[ https://issues.apache.org/jira/browse/HBASE-15122?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sean Busbey updated HBASE-15122: -------------------------------- Component/s: UI > Servlets generate XSS_REQUEST_PARAMETER_TO_SERVLET_WRITER findbugs warnings > --------------------------------------------------------------------------- > > Key: HBASE-15122 > URL: https://issues.apache.org/jira/browse/HBASE-15122 > Project: HBase > Issue Type: Bug > Components: UI > Reporter: stack > Assignee: Samir Ahmic > Priority: Critical > Fix For: 2.0.0, 1.2.0, 1.3.0, 1.1.4, 1.0.4 > > Attachments: HBASE-15122-v0-master, HBASE-15122.patch, > HBASE-15122_v1.patch, HBASE-15122_v2.patch, HBASE-15122_v3.patch > > > In our JMXJsonServlet we are doing this: > jsonpcb = request.getParameter(CALLBACK_PARAM); > if (jsonpcb != null) { > response.setContentType("application/javascript; charset=utf8"); > writer.write(jsonpcb + "("); > ... > Findbugs complains rightly. There are other instances in our servlets and > then there are the pages generated by jamon excluded from findbugs checking > (and findbugs volunteers that it is dumb in this regard finding only the most > egregious of violations). > We have no sanitizing tooling in hbase that I know of (correct me if I am > wrong). I started to pull on this thread and it runs deep. Our Jamon > templating (last updated in 2013 and before that, in 2011) engine doesn't > seem to have sanitizing means either and there seems to be outstanding XSS > complaint against jamon that goes unaddressed. > Could pull in something like > https://www.owasp.org/index.php/OWASP_Java_Encoder_Project and run all > emissions via it or get a templating engine that has sanitizing built in. -- This message was sent by Atlassian JIRA (v6.3.4#6332)