[ https://issues.apache.org/jira/browse/HBASE-15122?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15146984#comment-15146984 ]
Hudson commented on HBASE-15122: -------------------------------- SUCCESS: Integrated in HBase-1.3-IT #502 (See [https://builds.apache.org/job/HBase-1.3-IT/502/]) HBASE-15122 Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER (chenheng: rev 29ce46a67fc61f42d06d8d9fed507f65c5d620c4) * hbase-server/src/test/resources/ESAPI.properties * hbase-server/src/test/java/org/apache/hadoop/hbase/http/jmx/TestJMXJsonServlet.java * pom.xml * hbase-server/pom.xml * hbase-resource-bundle/src/main/resources/supplemental-models.xml * hbase-server/src/main/resources/ESAPI.properties * hbase-server/src/main/java/org/apache/hadoop/hbase/http/jmx/JMXJsonServlet.java > Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER findbugs warnings > --------------------------------------------------------------------------- > > Key: HBASE-15122 > URL: https://issues.apache.org/jira/browse/HBASE-15122 > Project: HBase > Issue Type: Bug > Reporter: stack > Assignee: Samir Ahmic > Priority: Critical > Fix For: 2.0.0, 1.3.0, 1.2.1, 1.1.4, 1.0.4 > > Attachments: HBASE-15122-v0-master, HBASE-15122.patch, > HBASE-15122_v1.patch, HBASE-15122_v2.patch, HBASE-15122_v3.patch > > > In our JMXJsonServlet we are doing this: > jsonpcb = request.getParameter(CALLBACK_PARAM); > if (jsonpcb != null) { > response.setContentType("application/javascript; charset=utf8"); > writer.write(jsonpcb + "("); > ... > Findbugs complains rightly. There are other instances in our servlets and > then there are the pages generated by jamon excluded from findbugs checking > (and findbugs volunteers that it is dumb in this regard finding only the most > egregious of violations). > We have no sanitizing tooling in hbase that I know of (correct me if I am > wrong). I started to pull on this thread and it runs deep. Our Jamon > templating (last updated in 2013 and before that, in 2011) engine doesn't > seem to have sanitizing means either and there seems to be outstanding XSS > complaint against jamon that goes unaddressed. > Could pull in something like > https://www.owasp.org/index.php/OWASP_Java_Encoder_Project and run all > emissions via it or get a templating engine that has sanitizing built in. -- This message was sent by Atlassian JIRA (v6.3.4#6332)