[ https://issues.apache.org/jira/browse/YARN-10972?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18046731#comment-18046731 ]
ASF GitHub Bot commented on YARN-10972:
---------------------------------------
hadoop-yetus commented on PR #3502:
URL: https://github.com/apache/hadoop/pull/3502#issuecomment-3676590340
:broken_heart: **-1 overall**

| Vote | Subsystem | Runtime | Logfile | Comment |
|:----:|----------:|--------:|:--------:|:-------:|
| +0 :ok: | reexec | 1m 21s | | Docker mode activated. |
|||| _ Prechecks _ |
| +1 :green_heart: | dupname | 0m 0s | | No case conflicting files found. |
| +0 :ok: | codespell | 0m 1s | | codespell was not available. |
| +0 :ok: | detsecrets | 0m 1s | | detect-secrets was not available. |
| +1 :green_heart: | @author | 0m 0s | | The patch does not contain any @author tags. |
| -1 :x: | test4tests | 0m 0s | | The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. |
|||| _ trunk Compile Tests _ |
| +1 :green_heart: | mvninstall | 34m 46s | | trunk passed |
| +1 :green_heart: | compile | 17m 19s | | trunk passed with JDK Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04 |
| +1 :green_heart: | compile | 17m 50s | | trunk passed with JDK Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04 |
| +1 :green_heart: | checkstyle | 1m 12s | | trunk passed |
| +1 :green_heart: | mvnsite | 2m 0s | | trunk passed |
| +1 :green_heart: | javadoc | 1m 35s | | trunk passed with JDK Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04 |
| +1 :green_heart: | javadoc | 1m 23s | | trunk passed with JDK Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04 |
| +1 :green_heart: | spotbugs | 3m 12s | | trunk passed |
| +1 :green_heart: | shadedclient | 29m 3s | | branch has no errors when building and testing our client artifacts. |
|||| _ Patch Compile Tests _ |
| +1 :green_heart: | mvninstall | 1m 6s | | the patch passed |
| +1 :green_heart: | compile | 16m 22s | | the patch passed with JDK Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04 |
| +1 :green_heart: | javac | 16m 22s | | the patch passed |
| +1 :green_heart: | compile | 17m 32s | | the patch passed with JDK Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04 |
| +1 :green_heart: | javac | 17m 32s | | the patch passed |
| +1 :green_heart: | blanks | 0m 0s | | The patch has no blanks issues. |
| +1 :green_heart: | checkstyle | 1m 10s | | the patch passed |
| +1 :green_heart: | mvnsite | 2m 0s | | the patch passed |
| +1 :green_heart: | javadoc | 1m 28s | | the patch passed with JDK Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04 |
| +1 :green_heart: | javadoc | 1m 26s | | the patch passed with JDK Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04 |
| +1 :green_heart: | spotbugs | 3m 18s | | the patch passed |
| +1 :green_heart: | shadedclient | 31m 18s | | patch has no errors when building and testing our client artifacts. |
|||| _ Other Tests _ |
| +1 :green_heart: | unit | 23m 44s | | hadoop-common in the patch passed. |
| +1 :green_heart: | asflicense | 1m 8s | | The patch does not generate ASF License warnings. |
| | | 211m 58s | | |

| Subsystem | Report/Notes |
|----------:|:-------------|
| Docker | ClientAPI=1.52 ServerAPI=1.52 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-3502/1/artifact/out/Dockerfile |
| GITHUB PR | https://github.com/apache/hadoop/pull/3502 |
| Optional Tests | dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets |
| uname | Linux 43bd955a1955 5.15.0-156-generic #166-Ubuntu SMP Sat Aug 9 00:02:46 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux |
| Build tool | maven |
| Personality | dev-support/bin/hadoop.sh |
| git revision | trunk / d6be721378c0a0d75227b46e2309fe20900d1b89 |
| Default Java | Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04 |
| Multi-JDK versions | /usr/lib/jvm/java-21-openjdk-amd64:Ubuntu-21.0.7+6-Ubuntu-0ubuntu120.04 /usr/lib/jvm/java-17-openjdk-amd64:Ubuntu-17.0.15+6-Ubuntu-0ubuntu120.04 |
| Test Results | https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-3502/1/testReport/ |
| Max. process+thread count | 3153 (vs. ulimit of 5500) |
| modules | C: hadoop-common-project/hadoop-common U: hadoop-common-project/hadoop-common |
| Console output | https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-3502/1/console |
| versions | git=2.25.1 maven=3.9.11 spotbugs=4.9.7 |
| Powered by | Apache Yetus 0.14.0 https://yetus.apache.org |

This message was automatically generated.
> Remove stack traces from Jetty's response for Security Reasons
> --------------------------------------------------------------
>
> Key: YARN-10972
> URL: https://issues.apache.org/jira/browse/YARN-10972
> Project: Hadoop YARN
> Issue Type: Improvement
> Reporter: Tamas Domok
> Assignee: Tamas Domok
> Priority: Major
> Labels: pull-request-available
> Time Spent: 50m
> Remaining Estimate: 0h
>
> *HttpServer2* uses the default error handler for Jetty, which renders the
> stack trace in the response's output. This is a potential security
> vulnerability.
>
> The stack trace can be disabled, e.g.:
> {code:java}
> webAppContext.getErrorHandler().setShowStacks(false);
> {code}
> An error handler should be used that renders neither the error message
> nor the stack trace in the output, for security reasons. This should be
> configurable for backward compatibility.
> The logs should contain the information in case of errors for debugging
> purposes.
>
> *Verbose Error Messages*
> During the test it has been revealed that in case of some requests, the server
> throws out an error exception. The exception message may contain a lot of
> detailed technical information, including filenames, absolute paths, but also
> libraries, classes and methods used. This information might be crucial in
> conducting other, critical attacks (like Arbitrary File Read, Code Execution or
> platform specific attacks). Such detailed information should be available only
> to application developers and system administrators and should never be
> revealed to the end user.
> [https://cwe.mitre.org/data/definitions/209.html]
>
> *Before:*
> {code:java}
> curl "http://localhost:8088/faces/javax.faces.resource/..\\WEB-INF/web.xml?user.name=tdomok"
> <html><head><meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 500 java.lang.IllegalArgumentException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</title></head>
> <body><h2>HTTP ERROR 500 java.lang.IllegalArgumentException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</h2>
> <table>
> <tr><th>URI:</th><td>/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr>
> <tr><th>STATUS:</th><td>500</td></tr>
> <tr><th>MESSAGE:</th><td>java.lang.IllegalArgumentException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr>
> <tr><th>SERVLET:</th><td>org.apache.hadoop.http.WebServlet-ccb4b1b</td></tr>
> <tr><th>CAUSED BY:</th><td>java.lang.IllegalArgumentException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr>
> <tr><th>CAUSED BY:</th><td>java.net.URISyntaxException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr>
> </table>
> <h3>Caused by:</h3><pre>java.lang.IllegalArgumentException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml
>     at java.net.URI.create(URI.java:852)
>     at javax.ws.rs.core.UriBuilder.fromUri(UriBuilder.java:95)
>     at com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:911)
>     at com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:875)
>     at org.apache.hadoop.yarn.server.resourcemanager.webapp.RMWebAppFilter.doFilter(RMWebAppFilter.java:180)
>     at com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:829)
>     at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)
>     at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:650)
>     at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:592)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.apache.hadoop.http.HttpServer2$QuotingInputFilter.doFilter(HttpServer2.java:1827)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.apache.hadoop.http.NoCacheFilter.doFilter(NoCacheFilter.java:45)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
>     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434)
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
>     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
>     at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
>     at org.eclipse.jetty.server.handler.StatisticsHandler.handle(StatisticsHandler.java:179)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
>     at org.eclipse.jetty.server.Server.handle(Server.java:516)
>     at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388)
>     at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)
>     at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)
>     at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
>     at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
>     at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
>     at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:137)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: java.net.URISyntaxException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml
>     at java.net.URI$Parser.fail(URI.java:2847)
>     at java.net.URI$Parser.checkChars(URI.java:3020)
>     at java.net.URI$Parser.parseHierarchical(URI.java:3104)
>     at java.net.URI$Parser.parse(URI.java:3052)
>     at java.net.URI.<init>(URI.java:588)
>     at java.net.URI.create(URI.java:850)
>     ... 51 more</pre>
> </body></html>
> {code}
>
> *Expected:*
> {code:java}
> curl
> "http://localhost:8088/faces/javax.faces.resource/..\\WEB-INF/web.xml?user.name=tdomok"
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 500</title>
> </head>
> <body><h2>HTTP ERROR 500</h2>
> </html>
> {code}
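Added example, not code from the issue or from PR #3502: one way to build the error handler the description asks for, against the Jetty 9.4 API (`org.eclipse.jetty.server.handler.ErrorHandler`, the series the stack trace above comes from) and slf4j logging. The full exception goes to the server log; the response body carries only the numeric status, so neither class names nor paths nor any request-derived text reaches the client. The `MinimalErrorHandler` class, the `install` helper and the boolean `showDetails` (standing in for the backward-compatibility switch) are assumptions of this example; the configuration key that would populate `showDetails` is deliberately left unnamed.

```java
// Added example (not Hadoop's HttpServer2 code): a Jetty 9.4 ErrorHandler that keeps
// exception details in the server log and returns a minimal error page.
// Assumptions: Jetty 9.4 API, slf4j, and a hypothetical `showDetails` switch that
// restores the verbose legacy page for backward compatibility.
import java.io.IOException;
import java.io.Writer;

import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.handler.ErrorHandler;
import org.eclipse.jetty.webapp.WebAppContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class MinimalErrorHandler extends ErrorHandler {
  private static final Logger LOG = LoggerFactory.getLogger(MinimalErrorHandler.class);

  /** Hypothetical switch: true keeps Jetty's verbose page, false returns the minimal one. */
  private final boolean showDetails;

  public MinimalErrorHandler(boolean showDetails) {
    this.showDetails = showDetails;
    // Jetty's own flags for the legacy page: stack frames in the body and the
    // exception message in the <title>. Both follow the switch.
    setShowStacks(showDetails);
    setShowMessageInTitle(showDetails);
  }

  @Override
  public void handle(String target, Request baseRequest, HttpServletRequest request,
      HttpServletResponse response) throws IOException {
    // Jetty stores the error status and the throwable as standard servlet
    // request attributes before dispatching to the error handler.
    Integer code = (Integer) request.getAttribute(RequestDispatcher.ERROR_STATUS_CODE);
    int status = code != null ? code : response.getStatus();
    Throwable cause = (Throwable) request.getAttribute(RequestDispatcher.ERROR_EXCEPTION);

    // The details the issue wants kept for debugging stay on the server side.
    if (cause != null) {
      LOG.warn("HTTP {} while handling {} {}", status, request.getMethod(),
          request.getRequestURI(), cause);
    } else {
      LOG.warn("HTTP {} while handling {} {}: {}", status, request.getMethod(),
          request.getRequestURI(), request.getAttribute(RequestDispatcher.ERROR_MESSAGE));
    }

    if (showDetails) {
      // Backward-compatible path: Jetty's default rendering.
      super.handle(target, baseRequest, request, response);
      return;
    }

    // Minimal page: only the numeric status is echoed. Nothing taken from the
    // request (URI, message, exception text) is written, so the page can neither
    // leak internals nor reflect attacker-controlled text.
    baseRequest.setHandled(true);
    response.setContentType("text/html;charset=utf-8");
    Writer writer = response.getWriter();
    writer.write("<html>\n<head>\n");
    writer.write("<meta http-equiv=\"Content-Type\" content=\"text/html;charset=utf-8\"/>\n");
    writer.write("<title>Error " + status + "</title>\n</head>\n");
    writer.write("<body><h2>HTTP ERROR " + status + "</h2>\n</body>\n</html>\n");
    writer.flush();
  }

  /** Replaces the context's default handler; HttpServer2's WebAppContext would be passed here. */
  public static void install(WebAppContext context, boolean showDetails) {
    context.setErrorHandler(new MinimalErrorHandler(showDetails));
  }
}
```

With `showDetails` false the body matches the "Expected" output above apart from the closing `</body>` tag. The choice to echo nothing request-derived is deliberate: the "Before" page repeats the request URI in the title, heading and table, which is the CWE-209 exposure the issue describes and also a place where reflected request text would land, so the minimal page avoids both at once.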
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]