[jira] [Work logged] (HADOOP-18069) CVE-2021-0341 in okhttp@2.7.5 detected in hdfs-client

ASF GitHub Bot (Jira) Mon, 25 Apr 2022 07:10:07 -0700


     [ 
https://issues.apache.org/jira/browse/HADOOP-18069?focusedWorklogId=761811&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-761811
 ]


ASF GitHub Bot logged work on HADOOP-18069:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 25/Apr/22 14:09
            Start Date: 25/Apr/22 14:09
    Worklog Time Spent: 10m 
      Work Description: ashutoshcipher commented on code in PR #4229:
URL: https://github.com/apache/hadoop/pull/4229#discussion_r857669299


##########
hadoop-hdfs-project/hadoop-hdfs-client/src/main/java/org/apache/hadoop/hdfs/web/oauth2/ConfRefreshTokenBasedAccessTokenProvider.java:
##########
@@ -103,36 +104,39 @@ public synchronized String getAccessToken() throws 
IOException {
 
   void refresh() throws IOException {
     try {
-      OkHttpClient client = new OkHttpClient();
-      client.setConnectTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT,
-          TimeUnit.MILLISECONDS);
-      client.setReadTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT,
-                TimeUnit.MILLISECONDS);
+      OkHttpClient client =
+          new 
OkHttpClient.Builder().connectTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT,
+                  TimeUnit.MILLISECONDS)
+              .readTimeout(URLConnectionFactory.DEFAULT_SOCKET_TIMEOUT, 
TimeUnit.MILLISECONDS)
+              .build();
 
-      String bodyString = Utils.postBody(GRANT_TYPE, REFRESH_TOKEN,
-          REFRESH_TOKEN, refreshToken,
-          CLIENT_ID, clientId);
+      String bodyString =
+          Utils.postBody(GRANT_TYPE, REFRESH_TOKEN, REFRESH_TOKEN, 
refreshToken, CLIENT_ID,
+              clientId);
 
       RequestBody body = RequestBody.create(URLENCODED, bodyString);
 
-      Request request = new Request.Builder()
-          .url(refreshURL)
-          .post(body)
-          .build();
+      Request request = new 
Request.Builder().url(refreshURL).post(body).build();
       Response responseBody = client.newCall(request).execute();
 
-      if (responseBody.code() != HttpStatus.SC_OK) {
-        throw new IllegalArgumentException("Received invalid http response: "
-            + responseBody.code() + ", text = " + responseBody.toString());
-      }
+      if (responseBody != null) {
+
+        if (responseBody.code() != HttpStatus.SC_OK) {
+          throw new IllegalArgumentException(
+              "Received invalid http response: " + responseBody.code() + ", 
text = "
+                  + responseBody);
+        }
+
+        Map<?, ?> response = JsonSerialization.mapReader()
+            .readValue(Objects.requireNonNull(responseBody.body()).string());
 
-      Map<?, ?> response = JsonSerialization.mapReader().readValue(
-          responseBody.body().string());
+        String newExpiresIn = response.get(EXPIRES_IN).toString();
+        accessTokenTimer.setExpiresIn(newExpiresIn);
 
-      String newExpiresIn = response.get(EXPIRES_IN).toString();
-      accessTokenTimer.setExpiresIn(newExpiresIn);
+        accessToken = response.get(ACCESS_TOKEN).toString();
+
+      }

Review Comment:
   Tried minimizing the formatting change.





Issue Time Tracking
-------------------

    Worklog Id:     (was: 761811)
    Time Spent: 1.5h  (was: 1h 20m)

> CVE-2021-0341 in okhttp@2.7.5 detected in hdfs-client  
> -------------------------------------------------------
>
>                 Key: HADOOP-18069
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18069
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: hdfs-client
>    Affects Versions: 3.3.1
>            Reporter: Eugene Shinn (Truveta)
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> Our static vulnerability scanner (Fortify On Demand) detected [NVD - 
> CVE-2021-0341 
> (nist.gov)|https://nvd.nist.gov/vuln/detail/CVE-2021-0341#VulnChangeHistorySection]
>  in our application. We traced the vulnerability to a transitive dependency 
> coming from hadoop-hdfs-client, which depends on okhttp@2.7.5 
> ([hadoop/pom.xml at trunk · apache/hadoop 
> (github.com)|https://github.com/apache/hadoop/blob/trunk/hadoop-project/pom.xml#L137]).
>  To resolve this issue, okhttp should be upgraded to 4.9.2+ (ref: 
> [CVE-2021-0341 · Issue #6724 · square/okhttp 
> (github.com)|https://github.com/square/okhttp/issues/6724]).



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

[jira] [Work logged] (HADOOP-18069) CVE-2021-0341 in okhttp@2.7.5 detected in hdfs-client

Reply via email to