[ https://issues.apache.org/jira/browse/HBASE-15187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15163277#comment-15163277 ]
stack commented on HBASE-15187:
-------------------------------
Answer my questions [~ted_yu] please. They are simple enough. I think I know what the answers are but am asking you since you are the one hauling in the patch.

I started reading your citations but it just made me want to ask more questions (Chris describes NN attack which made me wonder what the equivalent CSRF attack vector in hbase would look like -- do you know? Stick it in the description if you do... the design doc talks about REST but why are our other servlets not also vulnerable -- the OWASP page you cite doesn't say anything about REST-only?)

The pointer to HBASE-15122 is immediately about XSS but I was referring to the fact that it pulls in the OWASP library which seems well conversant with CSRF attacks (going by the page you cite). I mentioned HBASE-15122 because I was wondering whether the OWASP library has tooling to help with CSRF (It seems like no magic bullet, just a bunch of policy to be applied -- but I was asking you).
> Integrate CSRF prevention filter to REST gateway
> ------------------------------------------------
>
> Key: HBASE-15187
> URL: https://issues.apache.org/jira/browse/HBASE-15187
> Project: HBase
> Issue Type: Bug
> Reporter: Ted Yu
> Assignee: Ted Yu
> Attachments: HBASE-15187.v1.patch, HBASE-15187.v2.patch,
> HBASE-15187.v3.patch, HBASE-15187.v4.patch, HBASE-15187.v5.patch,
> HBASE-15187.v6.patch, HBASE-15187.v7.patch, HBASE-15187.v8.patch
>
>
> HADOOP-12691 introduced a filter in Hadoop Common to help REST APIs guard
> against cross-site request forgery attacks.
> This issue tracks the integration of that filter into HBase REST gateway.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
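For readers following the issue, here is an added, self-contained illustration of the kind of CSRF-prevention filter the description refers to: a servlet filter that lets safe methods through and rejects every state-changing request that does not carry a custom request header. It is not the Hadoop Common filter from HADOOP-12691 and not the code in the attached HBASE-15187 patches; the class name, header name, init-param names and default method list are all assumptions chosen for the example. The defensive idea it demonstrates is that a browser cannot add an arbitrary custom header to a cross-site form submission or resource load, so requiring one on non-idempotent requests denies a forged cross-site request before any handler runs.

```java
// Added illustrative example (not HBase or Hadoop code): a minimal
// CSRF-prevention servlet filter for a REST gateway.
// Assumptions: class name, header name, init-param names and the
// default ignore list are hypothetical and not project config keys.
import java.io.IOException;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RequireCustomHeaderFilter implements Filter {

  // Hypothetical init-param names (assumptions for this example only).
  static final String HEADER_PARAM = "custom-header";
  static final String IGNORE_METHODS_PARAM = "methods-to-ignore";
  // Any header name works; only its presence is checked, never its value.
  static final String DEFAULT_HEADER = "X-CSRF-HEADER";
  // Methods that must not change state and so are not gated.
  static final String DEFAULT_IGNORE = "GET,OPTIONS,HEAD,TRACE";

  private String headerName = DEFAULT_HEADER;
  private Set<String> methodsToIgnore = parseMethods(DEFAULT_IGNORE);

  @Override
  public void init(FilterConfig cfg) {
    String h = cfg.getInitParameter(HEADER_PARAM);
    if (h != null && !h.isEmpty()) {
      headerName = h;
    }
    String ignore = cfg.getInitParameter(IGNORE_METHODS_PARAM);
    if (ignore != null) {
      methodsToIgnore = parseMethods(ignore);
    }
  }

  // Turn "GET, HEAD" into an upper-cased set so comparisons are case-insensitive.
  static Set<String> parseMethods(String csv) {
    Set<String> s = new HashSet<>();
    for (String m : csv.split(",")) {
      String t = m.trim().toUpperCase(Locale.ROOT);
      if (!t.isEmpty()) {
        s.add(t);
      }
    }
    return s;
  }

  // Pure decision logic, separated from servlet plumbing so it is unit-testable.
  boolean isAllowed(String method, String headerValue) {
    if (methodsToIgnore.contains(method.toUpperCase(Locale.ROOT))) {
      return true; // idempotent method: not a CSRF target in this model
    }
    return headerValue != null; // presence of the custom header is what matters
  }

  @Override
  public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest httpReq = (HttpServletRequest) req;
    HttpServletResponse httpRes = (HttpServletResponse) res;
    if (isAllowed(httpReq.getMethod(), httpReq.getHeader(headerName))) {
      chain.doFilter(req, res);
    } else {
      // Reject before any handler runs; a plain error is preferable to a
      // redirect, which a caller could follow with the same forged request.
      httpRes.sendError(HttpServletResponse.SC_BAD_REQUEST,
          "Missing required header " + headerName);
    }
  }

  @Override
  public void destroy() {
    // nothing to release
  }
}
```

Two practical checks when wiring a filter like this: it only protects the servlets it is actually mapped to, so every endpoint that can change state needs to sit behind it, and every legitimate client (scripts using curl included) has to be updated to send the header, which is why the filter is deliberately configurable rather than hard-coded.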