[jira] [Commented] (HBASE-15122) Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER findbugs warnings

Mon, 15 Feb 2016 08:17:44 -0800 

    [ 
https://issues.apache.org/jira/browse/HBASE-15122?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15147538#comment-15147538
 ] 

Hudson commented on HBASE-15122:
--------------------------------

SUCCESS: Integrated in HBase-1.1-JDK7 #1663 (See 
[https://builds.apache.org/job/HBase-1.1-JDK7/1663/])
HBASE-15122 Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER 
(chenheng: rev a6f53600ddcd489dc671aa0eddcc4bc1f7f87978)
* 
hbase-server/src/test/java/org/apache/hadoop/hbase/http/jmx/TestJMXJsonServlet.java
* pom.xml
* 
hbase-server/src/main/java/org/apache/hadoop/hbase/http/jmx/JMXJsonServlet.java
* hbase-server/src/test/resources/ESAPI.properties
* hbase-server/pom.xml
* hbase-server/src/main/resources/ESAPI.properties
* hbase-resource-bundle/src/main/resources/supplemental-models.xml


> Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER findbugs warnings
> ---------------------------------------------------------------------------
>
>                 Key: HBASE-15122
>                 URL: https://issues.apache.org/jira/browse/HBASE-15122
>             Project: HBase
>          Issue Type: Bug
>            Reporter: stack
>            Assignee: Samir Ahmic
>            Priority: Critical
>             Fix For: 2.0.0, 1.3.0, 1.2.1, 1.1.4, 1.0.4
>
>         Attachments: HBASE-15122-v0-master, HBASE-15122.patch, 
> HBASE-15122_v1.patch, HBASE-15122_v2.patch, HBASE-15122_v3.patch
>
>
> In our JMXJsonServlet we are doing this:
>         jsonpcb = request.getParameter(CALLBACK_PARAM);
>         if (jsonpcb != null) {
>           response.setContentType("application/javascript; charset=utf8");
>           writer.write(jsonpcb + "(");
> ... 
> Findbugs complains rightly. There are other instances in our servlets and 
> then there are the pages generated by jamon excluded from findbugs checking 
> (and findbugs volunteers that it is dumb in this regard finding only the most 
> egregious of violations).
> We have no sanitizing tooling in hbase that I know of (correct me if I am 
> wrong). I started to pull on this thread and it runs deep. Our Jamon 
> templating (last updated in 2013 and before that, in 2011) engine doesn't 
> seem to have sanitizing means either and there seems to be outstanding XSS 
> complaint against jamon that goes unaddressed.
> Could pull in something like 
> https://www.owasp.org/index.php/OWASP_Java_Encoder_Project and run all 
> emissions via it or get a templating engine that has sanitizing built in. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to