Posted to issues@mesos.apache.org by "Andrew Shahan (JIRA)" <ji...@apache.org> on 2017/11/07 21:49:00 UTC

[jira] [Updated] (MESOS-8182) Mesos endpoint handler allows for non-existent paths to resolve

     [ https://issues.apache.org/jira/browse/MESOS-8182?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrew Shahan updated MESOS-8182:
---------------------------------
    Description: 
I stumbled on something interesting and I want to make sure there is not a security implication. I can append anything to `/mesos/*/` endpoints and still have them resolve. The Mesos team suggested that this is something that should be addressed.

To reproduce:
1. Spin up a Mesos cluster, any environment is fine as this is a web UI issue.
2. Append `/mesos/slaves/<any string you want including /, and .>` to your Mesos master's address in the browser and it still resolves `/mesos/slaves`. The same applies to anything after `/mesos/state` and I would assume all the other Mesos endpoints following this URL pattern.

Example URLs that resolve when they probably should not:
https://<master-ip>/mesos/state/1/2/3/4/5/6/7/8/9
or https://<master-ip>/mesos/slaves/1/2/3/thisresolves/whenIt/should/not

Benno Evers from the Mesos team let me know this behavior is due to this section of code https://github.com/apache/mesos/blob/master/3rdparty/libprocess/src/process.cpp#L3953

Thanks and let me know if you need anything else from me.

  was:
I stumbled on something interesting and I want to make sure there is not a security implication. I can append anything to `/mesos/*/` endpoints and still have them resolve. The Mesos team suggested that this is something that should be addressed.

To reproduce:
1. Spin up a Mesos cluster, any environment is fine as this is a web UI issue.
2. Append `/mesos/slaves/<any string you want including /, and .>` to your Mesos master's address in the browser and it still resolves `/mesos/slaves`. The same applies to anything after `/mesos/state` and I would assume all the other Mesos endpoints following this URL pattern.

Example URLs that resolve when they probably should not:
https://<master-ip>/mesos/state/1/2/3/4/5/6/7/8/9
or https://<master-ip>/mesos/slaves/1/2/3/thisresolves/whenIt/should/not

Benno Evers from the Mesos team let me know this behavior is due to this section of code https://github.com/apache/mesos/blob/master/3rdparty/libprocess/src/process.cpp#L3966

Thanks and let me know if you need anything else from me.


> Mesos endpoint handler allows for non-existent paths to resolve
> ---------------------------------------------------------------
>
>                 Key: MESOS-8182
>                 URL: https://issues.apache.org/jira/browse/MESOS-8182
>             Project: Mesos
>          Issue Type: Bug
>          Components: webui
>    Affects Versions: 1.3.1, 1.4.0
>            Reporter: Andrew Shahan
>            Priority: Minor
>
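As an added illustration (not code from Mesos or libprocess), the two dispatch strategies at issue in this report modelled in a few lines of C++: a lenient matcher that strips trailing path segments until it reaches a registered endpoint, which is how the example URLs above end up resolving, next to a strict matcher that serves only exactly registered paths and rejects everything else. The route table and handler names are constructed for the example and are not libprocess identifiers.

```cpp
#include <iostream>
#include <map>
#include <string>

// Constructed route table using the two endpoints named in the report;
// the handler names are placeholders, not libprocess identifiers.
using Routes = std::map<std::string, std::string>;
static const Routes kRoutes = {
    {"/mesos/state",  "state_handler"},
    {"/mesos/slaves", "slaves_handler"},
};

// Lenient dispatch (models the reported behaviour): drop one trailing
// path segment at a time until a registered endpoint is found, so
// "/mesos/slaves/1/2/3" is served by the "/mesos/slaves" handler even
// though that longer path was never registered. Returns "" if nothing
// matches.
std::string resolveLenient(std::string path) {
  while (true) {
    auto it = kRoutes.find(path);
    if (it != kRoutes.end()) return it->second;
    auto slash = path.rfind('/');
    if (slash == std::string::npos || slash == 0) return "";
    path.erase(slash);  // retry with the parent path
  }
}

// Strict dispatch (the check a reviewer would want): only an exactly
// registered path, tolerating a single trailing '/', is served; any
// other suffix yields "" (a 404 in a real server).
std::string resolveStrict(std::string path) {
  if (path.size() > 1 && path.back() == '/') path.pop_back();
  auto it = kRoutes.find(path);
  return it == kRoutes.end() ? "" : it->second;
}

int main() {
  const char* urls[] = {
      "/mesos/state/1/2/3/4/5/6/7/8/9",
      "/mesos/slaves/1/2/3/thisresolves/whenIt/should/not",
      "/mesos/slaves",
  };
  for (const char* u : urls) {
    std::cout << u << "\n  lenient -> " << resolveLenient(u)
              << "\n  strict  -> " << resolveStrict(u) << "\n";
  }
  return 0;
}
```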



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)