[ https://issues.apache.org/jira/browse/KAFKA-7759?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16725447#comment-16725447 ]

ASF GitHub Bot commented on KAFKA-7759:
---------------------------------------

avocader opened a new pull request #6051: KAFKA-7759: Disable WADL output on 
OPTIONS method in Connect REST.
URL: https://github.com/apache/kafka/pull/6051
 
 
   Currently, the Connect REST endpoint replies to an OPTIONS request with verbose 
WADL information, which could be used for an attack. This was never documented 
or intended to be exposed. More discussion is [here](https://lists.apache.org/thread.html/84eb4538397ae4544d20c072c936d9a31f22f429a0891cbb7d8e2296@%3Cdev.kafka.apache.org%3E).
   
   Added unit tests in RestServerTest, which assert that calling `OPTIONS` on 
`/connectors` replies with a list of supported HTTP methods, with no WADL 
information.
   
   ### Committer Checklist (excluded from commit message)
   - [ ] Verify design and implementation 
   - [ ] Verify test coverage and CI build status
   - [ ] Verify documentation (including upgrade notes)
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Disable WADL output on OPTIONS method in Connect REST
> -----------------------------------------------------
>
>                 Key: KAFKA-7759
>                 URL: https://issues.apache.org/jira/browse/KAFKA-7759
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 2.1.0
>            Reporter: Oleksandr Diachenko
>            Assignee: Oleksandr Diachenko
>            Priority: Major
>             Fix For: 2.2.0
>
>
> Currently, Connect REST API exposes WADL output on OPTIONS method:
> {code}
> curl -i -X OPTIONS http://localhost:8083/connectors
> HTTP/1.1 200 OK
> Date: Fri, 07 Dec 2018 22:51:53 GMT
> Content-Type: application/vnd.sun.wadl+xml
> Allow: HEAD,POST,GET,OPTIONS
> Last-Modified: Fri, 07 Dec 2018 14:51:53 PST
> Content-Length: 1331
> Server: Jetty(9.4.12.v20180830)
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <application xmlns="http://wadl.dev.java.net/2009/02">
> <doc xmlns:jersey="http://jersey.java.net/" jersey:generatedBy="Jersey: 2.27 2018-04-10 07:34:57"/>
> <grammars>
> <include href="http://localhost:8083/application.wadl/xsd0.xsd">
> <doc title="Generated" xml:lang="en"/>
> </include>
> </grammars>
> <resources base="http://localhost:8083/">
> <resource path="connectors">
> <method id="createConnector" name="POST">
> <request>
> <param xmlns:xs="http://www.w3.org/2001/XMLSchema" name="forward" style="query" type="xs:boolean"/>
> <representation mediaType="application/json"/>
> </request>
> <response>
> <representation mediaType="application/json"/>
> </response>
> </method>
> <method id="listConnectors" name="GET">
> <request>
> <param xmlns:xs="http://www.w3.org/2001/XMLSchema" name="forward" style="query" type="xs:boolean"/>
> </request>
> <response>
> <representation mediaType="application/json"/>
> </response>
> </method>
> </resource>
> </resources>
> </application>
> {code}
> It was never documented and poses a potential security vulnerability, so it 
> should be disabled.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
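As a defender-side check for the behaviour this issue describes, the following Python script is an added example; it is not code from the pull request or from the Kafka project. It classifies an OPTIONS response by its Content-Type and Allow headers, summarises what a WADL body discloses (resource paths, HTTP methods, query parameters), and can probe a running Connect worker. The embedded response is constructed from the curl output quoted in the issue, trimmed to the parts inspected; the default host and port (localhost:8083) are the ones shown in the issue; the function names are my own.

```python
"""Check whether a Kafka Connect REST worker answers OPTIONS with a WADL document.

Added example for KAFKA-7759; not Kafka project code. Function names are
hypothetical. The embedded response is constructed from the curl output
quoted in the issue (abbreviated).
"""
import http.client
import sys
import xml.etree.ElementTree as ET

WADL_NS = "{http://wadl.dev.java.net/2009/02}"
WADL_MEDIA_TYPE = "application/vnd.sun.wadl+xml"

# Constructed sample: the WADL body from the issue, trimmed to the parts we inspect.
SAMPLE_WADL_BODY = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<application xmlns="http://wadl.dev.java.net/2009/02">
<resources base="http://localhost:8083/">
<resource path="connectors">
<method id="createConnector" name="POST">
<request>
<param xmlns:xs="http://www.w3.org/2001/XMLSchema" name="forward" style="query" type="xs:boolean"/>
<representation mediaType="application/json"/>
</request>
</method>
<method id="listConnectors" name="GET">
<request>
<param xmlns:xs="http://www.w3.org/2001/XMLSchema" name="forward" style="query" type="xs:boolean"/>
</request>
</method>
</resource>
</resources>
</application>"""

# Constructed sample headers, taken from the response quoted in the issue.
SAMPLE_HEADERS = {
    "content-type": "application/vnd.sun.wadl+xml",
    "allow": "HEAD,POST,GET,OPTIONS",
}


def describe_wadl(body):
    """Summarise what a WADL document discloses: one 'METHOD path?params' per method.

    Parse only responses you captured yourself; for untrusted XML prefer defusedxml.
    """
    root = ET.fromstring(body)
    revealed = []
    for resource in root.iter(WADL_NS + "resource"):
        path = resource.get("path", "")
        for method in resource.findall(WADL_NS + "method"):
            params = [p.get("name") for p in method.iter(WADL_NS + "param") if p.get("name")]
            entry = "%s %s" % (method.get("name", "?"), path)
            if params:
                entry += "?" + ",".join(params)
            revealed.append(entry)
    return revealed


def classify_options_response(headers, body):
    """Decide from an OPTIONS response whether WADL is exposed.

    headers: mapping of lower-cased header names to values. Returns a dict with
    'wadl_exposed', the parsed 'allow' list, and what the body 'revealed'.
    """
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    allow = [m.strip() for m in headers.get("allow", "").split(",") if m.strip()]
    exposed = media_type == WADL_MEDIA_TYPE
    revealed = describe_wadl(body) if exposed and body.strip() else []
    return {"wadl_exposed": exposed, "allow": allow, "revealed": revealed}


def probe(host="localhost", port=8083, path="/connectors", timeout=5):
    """Send OPTIONS to a running Connect worker and classify the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        body = resp.read().decode("utf-8", "replace")
        return classify_options_response(headers, body)
    finally:
        conn.close()


def report(result):
    """Human-readable verdict for one classification result."""
    if result["wadl_exposed"]:
        lines = ["WADL exposed on OPTIONS; it discloses:"] + ["  " + r for r in result["revealed"]]
    else:
        lines = ["No WADL on OPTIONS; Allow: " + ", ".join(result["allow"])]
    return "\n".join(lines)


if __name__ == "__main__":
    # With no argument, analyse the constructed sample; with HOST[:PORT], probe a live worker.
    if len(sys.argv) > 1:
        host, _, port = sys.argv[1].partition(":")
        print(report(probe(host, int(port or 8083))))
    else:
        print(report(classify_options_response(SAMPLE_HEADERS, SAMPLE_WADL_BODY)))
```

Run it with no arguments to see the sample classified as exposed, or with `worker-host:8083` to probe your own Connect worker; a patched worker should answer with only the Allow header and an empty, non-WADL body. The check keys on the Content-Type rather than on the body alone so that a `200 OK` with an empty body is reported as clean.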
