stack created HBASE-15122:
-----------------------------

             Summary: Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER
                 Key: HBASE-15122
                 URL: https://issues.apache.org/jira/browse/HBASE-15122
             Project: HBase
          Issue Type: Bug
            Reporter: stack
            Priority: Critical


In our JMXJsonServlet we are doing this:

        jsonpcb = request.getParameter(CALLBACK_PARAM);
        if (jsonpcb != null) {
          response.setContentType("application/javascript; charset=utf8");
          writer.write(jsonpcb + "(");

... 

Findbugs complains rightly. There are other instances in our servlets and then 
there are the pages generated by jamon excluded from findbugs checking (and 
findbugs volunteers that it is dumb in this regard, finding only the most 
egregious of violations).

We have no sanitizing tooling in hbase that I know of (correct me if I am 
wrong). I started to pull on this thread and it runs deep. Our Jamon templating 
engine (last updated in 2013 and before that, in 2011) doesn't seem to have 
sanitizing means either, and there seems to be an outstanding XSS complaint 
against jamon that goes unaddressed.

Could pull in something like 
https://www.owasp.org/index.php/OWASP_Java_Encoder_Project and run all 
emissions via it or get a templating engine that has sanitizing built in. 
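As an added example (not code from HBase or from the reporter), here is one way to close the gap in the servlet snippet above: the callback parameter is validated against a strict JavaScript identifier pattern before it is echoed, and values destined for an HTML context go through the OWASP Java Encoder (assumed to be on the classpath as org.owasp.encoder). The class and method names are hypothetical.

```java
import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.encoder.Encode;

// Hypothetical helper, not HBase's JMXJsonServlet: shows how to keep a raw
// request parameter from reaching the response writer unchecked.
public final class JsonpCallbackGuard {
  static final String CALLBACK_PARAM = "callback";

  // A JSONP callback must be a (dotted) JavaScript identifier. Quotes,
  // parentheses, angle brackets and whitespace never match, so a crafted
  // callback value cannot change the meaning of the emitted script.
  private static final Pattern SAFE_CALLBACK =
      Pattern.compile("^[A-Za-z_$][A-Za-z0-9_$]*(?:\\.[A-Za-z_$][A-Za-z0-9_$]*)*$");

  static boolean isSafeCallback(String cb) {
    return cb != null && cb.length() <= 128 && SAFE_CALLBACK.matcher(cb).matches();
  }

  // Hardened counterpart of the snippet in the report: the name is validated
  // first, so only characters from a known-safe alphabet reach the writer.
  static void writeJsonp(HttpServletRequest request, HttpServletResponse response,
      String jsonBody) throws IOException {
    String jsonpcb = request.getParameter(CALLBACK_PARAM);
    // Stops browsers from second-guessing the declared content type.
    response.setHeader("X-Content-Type-Options", "nosniff");
    if (jsonpcb == null) {
      response.setContentType("application/json; charset=utf8");
      response.getWriter().write(jsonBody);
      return;
    }
    if (!isSafeCallback(jsonpcb)) {
      // Reject rather than "clean up": there is no safe partial callback.
      response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid callback name");
      return;
    }
    response.setContentType("application/javascript; charset=utf8");
    response.getWriter().write(jsonpcb + "(" + jsonBody + ");");
  }

  // For values emitted into HTML (e.g. Jamon-generated status pages), encode
  // for the HTML context; Encode.forHtml comes from the OWASP Java Encoder
  // project linked above.
  static String htmlSafe(String untrusted) {
    return Encode.forHtml(untrusted);
  }
}
```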


