Posted to issues@hbase.apache.org by "Sean Mackrory (JIRA)" <ji...@apache.org> on 2016/06/02 20:29:59 UTC

[jira] [Updated] (HBASE-15946) Eliminate possible security concerns in RS web UI's store file metrics

     [ https://issues.apache.org/jira/browse/HBASE-15946?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sean Mackrory updated HBASE-15946:
----------------------------------
    Attachment: HBASE-15946-v1.patch

I want to do a bit more testing on this patch and clean up a few things, but here's the basic idea.

This adds a couple of things to the public interface of HFilePrettyPrinter to make it usable directly from storeFile.jsp. It also validates that the file is in HBase's root dir, which brings with it some caveats I want to make sure are safe:
* It can be a fully qualified URL (e.g. hdfs://namenode:8020/hbase), relative to the filesystem in hbase.rootdir or fs.defaultFS. This is how the RS Web UI will pass it in. If we need to tolerate different hostnames or addresses that would resolve to the same filesystem, this validation needs to get a lot more complex.
* It can be an absolute path in the same filesystem. This makes more sense for CLI usage.
* It can't be a relative URL. I can't think of how this could reasonably end up getting provided. If it would be relative to the hbase rootdir, we can easily verify that the file is there. If it would be relative to something else, that would need to be handled.

Also need to be careful here about cases where /hbase is the root but /hbaseXYZ exists, since I'm just appending strings and checking that the beginning is the same. If the relative path XYZ was provided, the string would indeed begin with HBase root.



> Eliminate possible security concerns in RS web UI's store file metrics
> ----------------------------------------------------------------------
>
>                 Key: HBASE-15946
>                 URL: https://issues.apache.org/jira/browse/HBASE-15946
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Sean Mackrory
>            Assignee: Mikhail Antonov
>         Attachments: HBASE-15946-v1.patch
>
>
> More from static code analysis: it warns about the invoking of a separate command ("hbase hfile -s -f ...") as a possible security issue in hbase-server/src/main/resources/hbase-webapps/regionserver/storeFile.jsp.
> It looks to me like one cannot inject arbitrary shell script or even arbitrary arguments: ProcessBuilder makes that fairly safe and only allows the user to specify the argument that comes after -f. However that does potentially allow them to have the daemon's user access files they shouldn't be able to touch, albeit only for reading.
> To more explicitly eliminate any threats here, we should add some validation that the file is at least within HBase's root directory and use the Java API directly instead of invoking a separate executable.



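The containment check discussed in the comment above, as an added example that is not taken from HBASE-15946-v1.patch or from HBase: it compares whole path components instead of string prefixes, so /hbaseXYZ does not pass for a root of /hbase. It assumes a fully qualified root and uses only java.net.URI rather than Hadoop's Path; the class name, method name and sample paths are constructed for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Objects;

public class RootDirCheck {
    /** True only if candidate names a path strictly below root on the same filesystem. */
    static boolean isUnderRoot(URI root, String candidate) {
        URI c;
        try {
            c = new URI(candidate).normalize();   // collapses "a/../b" segments
        } catch (URISyntaxException e) {
            return false;
        }
        String path = c.getPath();                // percent-decoded; null for opaque URIs
        if (path == null || !path.startsWith("/")) {
            return false;                         // relative paths are rejected outright
        }
        if (c.getScheme() != null || c.getAuthority() != null) {
            // Fully qualified: scheme and authority must match the root exactly.
            // Other hostnames that resolve to the same filesystem are not tolerated.
            if (!root.getScheme().equalsIgnoreCase(c.getScheme())
                    || !Objects.equals(root.getAuthority(), c.getAuthority())) {
                return false;
            }
        }
        for (String segment : path.split("/")) {
            if (segment.equals("..") || segment.equals(".")) {
                return false;                     // leftover or percent-encoded dot segments
            }
        }
        // Compare against root + "/" so that /hbaseXYZ is not treated as inside /hbase.
        String rootPath = root.normalize().getPath().replaceAll("/+$", "");
        return path.startsWith(rootPath + "/") && path.length() > rootPath.length() + 1;
    }

    public static void main(String[] args) {
        URI root = URI.create("hdfs://namenode:8020/hbase"); // root from the example URL above
        String[] constructed = {                             // constructed sample inputs
            "hdfs://namenode:8020/hbase/data/default/t1/r1/cf/f1",
            "/hbase/data/default/t1/r1/cf/f1",
            "/hbaseXYZ/secret",
            "XYZ/secret",
            "/hbase/../etc/passwd",
            "/hbase/%2e%2e/etc/passwd",
            "hdfs://other:8020/hbase/data/f1",
        };
        for (String s : constructed) {
            System.out.println(isUnderRoot(root, s) + "  " + s);
        }
    }
}
```

Only the first two inputs are accepted; the sibling-directory, relative, dot-segment, percent-encoded and foreign-authority cases are all rejected.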