[ https://issues.apache.org/jira/browse/HBASE-15122?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15135857#comment-15135857 ]
Hudson commented on HBASE-15122: -------------------------------- FAILURE: Integrated in HBase-Trunk_matrix #688 (See [https://builds.apache.org/job/HBase-Trunk_matrix/688/]) Revert "HBASE-15122 Servlets generate (stack: rev d82ae421262b5adc242fd7e04d1c774cdb43e639) * hbase-server/src/test/resources/ESAPI.properties * hbase-server/src/main/java/org/apache/hadoop/hbase/http/jmx/JMXJsonServlet.java * hbase-resource-bundle/src/main/resources/supplemental-models.xml * pom.xml * hbase-server/pom.xml * hbase-server/src/test/java/org/apache/hadoop/hbase/http/jmx/TestJMXJsonServlet.java * hbase-server/src/main/resources/ESAPI.properties > Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER findbugs warnings > --------------------------------------------------------------------------- > > Key: HBASE-15122 > URL: https://issues.apache.org/jira/browse/HBASE-15122 > Project: HBase > Issue Type: Bug > Reporter: stack > Priority: Critical > Attachments: HBASE-15122-v0-master, HBASE-15122.patch, > HBASE-15122_v1.patch, HBASE-15122_v2.patch, HBASE-15122_v3.patch > > > In our JMXJsonServlet we are doing this: > jsonpcb = request.getParameter(CALLBACK_PARAM); > if (jsonpcb != null) { > response.setContentType("application/javascript; charset=utf8"); > writer.write(jsonpcb + "("); > ... > Findbugs complains rightly. There are other instances in our servlets and > then there are the pages generated by jamon excluded from findbugs checking > (and findbugs volunteers that it is dumb in this regard finding only the most > egregious of violations). > We have no sanitizing tooling in hbase that I know of (correct me if I am > wrong). I started to pull on this thread and it runs deep. Our Jamon > templating (last updated in 2013 and before that, in 2011) engine doesn't > seem to have sanitizing means either and there seems to be outstanding XSS > complaint against jamon that goes unaddressed. > Could pull in something like > https://www.owasp.org/index.php/OWASP_Java_Encoder_Project and run all > emissions via it or get a templating engine that has sanitizing built in. -- This message was sent by Atlassian JIRA (v6.3.4#6332)