HBASE-20406 HBase Thrift HTTP - Shouldn't handle TRACE/OPTIONS methods

Signed-off-by: Josh Elser <els...@apache.org>
Signed-off-by: Ted Yu <yuzhih...@gmail.com>
Signed-off-by: Sean Busbey <bus...@apache.org>

 Conflicts:
        
hbase-server/src/test/java/org/apache/hadoop/hbase/http/TestHttpServer.java
        
hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/e6018903
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/e6018903
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/e6018903

Branch: refs/heads/branch-1
Commit: e60189035e1974226f6176be52f29dff79a1fb18
Parents: eacf3cb
Author: Kevin Risden <kris...@apache.org>
Authored: Thu Apr 12 21:08:15 2018 -0500
Committer: Sean Busbey <bus...@apache.org>
Committed: Fri Apr 20 22:45:49 2018 -0500

----------------------------------------------------------------------
 .../hadoop/hbase/http/TestHttpServer.java       | 13 ++++++++++--
 .../hadoop/hbase/thrift/ThriftServerRunner.java |  2 ++
 .../hbase/thrift/TestThriftHttpServer.java      | 21 ++++++++++++++++----
 3 files changed, 30 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/e6018903/hbase-server/src/test/java/org/apache/hadoop/hbase/http/TestHttpServer.java
----------------------------------------------------------------------
diff --git 
a/hbase-server/src/test/java/org/apache/hadoop/hbase/http/TestHttpServer.java 
b/hbase-server/src/test/java/org/apache/hadoop/hbase/http/TestHttpServer.java
index cec3fd1..2cb6cb4 100644
--- 
a/hbase-server/src/test/java/org/apache/hadoop/hbase/http/TestHttpServer.java
+++ 
b/hbase-server/src/test/java/org/apache/hadoop/hbase/http/TestHttpServer.java
@@ -608,8 +608,6 @@ public class TestHttpServer extends 
HttpServerFunctionalTest {
     myServer.stop();
   }
 
-
-
   @Test
   public void testNoCacheHeader() throws Exception {
     URL url = new URL(baseUrl, "/echo?a=b&c=d");
@@ -634,4 +632,15 @@ public class TestHttpServer extends 
HttpServerFunctionalTest {
         .build();
     s.stop();
   }
+
+  @Test
+  public void testHttpMethods() throws Exception {
+    // HTTP TRACE method should be disabled for security
+    // See https://www.owasp.org/index.php/Cross_Site_Tracing
+    URL url = new URL(baseUrl, "/echo?a=b");
+    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+    conn.setRequestMethod("TRACE");
+    conn.connect();
+    assertEquals(HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode());
+  }
 }
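Review bot: testHttpMethods asserts only that TRACE is rejected, while the commit title (and presumably `HttpServerUtil.constrainHttpMethods`) also covers OPTIONS, so a regression that re-enables OPTIONS would pass this test; the same gap exists in `checkHttpMethods` in TestThriftHttpServer.java. The HttpURLConnection opened on the new line 66 is also never released with `conn.disconnect()`. Assuming the helper rejects OPTIONS as the title states, I would loop over both methods and include the method name in the assertion message so a failure identifies which verb slipped through.
```java
  @Test
  public void testHttpMethods() throws Exception {
    // TRACE and OPTIONS must both be rejected (HBASE-20406)
    // See https://www.owasp.org/index.php/Cross_Site_Tracing
    for (String method : new String[] { "TRACE", "OPTIONS" }) {
      URL url = new URL(baseUrl, "/echo?a=b");
      HttpURLConnection conn = (HttpURLConnection) url.openConnection();
      try {
        conn.setRequestMethod(method);
        conn.connect();
        assertEquals(method, HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode());
      } finally {
        conn.disconnect();
      }
    }
  }
```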

http://git-wip-us.apache.org/repos/asf/hbase/blob/e6018903/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
----------------------------------------------------------------------
diff --git 
a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
 
b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
index 07c18a7..8292e91 100644
--- 
a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
+++ 
b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
@@ -100,6 +100,7 @@ import org.apache.hadoop.hbase.thrift.generated.TScan;
 import org.apache.hadoop.hbase.util.Bytes;
 import org.apache.hadoop.hbase.util.ConnectionCache;
 import org.apache.hadoop.hbase.util.DNS;
+import org.apache.hadoop.hbase.util.HttpServerUtil;
 import org.apache.hadoop.hbase.util.JvmPauseMonitor;
 import org.apache.hadoop.hbase.util.Strings;
 import org.apache.hadoop.security.SaslRpcServer.SaslGssCallbackHandler;
@@ -422,6 +423,7 @@ public class ThriftServerRunner implements Runnable {
     String httpPath = "/*";
     httpServer.setHandler(context);
     context.addServlet(new ServletHolder(thriftHttpServlet), httpPath);
+    HttpServerUtil.constrainHttpMethods(context);
 
     // set up Jetty and run the embedded server
     Connector connector = new SelectChannelConnector();
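Review bot: The new `HttpServerUtil.constrainHttpMethods(context);` call carries no explanation of what it constrains or why it must sit here, which matters because nothing in this hunk shows which verbs are affected. A one-line comment above it would do, e.g. `// Reject TRACE/OPTIONS on the Thrift HTTP endpoint (HBASE-20406); applied to the context before Jetty starts below`. The enclosing method starts and ends outside the hunk, so I cannot see whether any other handler is registered on this context after this point that would bypass the constraint.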

http://git-wip-us.apache.org/repos/asf/hbase/blob/e6018903/hbase-thrift/src/test/java/org/apache/hadoop/hbase/thrift/TestThriftHttpServer.java
----------------------------------------------------------------------
diff --git 
a/hbase-thrift/src/test/java/org/apache/hadoop/hbase/thrift/TestThriftHttpServer.java
 
b/hbase-thrift/src/test/java/org/apache/hadoop/hbase/thrift/TestThriftHttpServer.java
index cf14e87..ed91a29 100644
--- 
a/hbase-thrift/src/test/java/org/apache/hadoop/hbase/thrift/TestThriftHttpServer.java
+++ 
b/hbase-thrift/src/test/java/org/apache/hadoop/hbase/thrift/TestThriftHttpServer.java
@@ -22,6 +22,8 @@ import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.fail;
 
+import java.net.HttpURLConnection;
+import java.net.URL;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -40,6 +42,7 @@ import org.apache.thrift.protocol.TProtocol;
 import org.apache.thrift.transport.THttpClient;
 import org.apache.thrift.transport.TTransportException;
 import org.junit.AfterClass;
+import org.junit.Assert;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
@@ -166,8 +169,10 @@ public class TestThriftHttpServer {
       Thread.sleep(100);
     }
 
+    String url = "http://"+ HConstants.LOCALHOST + ":" + port;
     try {
-      talkToThriftServer(customHeaderSize);
+      checkHttpMethods(url);
+      talkToThriftServer(url, customHeaderSize);
     } catch (Exception ex) {
       clientSideException = ex;
     } finally {
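Review bot: `checkHttpMethods(url)` is placed inside a `try` whose `catch (Exception ex)` records `clientSideException`, but a failing `Assert.assertEquals` throws AssertionError, which is an Error and is not caught there; a non-forbidden TRACE therefore leaves the method through a different path than a Thrift client failure would. That still fails the test, so this is a consistency point rather than a bug, but if the code after the finally reports `clientSideException` (it continues outside the hunk, so I cannot see it), that reporting is skipped for this check. Calling `checkHttpMethods(url)` before the `try` would make the two failure modes distinct and explicit.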
@@ -184,11 +189,19 @@ public class TestThriftHttpServer {
     }
   }
 
+  private void checkHttpMethods(String url) throws Exception {
+    // HTTP TRACE method should be disabled for security
+    // See https://www.owasp.org/index.php/Cross_Site_Tracing
+    HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
+    conn.setRequestMethod("TRACE");
+    conn.connect();
+    Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN, 
conn.getResponseCode());
+  }
+
   private static volatile boolean tableCreated = false;
 
-  private void talkToThriftServer(int customHeaderSize) throws Exception {
-    THttpClient httpClient = new THttpClient(
-        "http://"+ HConstants.LOCALHOST + ":" + port);
+  private void talkToThriftServer(String url, int customHeaderSize) throws 
Exception {
+    THttpClient httpClient = new THttpClient(url);
     httpClient.open();
 
     if (customHeaderSize > 0) {
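Review bot: `Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode())` in the new checkHttpMethods uses a qualified call while the rest of this file statically imports its assertions (`assertFalse`, `assertNull`, `fail` at the top of the file), and the earlier hunk adds `import org.junit.Assert;` only for this one use. For consistency I would add `import static org.junit.Assert.assertEquals;` alongside the existing static imports and write `assertEquals(HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode());`, dropping the `org.junit.Assert` import. The method also never calls `conn.disconnect()` on the connection it opens.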
