[jira] [Commented] (SENTRY-2120) cross-site scripting vulnerability in LogLevelServlet
[
https://issues.apache.org/jira/browse/SENTRY-2120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16319568#comment-16319568
]
Hadoop QA commented on SENTRY-2120:
---
Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12905360/SENTRY-2120.001.patch
against master.
{color:red}Overall:{color} -1 due to 2 errors
{color:red}ERROR:{color} mvn test exited 1
{color:red}ERROR:{color} Failed:
org.apache.sentry.tests.e2e.metastore.TestAuthorizingObjectStore
Console output:
https://builds.apache.org/job/PreCommit-SENTRY-Build/3615/console
This message is automatically generated.
> cross-site scripting vulnerability in LogLevelServlet
> -
>
> Key: SENTRY-2120
> URL: https://issues.apache.org/jira/browse/SENTRY-2120
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
>Affects Versions: 2.0.0, 2.1.0
>Reporter: Na Li
>Assignee: Na Li
> Labels: Fortify-Critical
> Attachments: SENTRY-2120.001.patch
>
>
> LogLevelServlet.java has the following code
> {code}
> public void doGet(HttpServletRequest request, HttpServletResponse response)
> throws ServletException, IOException {
> String logName = getParameter(request, "log");
> String level = getParameter(request, "level");
> response.setContentType("text/html;charset=utf-8");
> response.setStatus(HttpServletResponse.SC_OK);
> PrintWriter out = response.getWriter();
> if (logName != null) {
> Logger logInstance = LogManager.getLogger(logName);
> if (level == null) {
> out.write(String.format(FORMS_GET,
> escapeHtml(logName),
> logInstance.getEffectiveLevel().toString()));
> } else if (isLogLevelValid(level)) {
> logInstance.setLevel(Level.toLevel(level));
> out.write(String.format(FORMS_SET,
> escapeHtml(logName),
> level,
> level,
> logInstance.getEffectiveLevel().toString()));
> } else {
> response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid log
> level: " + level);
> return;
> }
> }
> out.write(FORMS_END);
> out.close();
> response.flushBuffer();
> }
> {code}
> As a result HTTP parameter is directly written to Servlet error page. Echoing
> this untrusted input allows for a reflected cross site scripting
> vulnerability. See http://en.wikipedia.org/wiki/Cross-site_scripting for more
> information.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Commented] (SENTRY-1819) HMSFollower and friends do not belong in sentry.service.thrift
[
https://issues.apache.org/jira/browse/SENTRY-1819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16319438#comment-16319438
]
Hadoop QA commented on SENTRY-1819:
---
Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12905339/SENTRY-1819.004.patch
against master.
{color:green}Overall:{color} +1 all checks pass
{color:green}SUCCESS:{color} all tests passed
Console output:
https://builds.apache.org/job/PreCommit-SENTRY-Build/3614/console
This message is automatically generated.
> HMSFollower and friends do not belong in sentry.service.thrift
> --
>
> Key: SENTRY-1819
> URL: https://issues.apache.org/jira/browse/SENTRY-1819
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
>Affects Versions: 2.0.0
>Reporter: Alexander Kolbasov
>Assignee: Xinran Tinney
>Priority: Minor
> Fix For: 2.1.0
>
> Attachments: SENTRY-1819.002.patch, SENTRY-1819.004.patch
>
>
> We have several important classes - e.g. HMSFollower, NotificationProcessor,
> CounterWait, LeaderStatusMonitor in the {{sentry.service.thrift}} package
> which is weird - they should be in {{provider.db.service.persistent}} instead.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Updated] (SENTRY-2120) cross-site scripting vulnerability in LogLevelServlet
[
https://issues.apache.org/jira/browse/SENTRY-2120?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Na Li updated SENTRY-2120:
--
Labels: Fortify-Critical (was: )
> cross-site scripting vulnerability in LogLevelServlet
> -
>
> Key: SENTRY-2120
> URL: https://issues.apache.org/jira/browse/SENTRY-2120
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
>Affects Versions: 2.0.0, 2.1.0
>Reporter: Na Li
>Assignee: Na Li
> Labels: Fortify-Critical
> Attachments: SENTRY-2120.001.patch
>
>
> LogLevelServlet.java has the following code
> {code}
> public void doGet(HttpServletRequest request, HttpServletResponse response)
> throws ServletException, IOException {
> String logName = getParameter(request, "log");
> String level = getParameter(request, "level");
> response.setContentType("text/html;charset=utf-8");
> response.setStatus(HttpServletResponse.SC_OK);
> PrintWriter out = response.getWriter();
> if (logName != null) {
> Logger logInstance = LogManager.getLogger(logName);
> if (level == null) {
> out.write(String.format(FORMS_GET,
> escapeHtml(logName),
> logInstance.getEffectiveLevel().toString()));
> } else if (isLogLevelValid(level)) {
> logInstance.setLevel(Level.toLevel(level));
> out.write(String.format(FORMS_SET,
> escapeHtml(logName),
> level,
> level,
> logInstance.getEffectiveLevel().toString()));
> } else {
> response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid log
> level: " + level);
> return;
> }
> }
> out.write(FORMS_END);
> out.close();
> response.flushBuffer();
> }
> {code}
> As a result HTTP parameter is directly written to Servlet error page. Echoing
> this untrusted input allows for a reflected cross site scripting
> vulnerability. See http://en.wikipedia.org/wiki/Cross-site_scripting for more
> information.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Updated] (SENTRY-2120) cross-site scripting vulnerability in LogLevelServlet
[
https://issues.apache.org/jira/browse/SENTRY-2120?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Na Li updated SENTRY-2120:
--
Attachment: SENTRY-2120.001.patch
> cross-site scripting vulnerability in LogLevelServlet
> -
>
> Key: SENTRY-2120
> URL: https://issues.apache.org/jira/browse/SENTRY-2120
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
>Affects Versions: 2.0.0, 2.1.0
>Reporter: Na Li
>Assignee: Na Li
> Attachments: SENTRY-2120.001.patch
>
>
> LogLevelServlet.java has the following code
> {code}
> public void doGet(HttpServletRequest request, HttpServletResponse response)
> throws ServletException, IOException {
> String logName = getParameter(request, "log");
> String level = getParameter(request, "level");
> response.setContentType("text/html;charset=utf-8");
> response.setStatus(HttpServletResponse.SC_OK);
> PrintWriter out = response.getWriter();
> if (logName != null) {
> Logger logInstance = LogManager.getLogger(logName);
> if (level == null) {
> out.write(String.format(FORMS_GET,
> escapeHtml(logName),
> logInstance.getEffectiveLevel().toString()));
> } else if (isLogLevelValid(level)) {
> logInstance.setLevel(Level.toLevel(level));
> out.write(String.format(FORMS_SET,
> escapeHtml(logName),
> level,
> level,
> logInstance.getEffectiveLevel().toString()));
> } else {
> response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid log
> level: " + level);
> return;
> }
> }
> out.write(FORMS_END);
> out.close();
> response.flushBuffer();
> }
> {code}
> As a result HTTP parameter is directly written to Servlet error page. Echoing
> this untrusted input allows for a reflected cross site scripting
> vulnerability. See http://en.wikipedia.org/wiki/Cross-site_scripting for more
> information.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Updated] (SENTRY-2120) cross-site scripting vulnerability in LogLevelServlet
[
https://issues.apache.org/jira/browse/SENTRY-2120?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Na Li updated SENTRY-2120:
--
Status: Patch Available (was: Open)
> cross-site scripting vulnerability in LogLevelServlet
> -
>
> Key: SENTRY-2120
> URL: https://issues.apache.org/jira/browse/SENTRY-2120
> Project: Sentry
> Issue Type: Bug
> Components: Sentry
>Affects Versions: 2.0.0, 2.1.0
>Reporter: Na Li
>Assignee: Na Li
> Attachments: SENTRY-2120.001.patch
>
>
> LogLevelServlet.java has the following code
> {code}
> public void doGet(HttpServletRequest request, HttpServletResponse response)
> throws ServletException, IOException {
> String logName = getParameter(request, "log");
> String level = getParameter(request, "level");
> response.setContentType("text/html;charset=utf-8");
> response.setStatus(HttpServletResponse.SC_OK);
> PrintWriter out = response.getWriter();
> if (logName != null) {
> Logger logInstance = LogManager.getLogger(logName);
> if (level == null) {
> out.write(String.format(FORMS_GET,
> escapeHtml(logName),
> logInstance.getEffectiveLevel().toString()));
> } else if (isLogLevelValid(level)) {
> logInstance.setLevel(Level.toLevel(level));
> out.write(String.format(FORMS_SET,
> escapeHtml(logName),
> level,
> level,
> logInstance.getEffectiveLevel().toString()));
> } else {
> response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid log
> level: " + level);
> return;
> }
> }
> out.write(FORMS_END);
> out.close();
> response.flushBuffer();
> }
> {code}
> As a result HTTP parameter is directly written to Servlet error page. Echoing
> this untrusted input allows for a reflected cross site scripting
> vulnerability. See http://en.wikipedia.org/wiki/Cross-site_scripting for more
> information.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Created] (SENTRY-2120) cross-site scripting vulnerability in LogLevelServlet
Na Li created SENTRY-2120:
-
Summary: cross-site scripting vulnerability in LogLevelServlet
Key: SENTRY-2120
URL: https://issues.apache.org/jira/browse/SENTRY-2120
Project: Sentry
Issue Type: Bug
Components: Sentry
Affects Versions: 2.0.0, 2.1.0
Reporter: Na Li
Assignee: Na Li
LogLevelServlet.java has the following code
{code}
public void doGet(HttpServletRequest request, HttpServletResponse response)
throws ServletException, IOException {
String logName = getParameter(request, "log");
String level = getParameter(request, "level");
response.setContentType("text/html;charset=utf-8");
response.setStatus(HttpServletResponse.SC_OK);
PrintWriter out = response.getWriter();
if (logName != null) {
Logger logInstance = LogManager.getLogger(logName);
if (level == null) {
out.write(String.format(FORMS_GET,
escapeHtml(logName),
logInstance.getEffectiveLevel().toString()));
} else if (isLogLevelValid(level)) {
logInstance.setLevel(Level.toLevel(level));
out.write(String.format(FORMS_SET,
escapeHtml(logName),
level,
level,
logInstance.getEffectiveLevel().toString()));
} else {
response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid log
level: " + level);
return;
}
}
out.write(FORMS_END);
out.close();
response.flushBuffer();
}
{code}
As a result HTTP parameter is directly written to Servlet error page. Echoing
this untrusted input allows for a reflected cross site scripting vulnerability.
See http://en.wikipedia.org/wiki/Cross-site_scripting for more information.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Resolved] (SENTRY-2118) Document Configuration required to make Column authentication work
[ https://issues.apache.org/jira/browse/SENTRY-2118?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Na Li resolved SENTRY-2118. --- Resolution: Fixed The description is at https://cwiki.apache.org/confluence/display/SENTRY/Sentry+Column+Access+Control+Configuration > Document Configuration required to make Column authentication work > -- > > Key: SENTRY-2118 > URL: https://issues.apache.org/jira/browse/SENTRY-2118 > Project: Sentry > Issue Type: Task > Components: Sentry >Affects Versions: 2.1.0 >Reporter: Na Li >Assignee: Na Li > > Sentry 2.0 and above is working with newer Hive version, and the > configuration > HiveConf.HIVE_STATS_COLLECT_SCANCOLS must be set true in order for Hive to > set column info into input for sentry. > Without this setting, authorization for column is broken. > We need to document this info. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
[jira] [Commented] (SENTRY-2119) HMSFollower may not fetch HMS notifications which are out of order
[ https://issues.apache.org/jira/browse/SENTRY-2119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16318710#comment-16318710 ] kalyan kumar kalvagadda commented on SENTRY-2119: - [~spena][~arjunmishra13][~lina.li] FYI > HMSFollower may not fetch HMS notifications which are out of order > -- > > Key: SENTRY-2119 > URL: https://issues.apache.org/jira/browse/SENTRY-2119 > Project: Sentry > Issue Type: Bug > Components: Sentry >Affects Versions: 2.1.0 >Reporter: kalyan kumar kalvagadda >Assignee: kalyan kumar kalvagadda > > With the current implementation of HMS and HMS-HA notifications inserted in > NOTIFICATION_LOG table can be out of order. That means, notifications with > smaller event-id's can be inserted into the table later and there is not > clear understanding on on the time difference between them. > When this happens HMSFollower will not be able to fetch these notifications. -- This message was sent by Atlassian JIRA (v6.4.14#64029)
