[ 
https://issues.apache.org/jira/browse/HBASE-15946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15313189#comment-15313189
 ] 

Enis Soztutar commented on HBASE-15946:
---------------------------------------

Thanks for working on this. 

The run() method should never call System.exit(). It is broken already, but while 
we are at it, can you please fix it? run() should return the exitCode, and main 
will do the exit. In case you call it from Java via ToolRunner, this makes sure 
that the Tool does not quit the VM. 
{code}
+        if (exitCode != 0) {
+          System.exit(exitCode);
+        }
       } catch (IOException ex) {
         LOG.error("Error reading " + fileName, ex);
         System.exit(-2);
{code}
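Review bot: the added System.exit(exitCode) and the existing System.exit(-2) in the catch block both terminate the JVM from inside the method, so an in-process caller loses control on a non-zero result or an unreadable file. Return the code instead (return exitCode; and return -2; in the catch) and leave the single System.exit call to main. This matters more if the web UI moves to calling this code through the Java API, where an exit triggered by a bad file name would stop the hosting process.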

Can't we get the output stream of the jsp and write directly instead of routing 
through a temp file?
If security is a concern, instead of passing the full path to the page, we 
should instead pass the region name, table name and file name and let HBase 
figure out the location of the file. 

> Eliminate possible security concerns in RS web UI's store file metrics
> ----------------------------------------------------------------------
>
>                 Key: HBASE-15946
>                 URL: https://issues.apache.org/jira/browse/HBASE-15946
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Sean Mackrory
>            Assignee: Mikhail Antonov
>         Attachments: HBASE-15946-v1.patch
>
>
> More from static code analysis: it warns about the invoking of a separate 
> command ("hbase hfile -s -f ...") as a possible security issue in 
> hbase-server/src/main/resources/hbase-webapps/regionserver/storeFile.jsp.
> It looks to me like one cannot inject arbitrary shell script or even 
> arbitrary arguments: ProcessBuilder makes that fairly safe and only allows 
> the user to specify the argument that comes after -f. However that does 
> potentially allow them to have the daemon's user access files they shouldn't 
> be able to touch, albeit only for reading.
> To more explicitly eliminate any threats here, we should add some validation 
> that the file is at least within HBase's root directory and use the Java API 
> directly instead of invoking a separate executable.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
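
The two mitigations discussed in this thread (build the location from table, region and file names, and confirm the result stays under the root directory) can be sketched as follows. This is an added example, not code from the HBase patch: the class name, the `root/table/region/file` layout, the allowed character set and the use of `java.nio.file.Path` in place of a Hadoop filesystem path are all assumptions made for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

// Hypothetical helper: resolves a store file from request components only.
public class StoreFilePathResolver {
    // Assumed policy: conservative character set, no separators.
    private static final Pattern SAFE_NAME =
        Pattern.compile("[A-Za-z0-9_][A-Za-z0-9_.-]{0,254}");

    private final Path root;

    public StoreFilePathResolver(Path root) {
        this.root = root.toAbsolutePath().normalize();
    }

    /** Builds the path from components and rejects anything outside root. */
    public Path resolve(String table, String region, String file) {
        for (String part : new String[] {table, region, file}) {
            if (part == null || !SAFE_NAME.matcher(part).matches() || part.contains("..")) {
                throw new IllegalArgumentException("invalid path component");
            }
        }
        Path candidate = root.resolve(table).resolve(region).resolve(file).normalize();
        // Defence in depth: confirm containment even after the component checks.
        if (!candidate.startsWith(root)) {
            throw new IllegalArgumentException("path escapes root directory");
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample root and inputs.
        StoreFilePathResolver r = new StoreFilePathResolver(Paths.get("/hbase"));
        System.out.println("resolved: " + r.resolve("t1", "region-abc", "f1"));
        String[][] bad = {
            {"t1", "..", "f1"}, {"t1", "r1", "../../etc/passwd"}, {"/etc", "r1", "f1"}
        };
        for (String[] b : bad) {
            try {
                r.resolve(b[0], b[1], b[2]);
                System.out.println("accepted (unexpected)");
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The containment check compares whole path elements, so a sibling directory such as `/hbase-other` does not pass as being under `/hbase`. Symbolic links are not resolved here; a local-filesystem version would also compare real paths.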
