[jira] [Commented] (HBASE-15122) Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER findbugs warnings

Mon, 01 Feb 2016 10:42:08 -0800 

    [ 
https://issues.apache.org/jira/browse/HBASE-15122?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15126761#comment-15126761
 ] 

Sean Busbey commented on HBASE-15122:
-------------------------------------

yep, if this adds the dependencies then it also needs to include any needed 
license fixes. I thought in prior tickets we had decided to avoid adding the 
OWASP implementations ([~eclark] do you recall? I seem to recall you were the 
initial objection)

I'm concerned about the Xerces reference. We generally want to avoid bringing 
in Xerces (because it's a notorious pain on java classpaths). It's not your 
issue if something else brought it in, but we (the project) should figure out 
when/how that came in and if we can avoid it.

> Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER findbugs warnings
> ---------------------------------------------------------------------------
>
>                 Key: HBASE-15122
>                 URL: https://issues.apache.org/jira/browse/HBASE-15122
>             Project: HBase
>          Issue Type: Bug
>            Reporter: stack
>            Priority: Critical
>         Attachments: HBASE-15122.patch
>
>
> In our JMXJsonServlet we are doing this:
>         jsonpcb = request.getParameter(CALLBACK_PARAM);
>         if (jsonpcb != null) {
>           response.setContentType("application/javascript; charset=utf8");
>           writer.write(jsonpcb + "(");
> ... 
> Findbugs complains rightly. There are other instances in our servlets and 
> then there are the pages generated by jamon excluded from findbugs checking 
> (and findbugs volunteers that it is dumb in this regard finding only the most 
> egregious of violations).
> We have no sanitizing tooling in hbase that I know of (correct me if I am 
> wrong). I started to pull on this thread and it runs deep. Our Jamon 
> templating (last updated in 2013 and before that, in 2011) engine doesn't 
> seem to have sanitizing means either and there seems to be outstanding XSS 
> complaint against jamon that goes unaddressed.
> Could pull in something like 
> https://www.owasp.org/index.php/OWASP_Java_Encoder_Project and run all 
> emissions via it or get a templating engine that has sanitizing built in. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to