Thanks Paul. Filed DRILL-7351 for this. It's worth noting that hosting a web app (such as the Drill web UI) does not prevent CSRF attacks, as a malicious web site can still attempt to call into private/non-public websites (e.g. from JavaScript in the browser); it may not get access to the reply, but even then it can trigger a mutation (e.g. a POST request) on the private web app.

Best regards,
Dondi

On Fri, Aug 16, 2019 at 11:58 AM Paul Rogers <[email protected]> wrote:
> Hi Don,
>
> The one saving grace is that no one should ever host the Drill web UI on a public-facing web site. The UI provides lots of admin operations that one would not really want to expose openly.
>
> A much better solution would be to wrap Drill in a custom-made web app that controls what someone can do; the same way that a DB is exposed via a custom app, not by a public-facing PhpMyAdmin...
>
> Still, this should be fixed. Please file a JIRA with your findings.
>
> Thanks,
> - Paul
>
> On Thursday, August 15, 2019, 8:33:19 PM PDT, Don Perial <[email protected]> wrote:
>
> It seems that there is no way to protect the WebUI from CSRF, and the fact that the value for the access-control-allow-origin header is '*' appears to confound this issue as well. I have searched the documentation and also did quite a bit of Googling but have not seen any references to this. Is this known and/or intended behavior?
> The attached file should demonstrate the (elementary) attack.
>
> Thanks in advance,
> P
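The defensive counterpart to the point Dondi makes above, as an added example that is not from this thread or from Drill's code base: a server-side check that refuses state-changing requests whose Origin (or, failing that, Referer) does not match the UI's own origin. It assumes the UI is served from http://localhost:8047 and uses https://evil.example as a placeholder for a third-party page; `Access-Control-Allow-Origin: *` only governs whether the other page can read the reply, not whether the browser sends the request, which is why the check has to happen before the mutation.

```python
"""Origin/Referer-based CSRF check for state-changing requests (added example).

A browser will send a cross-site POST regardless of CORS headers; CORS only
decides whether the calling page may read the response. So the server must
decide, from the request itself, whether to perform the mutation at all.
"""
from urllib.parse import urlsplit

# Methods that must not change server state, so they need no origin check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url):
    """Reduce a URL (an Origin or Referer value) to scheme://host[:port].

    Returns None for values that carry no usable origin, e.g. the literal
    string "null" that browsers send for opaque origins.
    """
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_check(method, headers, allowed_origins):
    """Return (allowed, reason) for one request.

    headers: dict of request headers, matched case-insensitively.
    allowed_origins: the origins the UI is legitimately served from.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    lowered = {k.lower(): v for k, v in headers.items()}
    # Origin is authoritative when present; Referer is the fallback.
    source = lowered.get("origin") or lowered.get("referer")
    if source is None:
        return False, "state-changing request without Origin/Referer"
    origin = origin_of(source)
    if origin is None:
        return False, "unparseable or opaque Origin/Referer"
    if origin in {o.lower() for o in allowed_origins}:
        return True, f"same-origin request from {origin}"
    return False, f"cross-site request from {origin} rejected"


# Constructed sample requests (assumed UI origin; placeholder attacker origin).
UI_ORIGIN = "http://localhost:8047"
SAMPLES = [
    ("POST", {"Origin": UI_ORIGIN}),                    # the UI's own form
    ("POST", {"Origin": "https://evil.example"}),       # cross-site page
    ("POST", {"Referer": f"{UI_ORIGIN}/query"}),        # older client, Referer only
    ("POST", {}),                                       # no provenance at all
]

if __name__ == "__main__":
    for method, hdrs in SAMPLES:
        print(method, hdrs, "->", csrf_check(method, hdrs, [UI_ORIGIN]))
```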
