[
https://issues.apache.org/jira/browse/ACCUMULO-4677?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16265856#comment-16265856
]
Kyle Van Gilson commented on ACCUMULO-4677:
-------------------------------------------
There has been a lot of discussion/comments on this ticket over on GitHub. The
condensed version is that some underlying dependencies and code were changed
between the initial opening of the PR etc. The PR now successfully builds via
Travis but there are 2 things I wanted to highlight.
1. I found a separate bug in the monitor table hyperlinks present on the master
branch (nothing to do with this ticket / PR). The links in the
http://localhost:9995/tables/ display page are all linked as
http://localhost:9995/tables/[object%20Object]. I will open a separate ticket
for this, but it looks like the issue may be somewhere in the JavaScript section
of the monitor resources and I'm not familiar enough with that code to be able
to fix it.
2. Invoking the links (when corrected by hand to the tableId) does the endpoint
validation correctly, but the response messages probably need to be prettied
up a bit.
3. There are dependency mismatches between the versions of Jetty and Jersey
being used; 9.3.21.v20170918 and 2.25.1 respectively. Parts of Jersey 2.25.1
carry a dependency on Jetty 9.2.14.v20151106 according to Maven Central. The
version of Jersey which finally moves to a more recent version is 2.26-b04 (and
up), which jumps to Jetty 9.4.3.v20170317; it completely skips the 9.3.x series.
This doesn't seem to cause an issue at runtime, but if there is a move to
Jersey 2.26 in the future it doesn't look to be backwards compatible with the
older version of Jetty.
> Sanitize @PathParam and @QueryParam parameters in new REST-based monitor
> ------------------------------------------------------------------------
>
> Key: ACCUMULO-4677
> URL: https://issues.apache.org/jira/browse/ACCUMULO-4677
> Project: Accumulo
> Issue Type: Bug
> Components: monitor
> Reporter: Christopher Tubbs
> Assignee: Kyle Van Gilson
> Priority: Blocker
> Labels: pull-request-available
> Fix For: 2.0.0
>
> Time Spent: 6h 10m
> Remaining Estimate: 0h
>
> Following on the issue identified in ACCUMULO-4660, I verified that
> parameters to the REST-based monitor (ACCUMULO-3005) resources need
> sanitization as well.
> All {{@PathParam}} and {{@QueryParam}} annotated fields should be sanitized.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
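The kind of sanitization the ticket asks for, shown as an added example that is not Accumulo's own monitor code: a JAX-RS resource that checks every @PathParam and @QueryParam value against an allow-list pattern before using it, and answers 400 instead of echoing the raw value back. The resource path, the `server` query parameter and the two patterns are assumptions for the example; the table-id pattern only reflects the ids the author has seen (e.g. "1", "+r", "!0") and is not the project's definition.

```java
import java.util.regex.Pattern;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;

@Path("/tables")
public class TablesResource {

  // Allow-lists are assumptions for this example, not the project's own rules.
  // Table ids: short alphanumeric strings plus the "+r" / "!0" style system ids.
  private static final Pattern TABLE_ID = Pattern.compile("^[0-9A-Za-z!+]{1,32}$");
  // host[:port] for a tablet server; no path characters, no whitespace.
  private static final Pattern SERVER =
      Pattern.compile("^[0-9A-Za-z][0-9A-Za-z.\\-]{0,253}(:[0-9]{1,5})?$");

  /** Return the value if it matches the allow-list, otherwise fail the request. */
  static String require(Pattern allowed, String paramName, String value) {
    if (value == null || !allowed.matcher(value).matches()) {
      // Report only the parameter name: the rejected value never reaches the
      // response body, so it cannot be reflected into the monitor page.
      throw new BadRequestException("invalid value for parameter " + paramName);
    }
    return value;
  }

  @GET
  @Path("/{tableId}")
  @Produces(MediaType.APPLICATION_JSON)
  public String tableDetails(@PathParam("tableId") String tableId,
                             @QueryParam("server") String server) {
    String safeId = require(TABLE_ID, "tableId", tableId);
    // Optional parameters are validated only when present.
    String safeServer = (server == null) ? null : require(SERVER, "server", server);

    // Downstream lookups (hypothetical) see only validated values.
    return "{\"tableId\":\"" + safeId + "\""
        + (safeServer == null ? "" : ",\"server\":\"" + safeServer + "\"") + "}";
  }
}
```

A request such as GET /tables/%3Cscript%3E is rejected with 400 before any lookup runs, while GET /tables/%2Br passes because "+r" is in the allow-list.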