We won't be needing a fix for this (CID 167355), as we have already handled CSRF in RangerCSRFPreventionFilter for PUT, POST and DELETE requests from the UI.
On Thu, Oct 5, 2017 at 11:38 PM, Abhay Kulkarni <akulka...@hortonworks.com> wrote:
> Ranger contributors/committers,
>
> Please review and fix as appropriate.
>
> Thanks!
> -Abhay
>
> On 10/5/17, 12:44 AM, "scan-ad...@coverity.com" <scan-ad...@coverity.com>
> wrote:
>
> >
> >Hi,
> >
> >Please find the latest report on new defect(s) introduced to Apache
> >Ranger found with Coverity Scan.
> >
> >1 new defect(s) introduced to Apache Ranger found with Coverity Scan.
> >3 defect(s), reported by Coverity Scan earlier, were marked fixed in the
> >recent build analyzed by Coverity Scan.
> >
> >New defect(s) Reported-by: Coverity Scan
> >Showing 1 of 1 defect(s)
> >
> >
> >** CID 167355: High impact security (CSRF)
> >/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java: 1145
> >in
> >org.apache.ranger.rest.XUserREST.deleteSingleGroupByGroupId(javax.servlet.http.HttpServletRequest, java.lang.Long)()
> >
> >
> >__________________________________________________________________________
> >______________________________
> >*** CID 167355: High impact security (CSRF)
> >/security-admin/src/main/java/org/apache/ranger/rest/XUserREST.java: 1145
> >in
> >org.apache.ranger.rest.XUserREST.deleteSingleGroupByGroupId(javax.servlet.http.HttpServletRequest, java.lang.Long)()
> >1139 }
> >1140
> >1141 @DELETE
> >1142 @Path("/secure/groups/id/{groupId}")
> >1143 @Produces({ "application/xml", "application/json" })
> >1144 @PreAuthorize("hasRole('ROLE_SYS_ADMIN')")
> >>>> CID 167355: High impact security (CSRF)
> >>>> No CSRF protection was detected anywhere in this application. If
> >>>>this is not correct, please refer to the CSRF checker reference on how
> >>>>to specify it via checker option.
> >1145 public void deleteSingleGroupByGroupId(@Context HttpServletRequest request, @PathParam("groupId") Long groupId) {
> >1146 String forceDeleteStr = request.getParameter("forceDelete");
> >1147 boolean forceDelete = false;
> >1148 if (StringUtils.isNotEmpty(forceDeleteStr) && "true".equalsIgnoreCase(forceDeleteStr)) {
> >1149 forceDelete = true;
> >1150 }
> >
> >
> >__________________________________________________________________________
> >______________________________
> >To view the defects in Coverity Scan visit,
> >https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V
> >05UPxvVjWch-2Bd2MGckcRZSbhom32dlDl11LWEm9nX11zsOWMf5dv3Q9Mogo-2FGua3FsLRTF
> >ft2V-2FOFC9o0P2e0-3D_eYGgfjRVvnymu7-2Fg39LOcg-2Fwh01uR5A1l1-2BVcR3oH7pU8UU
> >tymA61jLVPU8teODZcUnEX5B-2B5hX1eFAt8zyDkMf5MtEV28Pb4WsJEO8N8Kfxc-2ByhjhR1q
> >MXymSicoD6FE0Xx-2Ba-2BwyEP1-2BYlAg8tBkmxe20hj-2FwktsbrcOifoTUjZaLnqFkEP4eV
> >nJnYsYl-2BY7Fw6TM8FVssdZqtJYgThFTCu6NKtlAYJqGSZUma3Fnk-3D
> >
> >To manage Coverity Scan email notifications for
> >"akulka...@hortonworks.com", click
> >https://u2389337.ct.sendgrid.net/wf/click?upn=08onrYu34A-2BWcWUl-2F-2BfV0V
> >05UPxvVjWch-2Bd2MGckcRbVDbis712qZDP-2FA8y06Nq4rq896qxTW4IjcOjjCxcjhdwy7bkx
> >0GaYF4jcZRTENcC8UedPeL4l2t0VBzV197ihjH14Ve5jAkEZTKufdAcDuKGDIx74O-2BWzK0Pb
> >pXpwQLY-3D_eYGgfjRVvnymu7-2Fg39LOcg-2Fwh01uR5A1l1-2BVcR3oH7pU8UUtymA61jLVP
> >U8teODZcUnEX5B-2B5hX1eFAt8zyDkNjLEGz8ctryIMUAs1YwGqx3pLyLgLlMSPemMYFX-2FjZ
> >-2BgLVVAMkO15jBW1SDLKiLTHxoQM9wbbMoKO8RQX8NT7-2FApHycHav1J274XVOSzaOHsuYRO
> >OQv2UY5NyZpyHapPo5xJCFCBZla3x0wJgIH21k-3D
> >
> >

-- 
Regards,
Nikhil Purbhe
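The thread above turns on a point a static checker cannot see: the DELETE resource method carries no CSRF check of its own, but a servlet filter in front of the whole REST layer rejects PUT, POST and DELETE requests that lack a custom header, so Coverity's "no CSRF protection detected" is a false positive. The filter below is an added illustration of that pattern written for this page; it is not Ranger's RangerCSRFPreventionFilter, and the class name, the header name X-XSRF-HEADER and the 400 response are assumptions chosen for the example. The protection works because a browser will not attach a custom header to a cross-site form submission or a "simple" cross-origin request, and a cross-origin XHR that tries to add one is blocked at the CORS preflight unless the server explicitly permits it.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical header-based CSRF prevention filter (illustration only, not
 * Ranger's RangerCSRFPreventionFilter). Every state-changing method must carry
 * a custom request header that the application's own UI adds to its calls.
 */
public class HeaderCsrfPreventionFilter implements Filter {
    /** Assumed header name; any name the UI and the filter agree on works. */
    static final String CSRF_HEADER = "X-XSRF-HEADER";

    /** Safe methods (RFC 7231) that must not change state and are exempt. */
    static final Set<String> SAFE_METHODS = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList("GET", "HEAD", "OPTIONS", "TRACE")));

    /**
     * Pure policy decision, kept separate so it can be unit-tested without a
     * servlet container: safe methods pass; PUT, POST, DELETE, PATCH and any
     * other method pass only when the custom header is present.
     */
    static boolean isAllowed(String method, String csrfHeaderValue) {
        if (method == null) {
            return false;
        }
        if (SAFE_METHODS.contains(method.toUpperCase())) {
            return true;
        }
        return csrfHeaderValue != null;
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // Nothing to configure in this illustration.
    }

    @Override
    public void destroy() {
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        if (isAllowed(http.getMethod(), http.getHeader(CSRF_HEADER))) {
            chain.doFilter(req, res);
            return;
        }
        // Reject before the JAX-RS resource (for example a DELETE handler) runs.
        ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST,
                "Missing required header " + CSRF_HEADER + " on " + http.getMethod());
    }

    /** Small demonstration of the policy on constructed inputs. */
    public static void main(String[] args) {
        // A cross-site form post or forged DELETE from a victim's browser: no header.
        System.out.println("DELETE without header -> allowed=" + isAllowed("DELETE", null));
        // The application's own UI adds the header to its XHR calls.
        System.out.println("DELETE with header    -> allowed=" + isAllowed("DELETE", "1"));
        // Read-only methods are exempt, header or not.
        System.out.println("GET without header    -> allowed=" + isAllowed("GET", null));
    }
}
```

Two things decide whether such a filter actually closes the finding: its mapping in web.xml must cover every path that the REST resources are served from, and the server's CORS configuration must not list the custom header in Access-Control-Allow-Headers for arbitrary origins, since that would let a cross-origin page pass the preflight and supply the header itself. Because the check lives in the filter chain rather than in the resource method, a checker that only inspects the JAX-RS class will keep reporting endpoints like deleteSingleGroupByGroupId; the Coverity message itself points at the checker option for declaring the application's CSRF mechanism so the finding can be suppressed at the source.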