[jira] [Commented] (SENTRY-2120) cross-site scripting vulnerability in LogLevelServlet
[ https://issues.apache.org/jira/browse/SENTRY-2120?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16319568#comment-16319568 ]

Hadoop QA commented on SENTRY-2120:
-----------------------------------

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12905360/SENTRY-2120.001.patch against master.

{color:red}Overall:{color} -1 due to 2 errors

{color:red}ERROR:{color} mvn test exited 1
{color:red}ERROR:{color} Failed: org.apache.sentry.tests.e2e.metastore.TestAuthorizingObjectStore

Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/3615/console

This message is automatically generated.


> cross-site scripting vulnerability in LogLevelServlet
> -----------------------------------------------------
>
>                 Key: SENTRY-2120
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2120
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 2.0.0, 2.1.0
>            Reporter: Na Li
>            Assignee: Na Li
>              Labels: Fortify-Critical
>         Attachments: SENTRY-2120.001.patch
>
>
> LogLevelServlet.java has the following code
> {code}
> public void doGet(HttpServletRequest request, HttpServletResponse response)
>     throws ServletException, IOException {
>   String logName = getParameter(request, "log");
>   String level = getParameter(request, "level");
>   response.setContentType("text/html;charset=utf-8");
>   response.setStatus(HttpServletResponse.SC_OK);
>   PrintWriter out = response.getWriter();
>   if (logName != null) {
>     Logger logInstance = LogManager.getLogger(logName);
>     if (level == null) {
>       out.write(String.format(FORMS_GET,
>           escapeHtml(logName),
>           logInstance.getEffectiveLevel().toString()));
>     } else if (isLogLevelValid(level)) {
>       logInstance.setLevel(Level.toLevel(level));
>       out.write(String.format(FORMS_SET,
>           escapeHtml(logName),
>           level,
>           level,
>           logInstance.getEffectiveLevel().toString()));
>     } else {
>       response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid log level: " + level);
>       return;
>     }
>   }
>   out.write(FORMS_END);
>   out.close();
>   response.flushBuffer();
> }
> {code}
> As a result, the HTTP parameter is directly written to the Servlet error page. Echoing
> this untrusted input allows for a reflected cross-site scripting
> vulnerability. See http://en.wikipedia.org/wiki/Cross-site_scripting for more
> information.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
[jira] [Commented] (SENTRY-1819) HMSFollower and friends do not belong in sentry.service.thrift
[ https://issues.apache.org/jira/browse/SENTRY-1819?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16319438#comment-16319438 ]

Hadoop QA commented on SENTRY-1819:
-----------------------------------

Here are the results of testing the latest attachment
https://issues.apache.org/jira/secure/attachment/12905339/SENTRY-1819.004.patch against master.

{color:green}Overall:{color} +1 all checks pass

{color:green}SUCCESS:{color} all tests passed

Console output: https://builds.apache.org/job/PreCommit-SENTRY-Build/3614/console


> HMSFollower and friends do not belong in sentry.service.thrift
> --------------------------------------------------------------
>
>                 Key: SENTRY-1819
>                 URL: https://issues.apache.org/jira/browse/SENTRY-1819
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 2.0.0
>            Reporter: Alexander Kolbasov
>            Assignee: Xinran Tinney
>            Priority: Minor
>             Fix For: 2.1.0
>
>         Attachments: SENTRY-1819.002.patch, SENTRY-1819.004.patch
>
>
> We have several important classes - e.g. HMSFollower, NotificationProcessor,
> CounterWait, LeaderStatusMonitor - in the {{sentry.service.thrift}} package,
> which is weird; they should be in {{provider.db.service.persistent}} instead.
[jira] [Updated] (SENTRY-2120) cross-site scripting vulnerability in LogLevelServlet
[ https://issues.apache.org/jira/browse/SENTRY-2120?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Na Li updated SENTRY-2120:
--------------------------

    Labels: Fortify-Critical  (was: )

> cross-site scripting vulnerability in LogLevelServlet
> -----------------------------------------------------
>
>                 Key: SENTRY-2120
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2120
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 2.0.0, 2.1.0
>            Reporter: Na Li
>            Assignee: Na Li
>              Labels: Fortify-Critical
>         Attachments: SENTRY-2120.001.patch
>
>
> LogLevelServlet.java has the following code
> {code}
> public void doGet(HttpServletRequest request, HttpServletResponse response)
>     throws ServletException, IOException {
>   String logName = getParameter(request, "log");
>   String level = getParameter(request, "level");
>   response.setContentType("text/html;charset=utf-8");
>   response.setStatus(HttpServletResponse.SC_OK);
>   PrintWriter out = response.getWriter();
>   if (logName != null) {
>     Logger logInstance = LogManager.getLogger(logName);
>     if (level == null) {
>       out.write(String.format(FORMS_GET,
>           escapeHtml(logName),
>           logInstance.getEffectiveLevel().toString()));
>     } else if (isLogLevelValid(level)) {
>       logInstance.setLevel(Level.toLevel(level));
>       out.write(String.format(FORMS_SET,
>           escapeHtml(logName),
>           level,
>           level,
>           logInstance.getEffectiveLevel().toString()));
>     } else {
>       response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid log level: " + level);
>       return;
>     }
>   }
>   out.write(FORMS_END);
>   out.close();
>   response.flushBuffer();
> }
> {code}
> As a result, the HTTP parameter is directly written to the Servlet error page. Echoing
> this untrusted input allows for a reflected cross-site scripting
> vulnerability. See http://en.wikipedia.org/wiki/Cross-site_scripting for more
> information.
[jira] [Updated] (SENTRY-2120) cross-site scripting vulnerability in LogLevelServlet
[ https://issues.apache.org/jira/browse/SENTRY-2120?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Na Li updated SENTRY-2120:
--------------------------

    Attachment: SENTRY-2120.001.patch

> cross-site scripting vulnerability in LogLevelServlet
> -----------------------------------------------------
>
>                 Key: SENTRY-2120
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2120
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 2.0.0, 2.1.0
>            Reporter: Na Li
>            Assignee: Na Li
>         Attachments: SENTRY-2120.001.patch
>
>
> LogLevelServlet.java has the following code
> {code}
> public void doGet(HttpServletRequest request, HttpServletResponse response)
>     throws ServletException, IOException {
>   String logName = getParameter(request, "log");
>   String level = getParameter(request, "level");
>   response.setContentType("text/html;charset=utf-8");
>   response.setStatus(HttpServletResponse.SC_OK);
>   PrintWriter out = response.getWriter();
>   if (logName != null) {
>     Logger logInstance = LogManager.getLogger(logName);
>     if (level == null) {
>       out.write(String.format(FORMS_GET,
>           escapeHtml(logName),
>           logInstance.getEffectiveLevel().toString()));
>     } else if (isLogLevelValid(level)) {
>       logInstance.setLevel(Level.toLevel(level));
>       out.write(String.format(FORMS_SET,
>           escapeHtml(logName),
>           level,
>           level,
>           logInstance.getEffectiveLevel().toString()));
>     } else {
>       response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid log level: " + level);
>       return;
>     }
>   }
>   out.write(FORMS_END);
>   out.close();
>   response.flushBuffer();
> }
> {code}
> As a result, the HTTP parameter is directly written to the Servlet error page. Echoing
> this untrusted input allows for a reflected cross-site scripting
> vulnerability. See http://en.wikipedia.org/wiki/Cross-site_scripting for more
> information.
[jira] [Updated] (SENTRY-2120) cross-site scripting vulnerability in LogLevelServlet
[ https://issues.apache.org/jira/browse/SENTRY-2120?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Na Li updated SENTRY-2120:
--------------------------

    Status: Patch Available  (was: Open)

> cross-site scripting vulnerability in LogLevelServlet
> -----------------------------------------------------
>
>                 Key: SENTRY-2120
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2120
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 2.0.0, 2.1.0
>            Reporter: Na Li
>            Assignee: Na Li
>         Attachments: SENTRY-2120.001.patch
>
>
> LogLevelServlet.java has the following code
> {code}
> public void doGet(HttpServletRequest request, HttpServletResponse response)
>     throws ServletException, IOException {
>   String logName = getParameter(request, "log");
>   String level = getParameter(request, "level");
>   response.setContentType("text/html;charset=utf-8");
>   response.setStatus(HttpServletResponse.SC_OK);
>   PrintWriter out = response.getWriter();
>   if (logName != null) {
>     Logger logInstance = LogManager.getLogger(logName);
>     if (level == null) {
>       out.write(String.format(FORMS_GET,
>           escapeHtml(logName),
>           logInstance.getEffectiveLevel().toString()));
>     } else if (isLogLevelValid(level)) {
>       logInstance.setLevel(Level.toLevel(level));
>       out.write(String.format(FORMS_SET,
>           escapeHtml(logName),
>           level,
>           level,
>           logInstance.getEffectiveLevel().toString()));
>     } else {
>       response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid log level: " + level);
>       return;
>     }
>   }
>   out.write(FORMS_END);
>   out.close();
>   response.flushBuffer();
> }
> {code}
> As a result, the HTTP parameter is directly written to the Servlet error page. Echoing
> this untrusted input allows for a reflected cross-site scripting
> vulnerability. See http://en.wikipedia.org/wiki/Cross-site_scripting for more
> information.
[jira] [Created] (SENTRY-2120) cross-site scripting vulnerability in LogLevelServlet
Na Li created SENTRY-2120:
------------------------------

             Summary: cross-site scripting vulnerability in LogLevelServlet
                 Key: SENTRY-2120
                 URL: https://issues.apache.org/jira/browse/SENTRY-2120
             Project: Sentry
          Issue Type: Bug
          Components: Sentry
    Affects Versions: 2.0.0, 2.1.0
            Reporter: Na Li
            Assignee: Na Li


LogLevelServlet.java has the following code
{code}
public void doGet(HttpServletRequest request, HttpServletResponse response)
    throws ServletException, IOException {
  String logName = getParameter(request, "log");
  String level = getParameter(request, "level");
  response.setContentType("text/html;charset=utf-8");
  response.setStatus(HttpServletResponse.SC_OK);
  PrintWriter out = response.getWriter();
  if (logName != null) {
    Logger logInstance = LogManager.getLogger(logName);
    if (level == null) {
      out.write(String.format(FORMS_GET,
          escapeHtml(logName),
          logInstance.getEffectiveLevel().toString()));
    } else if (isLogLevelValid(level)) {
      logInstance.setLevel(Level.toLevel(level));
      out.write(String.format(FORMS_SET,
          escapeHtml(logName),
          level,
          level,
          logInstance.getEffectiveLevel().toString()));
    } else {
      response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid log level: " + level);
      return;
    }
  }
  out.write(FORMS_END);
  out.close();
  response.flushBuffer();
}
{code}
As a result, the HTTP parameter is directly written to the Servlet error page. Echoing
this untrusted input allows for a reflected cross-site scripting
vulnerability. See http://en.wikipedia.org/wiki/Cross-site_scripting for more
information.
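The error branch in the quoted doGet concatenates the raw "level" parameter into the sendError message, and a servlet container may render that message into an HTML error page, which is the reflection point the report describes. The following is an added example, not Sentry code and not the patch attached to this issue: it isolates the message construction and shows the unsafe form beside a hardened one that HTML-escapes the value before it can reach the error page. The escapeHtml and isLogLevelValid methods here are small stand-ins written for this example and are assumed to behave like the helpers the servlet already uses on logName.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Added example (not Sentry project code): building the "invalid level" error
 * message so that an untrusted request parameter cannot inject markup.
 */
public class LogLevelErrorEscaping {

    // Hypothetical allow-list standing in for the servlet's isLogLevelValid.
    private static final Set<String> VALID_LEVELS = new HashSet<>(Arrays.asList(
        "ALL", "TRACE", "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "OFF"));

    static boolean isLogLevelValid(String level) {
        return level != null && VALID_LEVELS.contains(level.toUpperCase());
    }

    /** Minimal HTML escaper (stand-in for the escapeHtml helper used on logName). */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Unsafe form, as in the reported code: the raw parameter goes into the error body. */
    static String unsafeErrorMessage(String level) {
        return "Invalid log level: " + level;
    }

    /** Hardened form: escape the value before it is handed to sendError. */
    static String safeErrorMessage(String level) {
        return "Invalid log level: " + escapeHtml(level);
    }

    public static void main(String[] args) {
        // Constructed input containing markup characters, to show the difference.
        String level = "<i>bogus</i>";
        if (!isLogLevelValid(level)) {
            System.out.println("unsafe: " + unsafeErrorMessage(level));
            System.out.println("safe:   " + safeErrorMessage(level));
        }
    }
}
```

In the servlet itself the hardened call would be response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Invalid log level: " + escapeHtml(level)), or simply a fixed message that does not echo the parameter at all. Note that the same "level" value is written unescaped into FORMS_SET in the success branch; that path is safe only because isLogLevelValid restricts the value to a known set of level names first, so any change to that allow-list must keep the success branch in mind as well.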
[jira] [Resolved] (SENTRY-2118) Document Configuration required to make Column authentication work
[ https://issues.apache.org/jira/browse/SENTRY-2118?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Na Li resolved SENTRY-2118.
---------------------------

    Resolution: Fixed

The description is at https://cwiki.apache.org/confluence/display/SENTRY/Sentry+Column+Access+Control+Configuration

> Document Configuration required to make Column authentication work
> ------------------------------------------------------------------
>
>                 Key: SENTRY-2118
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2118
>             Project: Sentry
>          Issue Type: Task
>          Components: Sentry
>    Affects Versions: 2.1.0
>            Reporter: Na Li
>            Assignee: Na Li
>
> Sentry 2.0 and above works with a newer Hive version, and the configuration
> HiveConf.HIVE_STATS_COLLECT_SCANCOLS must be set to true in order for Hive to
> set column info into the input for Sentry.
> Without this setting, authorization for columns is broken.
> We need to document this info.
[jira] [Commented] (SENTRY-2119) HMSFollower may not fetch HMS notifications which are out of order
[ https://issues.apache.org/jira/browse/SENTRY-2119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16318710#comment-16318710 ]

kalyan kumar kalvagadda commented on SENTRY-2119:
-------------------------------------------------

[~spena] [~arjunmishra13] [~lina.li] FYI

> HMSFollower may not fetch HMS notifications which are out of order
> ------------------------------------------------------------------
>
>                 Key: SENTRY-2119
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2119
>             Project: Sentry
>          Issue Type: Bug
>          Components: Sentry
>    Affects Versions: 2.1.0
>            Reporter: kalyan kumar kalvagadda
>            Assignee: kalyan kumar kalvagadda
>
> With the current implementation of HMS and HMS-HA, notifications inserted in the
> NOTIFICATION_LOG table can be out of order. That means notifications with
> smaller event-ids can be inserted into the table later, and there is no
> clear understanding of the time difference between them.
> When this happens, HMSFollower will not be able to fetch these notifications.