Posted to commits@zeppelin.apache.org by pr...@apache.org on 2017/08/16 00:21:54 UTC

[2/7] zeppelin git commit: [ZEPPELIN-2461] Masking Jetty Server version with User-configurable parameter

[ZEPPELIN-2461] Masking Jetty Server version with User-configurable parameter

### What is this PR for?
Security-conscious organisations do not want to reveal the application server name and version, to prevent script kiddies from easily finding that information when fingerprinting the application. The exact version number can tell an attacker whether the current application server is patched for, or vulnerable to, certain publicly known CVEs associated with it.

### What type of PR is it?
[Improvement | Feature]

### What is the Jira issue?
* [ZEPPELIN-2461](https://issues.apache.org/jira/browse/ZEPPELIN-2461)

### How should this be tested?
Providing a value in zeppelin-site.xml will replace the actual Jetty server version found in HTTP Header with provided value. E.g.
 - edit zeppelin-site.xml and add a property `zeppelin.server.jetty.name` and with value say `TOMCAT`
 - restart the server
 - open the app in browser then observe the Response Headers for the key "Server"  this should now reflect "TOMCAT"

### Screenshots (if appropriate)

### Questions:
* Does the licenses files need update? N/A
* Is there breaking changes for older versions? N/A
* Does this needs documentation? N/A

Author: krishna-pandey <kr...@gmail.com>

Closes #2293 from krishna-pandey/ZEPPELIN-2461 and squashes the following commits:

b071f7ad0 [krishna-pandey] Set App Server name to config value


Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/5ead465e
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/5ead465e
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/5ead465e

Branch: refs/heads/branch-0.7
Commit: 5ead465e5e7d5226128c5e46517463aeabc17370
Parents: 556a211
Author: krishna-pandey <kr...@gmail.com>
Authored: Thu Apr 27 16:14:33 2017 +0530
Committer: Prabhjyot Singh <pr...@gmail.com>
Committed: Tue Aug 15 11:07:59 2017 -0700

----------------------------------------------------------------------
 conf/zeppelin-site.xml.template                              | 8 ++++++++
 .../main/java/org/apache/zeppelin/server/ZeppelinServer.java | 3 +++
 .../java/org/apache/zeppelin/conf/ZeppelinConfiguration.java | 7 ++++++-
 3 files changed, 17 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/zeppelin/blob/5ead465e/conf/zeppelin-site.xml.template
----------------------------------------------------------------------
diff --git a/conf/zeppelin-site.xml.template b/conf/zeppelin-site.xml.template
index 620f2be..85341c3 100755
--- a/conf/zeppelin-site.xml.template
+++ b/conf/zeppelin-site.xml.template
@@ -328,4 +328,12 @@
   <description>Enable directory listings on server.</description>
 </property>
 
+<!--
+<property>
+    <name>zeppelin.server.jetty.name</name>
+    <value>Jetty(7.6.0.v20120127)</value>
+    <description>Hardcoding Application Server name to Prevent Fingerprinting</description>
+</property>
+-->
+
 </configuration>
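Review bot: The commented-out example value `Jetty(7.6.0.v20120127)` on line 71 still names a concrete Jetty release, which works against the stated purpose of the property: anyone reading the header at face value will treat the server as that version, and the description text "Hardcoding Application Server name to Prevent Fingerprinting" does not say that the value is a replacement for the Server response header rather than a real version. A neutral token, e.g. `<value>Server</value>` (constructed example), serves the anti-fingerprinting goal better than a plausible-looking old version string. The description could also state that leaving the property commented out keeps Jetty's default header, which is the behaviour the ZeppelinServer change implements when the value is null.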

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/5ead465e/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
----------------------------------------------------------------------
diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java b/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
index abce92f..fdd2530 100644
--- a/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
@@ -187,6 +187,9 @@ public class ZeppelinServer extends Application {
     LOG.info("Starting zeppelin server");
     try {
       jettyWebServer.start(); //Instantiates ZeppelinServer
+      if (conf.getJettyName() != null) {
+        org.eclipse.jetty.http.HttpGenerator.setJettyVersion(conf.getJettyName());
+      }
     } catch (Exception e) {
       LOG.error("Error while running jettyServer", e);
       System.exit(-1);
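Review bot: `HttpGenerator.setJettyVersion(...)` on line 89 runs after `jettyWebServer.start()` on line 87, so the connector is already accepting requests while the Server header still carries the real version; the masking call belongs before `start()`, i.e. move lines 88-90 above line 87, with a comment such as `// Mask the Server header before the connector accepts requests (zeppelin.server.jetty.name)`. The configured value appears to be written into the response header as-is, so rejecting a value that contains `\r` or `\n` (and trimming surrounding whitespace) would keep a malformed zeppelin-site.xml entry from producing a malformed response header. If the goal is to not disclose the server at all, Jetty's `HttpConfiguration#setSendServerVersion(false)` drops the header instead of replacing it, which may be the simpler option to document alongside this property. The enclosing method starts and ends outside the hunk.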

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/5ead465e/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
----------------------------------------------------------------------
diff --git a/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java b/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
index cf2832f..97ad60d 100644
--- a/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
+++ b/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
@@ -475,6 +475,10 @@ public class ZeppelinConfiguration extends XMLConfiguration {
     return getString(ConfVars.ZEPPELIN_WEBSOCKET_MAX_TEXT_MESSAGE_SIZE);
   }
 
+  public String getJettyName() {
+    return getString(ConfVars.ZEPPELIN_SERVER_JETTY_NAME);
+  }
+
   public Map<String, String> dumpConfigurations(ZeppelinConfiguration conf,
                                                 ConfigurationKeyPredicate predicate) {
     Map<String, String> configurations = new HashMap<>();
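Review bot: `getJettyName()` on lines 105-107 has no Javadoc, yet its null return is the contract ZeppelinServer relies on to mean "leave Jetty's own Server header untouched"; a one-line Javadoc such as `/** Value of zeppelin.server.jetty.name, sent as the HTTP Server header, or null to keep Jetty's default version string. */` would make that explicit. The enum entry `ZEPPELIN_SERVER_JETTY_NAME("zeppelin.server.jetty.name", null)` in the second hunk appears to be the first ConfVars constant declared with a null default; whether the String constructor and `getString(ConfVars)` tolerate a null default rather than dereferencing it is not visible here and is worth confirming. The ConfVars enum continues outside the hunk.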
@@ -617,7 +621,8 @@ public class ZeppelinConfiguration extends XMLConfiguration {
     ZEPPELIN_ANONYMOUS_ALLOWED("zeppelin.anonymous.allowed", true),
     ZEPPELIN_CREDENTIALS_PERSIST("zeppelin.credentials.persist", true),
     ZEPPELIN_WEBSOCKET_MAX_TEXT_MESSAGE_SIZE("zeppelin.websocket.max.text.message.size", "1024000"),
-    ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED("zeppelin.server.default.dir.allowed", false);
+    ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED("zeppelin.server.default.dir.allowed", false),
+    ZEPPELIN_SERVER_JETTY_NAME("zeppelin.server.jetty.name", null);
 
     private String varName;
     @SuppressWarnings("rawtypes")