
> An error handler should be used that, for security reasons, renders neither
> the error message nor the stack trace in the output. This should be
> configurable for backward compatibility.
> In case of errors, the logs should still contain the information for
> debugging purposes.
>
> *Verbose Error Messages*
> During testing it was revealed that for some requests the server
> throws an exception. The exception message may contain a lot of
> detailed technical information, including filenames and absolute paths, but
> also the libraries, classes and methods used. This information might be
> crucial in conducting other, critical attacks (like Arbitrary File Read,
> Code Execution or platform-specific attacks). Such detailed information
> should be available only to application developers and system
> administrators and should never be revealed to the end user.
> [https://cwe.mitre.org/data/definitions/209.html]
>
> *Before:*
> {code:java}
> curl "http://localhost:8088/faces/javax.faces.resource/..\\WEB-INF/web.xml?user.name=tdomok"
> <html><head><meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 500 java.lang.IllegalArgumentException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</title></head>
> <body><h2>HTTP ERROR 500 java.lang.IllegalArgumentException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</h2>
> <table>
> <tr><th>URI:</th><td>/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr>
> <tr><th>STATUS:</th><td>500</td></tr>
> <tr><th>MESSAGE:</th><td>java.lang.IllegalArgumentException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr>
> <tr><th>SERVLET:</th><td>org.apache.hadoop.http.WebServlet-ccb4b1b</td></tr>
> <tr><th>CAUSED BY:</th><td>java.lang.IllegalArgumentException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr>
> <tr><th>CAUSED BY:</th><td>java.net.URISyntaxException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr>
> </table>
> <h3>Caused by:</h3><pre>java.lang.IllegalArgumentException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml
>     at java.net.URI.create(URI.java:852)
>     at javax.ws.rs.core.UriBuilder.fromUri(UriBuilder.java:95)
>     at com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:911)
>     at com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:875)
>     at org.apache.hadoop.yarn.server.resourcemanager.webapp.RMWebAppFilter.doFilter(RMWebAppFilter.java:180)
>     at com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:829)
>     at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)
>     at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:650)
>     at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:592)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.apache.hadoop.http.HttpServer2$QuotingInputFilter.doFilter(HttpServer2.java:1827)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.apache.hadoop.http.NoCacheFilter.doFilter(NoCacheFilter.java:45)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
>     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434)
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
>     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
>     at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
>     at org.eclipse.jetty.server.handler.StatisticsHandler.handle(StatisticsHandler.java:179)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
>     at org.eclipse.jetty.server.Server.handle(Server.java:516)
>     at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388)
>     at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)
>     at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)
>     at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
>     at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
>     at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
>     at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:137)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: java.net.URISyntaxException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml
>     at java.net.URI$Parser.fail(URI.java:2847)
>     at java.net.URI$Parser.checkChars(URI.java:3020)
>     at java.net.URI$Parser.parseHierarchical(URI.java:3104)
>     at java.net.URI$Parser.parse(URI.java:3052)
>     at java.net.URI.<init>(URI.java:588)
>     at java.net.URI.create(URI.java:850)
>     ... 51 more</pre>
> </body></html>
> {code}
>
> *Expected:*
> {code:java}
> curl "http://localhost:8088/faces/javax.faces.resource/..\\WEB-INF/web.xml?user.name=tdomok"
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 500</title>
> </head>
> <body><h2>HTTP ERROR 500</h2>
> </html>
> {code}
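An error handler of the kind the description asks for, as an added example that is neither the reporter's nor the Hadoop project's code: it is written against the Jetty 9.4-series API (the line the frames in the stack trace above come from), logs status, URI, message and exception on the server, and sends the client only the status code. The class name `QuietErrorHandler`, the `showDetails` flag, the `demo.show.error.details` system property, the constructed throwing servlet and the port-0 demo server are all assumptions made for the example; the actual fix in HttpServer2 may be shaped differently.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.net.HttpURLConnection;
import java.net.URL;

import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.handler.ErrorHandler;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.IO;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Jetty ErrorHandler that keeps the failing request's URI, message and exception
 * in the server log but sends the client only "HTTP ERROR <code>".
 * Example code for this issue, not Hadoop's HttpServer2 implementation.
 */
public final class QuietErrorHandler extends ErrorHandler {
    private static final Logger LOG = LoggerFactory.getLogger(QuietErrorHandler.class);

    /** Hypothetical compatibility switch: true = Jetty's legacy verbose page. */
    private final boolean showDetails;

    public QuietErrorHandler(boolean showDetails) {
        this.showDetails = showDetails;
        // These only matter when super.handle() renders the legacy page.
        setShowStacks(showDetails);
        setShowMessageInTitle(showDetails);
    }

    @Override
    public void handle(String target, Request baseRequest, HttpServletRequest request,
                       HttpServletResponse response) throws IOException {
        // The servlet container stores the error details as request attributes.
        int code = response.getStatus();
        Object uri = request.getAttribute(RequestDispatcher.ERROR_REQUEST_URI);
        Object message = request.getAttribute(RequestDispatcher.ERROR_MESSAGE);
        Throwable cause = (Throwable) request.getAttribute(RequestDispatcher.ERROR_EXCEPTION);

        // Full detail goes where operators can read it: the server log (trailing
        // Throwable makes slf4j print the stack trace).
        if (cause != null) {
            LOG.warn("HTTP {} for {}: {}", code, uri, message, cause);
        } else {
            LOG.warn("HTTP {} for {}: {}", code, uri, message);
        }

        if (showDetails) {
            super.handle(target, baseRequest, request, response); // backward-compatible page
            return;
        }

        // Quiet page: status code only; no message, class names or paths.
        baseRequest.setHandled(true);
        response.setContentType("text/html;charset=utf-8");
        response.setHeader("Cache-Control", "must-revalidate,no-cache,no-store");
        try (PrintWriter w = response.getWriter()) {
            w.printf("<html>%n<head>%n<meta http-equiv=\"Content-Type\" content=\"text/html;charset=utf-8\"/>%n"
                + "<title>Error %d</title>%n</head>%n<body><h2>HTTP ERROR %d</h2>%n</body>%n</html>%n",
                code, code);
        }
    }

    /** Stand-alone demo: a servlet that always throws, fetched once through the handler. */
    public static void main(String[] args) throws Exception {
        // Hypothetical toggle; a real deployment would read it from site configuration.
        boolean showDetails = Boolean.getBoolean("demo.show.error.details");

        Server server = new Server(0); // ephemeral port
        ServletContextHandler ctx = new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
        ctx.setContextPath("/");
        ctx.addServlet(new ServletHolder(new HttpServlet() {
            @Override
            protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
                // Constructed failure standing in for the URI parse error in the report.
                throw new IllegalArgumentException("Illegal character in path: " + req.getRequestURI());
            }
        }), "/faces/*");
        ctx.setErrorHandler(new QuietErrorHandler(showDetails));
        server.setHandler(ctx);
        server.start();
        try {
            int port = ((ServerConnector) server.getConnectors()[0]).getLocalPort();
            URL url = new URL("http://localhost:" + port + "/faces/javax.faces.resource/x");
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            System.out.println("status " + conn.getResponseCode());
            System.out.println(IO.toString(conn.getErrorStream())); // body of the 500
            conn.disconnect();
        } finally {
            server.stop();
        }
    }
}
```

Run with `-Ddemo.show.error.details=true` to get the legacy verbose page for comparison. The handler writes its own page rather than only calling `setShowStacks(false)` because that flag suppresses the `<pre>` trace only: Jetty's default page still puts the exception message, and with it class names and paths, into the title, the heading and the MESSAGE row, as the "Before" output above shows. A quick check after deploying a handler like this is `curl -s "$URL" | grep -c 'Caused by'`, which should print 0 while the server log carries the full trace.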
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]