This is an automated email from the ASF dual-hosted git repository.
bteke pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/hadoop.git
The following commit(s) were added to refs/heads/trunk by this push:
new 9dda9119fe3 YARN-11923: YARN web proxy AmIpFilter allows TRACE,
bypassing sparkUI TRACE block (#8230)
9dda9119fe3 is described below
commit 9dda9119fe3c7a89f39fd0a807a19f5e4f89ea12
Author: Susheel Gupta <[email protected]>
AuthorDate: Wed Feb 11 00:11:31 2026 +0530
YARN-11923: YARN web proxy AmIpFilter allows TRACE, bypassing sparkUI TRACE
block (#8230)
* YARN-11923: YARN web proxy AmIpFilter allows TRACE, bypassing sparkUI
TRACE block
* avoided NPE in AmIpFilter when mocked requests return null
for getMethod()
* fixed eol
---
.../yarn/server/webproxy/amfilter/AmIpFilter.java | 7 ++++
.../server/webproxy/amfilter/TestAmFilter.java | 44 +++++++++++++++++++++-
2 files changed, 49 insertions(+), 2 deletions(-)
diff --git
a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/amfilter/AmIpFilter.java
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/amfilter/AmIpFilter.java
index 1b10d225552..777c012f359 100644
---
a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/amfilter/AmIpFilter.java
+++
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/main/java/org/apache/hadoop/yarn/server/webproxy/amfilter/AmIpFilter.java
@@ -138,6 +138,13 @@ public void doFilter(ServletRequest req, ServletResponse
resp,
HttpServletRequest httpReq = (HttpServletRequest)req;
HttpServletResponse httpResp = (HttpServletResponse)resp;
+ String method = httpReq.getMethod();
+ if (method != null && (method.equalsIgnoreCase("TRACE") ||
+ method.equalsIgnoreCase("TRACK"))) {
+ httpResp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+ return;
+ }
+
LOG.debug("Remote address for request is: {}", httpReq.getRemoteAddr());
if (!getProxyAddresses().contains(httpReq.getRemoteAddr())) {
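Review bot: The TRACE/TRACK rejection starting at `String method = httpReq.getMethod();` carries no comment saying why it has to live in this filter and ahead of the proxy-address check, so a later refactor could move it behind the redirect branch and quietly reopen YARN-11923; add `// Reject TRACE/TRACK here, before any redirect or proxying, so the method is never` / `// forwarded past this filter to an application that blocks it itself (YARN-11923).`. The `method != null` guard is, per the commit message, there only for mocked requests — a servlet container does not return null from getMethod() — so annotate it `// null only from mocked requests; a real container always sets the method` rather than leaving it to read as a deliberate pass-through for method-less requests. Separately, RFC 7231 §6.5.5 requires a 405 response to carry an `Allow` header and `sendError(SC_METHOD_NOT_ALLOWED)` sets none; this filter may not know the downstream resource's method set, so either set a best-effort `Allow` or consider whether 403 is the more honest status when no list can be given. doFilter's body continues on both sides of the hunk.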
diff --git
a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/test/java/org/apache/hadoop/yarn/server/webproxy/amfilter/TestAmFilter.java
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/test/java/org/apache/hadoop/yarn/server/webproxy/amfilter/TestAmFilter.java
index 4291e69c1ce..1b3545c767d 100644
---
a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/test/java/org/apache/hadoop/yarn/server/webproxy/amfilter/TestAmFilter.java
+++
b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-web-proxy/src/test/java/org/apache/hadoop/yarn/server/webproxy/amfilter/TestAmFilter.java
@@ -309,6 +309,46 @@ public void doFilter(ServletRequest servletRequest,
}
+ @Test
+ @Timeout(5000)
+ void testTraceAndTrackBlocked() throws Exception {
+ Map<String, String> params = new HashMap<String, String>();
+ params.put(AmIpFilter.PROXY_HOST, proxyHost);
+ params.put(AmIpFilter.PROXY_URI_BASE, proxyUri);
+ FilterConfig config = new DummyFilterConfig(params);
+
+ AmIpFilter testFilter = new AmIpFilter();
+ testFilter.init(config);
+
+ final AtomicBoolean chainCalled = new AtomicBoolean(false);
+ FilterChain chain = new FilterChain() {
+ @Override
+ public void doFilter(ServletRequest servletRequest,
+ ServletResponse servletResponse) throws IOException,
ServletException {
+ chainCalled.set(true);
+ }
+ };
+
+ HttpServletResponseForTest response = new HttpServletResponseForTest();
+
+ HttpServletRequest traceRequest = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(traceRequest.getMethod()).thenReturn("TRACE");
+ Mockito.when(traceRequest.getRemoteAddr()).thenReturn("127.0.0.1");
+ testFilter.doFilter(traceRequest, response, chain);
+ assertEquals(HttpServletResponse.SC_METHOD_NOT_ALLOWED, response.status);
+ assertFalse(chainCalled.get());
+
+ response.status = 0;
+ chainCalled.set(false);
+
+ HttpServletRequest trackRequest = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(trackRequest.getMethod()).thenReturn("TRACK");
+ Mockito.when(trackRequest.getRemoteAddr()).thenReturn("127.0.0.1");
+ testFilter.doFilter(trackRequest, response, chain);
+ assertEquals(HttpServletResponse.SC_METHOD_NOT_ALLOWED, response.status);
+ assertFalse(chainCalled.get());
+ }
+
private class HttpServletResponseForTest implements HttpServletResponse {
String redirectLocation = "";
int status;
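Review bot: testTraceAndTrackBlocked has no negative case, so nothing shows that the new check lets an ordinary method through — a regression that rejected every method would still pass; after the TRACK assertions, run a third mock with `Mockito.when(getRequest.getMethod()).thenReturn("GET");` through the same filter and `assertNotEquals(HttpServletResponse.SC_METHOD_NOT_ALLOWED, response.status);` (whether the chain is reached from 127.0.0.1 depends on the proxy-address setup, so assert only on the status). Since the filter compares with equalsIgnoreCase, a lowercase `"trace"` request would also pin that behaviour. If `@Timeout` here is JUnit 5's, its default unit is seconds, so `@Timeout(5000)` is roughly 83 minutes; use `@Timeout(value = 5000, unit = TimeUnit.MILLISECONDS)` if a 5-second bound was intended. The TRACE and TRACK blocks are identical apart from the method string and could be one loop over `new String[] {"TRACE", "TRACK"}`.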
@@ -368,12 +408,12 @@ public String encodeRedirectUrl(String url) {
@Override
public void sendError(int sc, String msg) throws IOException {
-
+ this.status = sc;
}
@Override
public void sendError(int sc) throws IOException {
-
+ this.status = sc;
}
@Override