Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2020/09/11 23:35:48 UTC

[GitHub] [druid] a2l007 opened a new pull request #9832: Add option to toggle sending server version in response headers

a2l007 opened a new pull request #9832:
URL: https://github.com/apache/druid/pull/9832


   ### Description
   
   This adds a new server configuration which can be used to toggle the Jetty behavior of sending server version information as part of the response headers.
   Presently, response headers from Druid would look like this:
   
   ```
   Content-Encoding | gzip
   Content-Type | application/json
   Date | Wed, 06 May 2020 15:36:16 GMT
   Server | Jetty(9.4.10.v20180503)
   Transfer-Encoding | chunked
   Vary | Accept-Encoding, User-Agent
   ```
   
   Visibility of server version in response headers as above can be seen as a security issue as it could potentially allow an attacker to use version specific exploits, once the server version is identified using banner grabbing or active reconnaissance techniques.
   The new flag being introduced is `druid.server.http.sendServerVersion` and it is defaulted to `true` to preserve existing behavior.
   
   <hr>
   
   This PR has:
   - [x] been self-reviewed.
   - [x] added documentation for new or modified features or behaviors.
   - [x] added unit tests or modified existing tests to cover new code paths.
   - [x] been tested in a test Druid cluster.
   
   
   <hr>
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org


[GitHub] [druid] a2l007 commented on pull request #9832: Disable sending server version in response headers

Posted by GitBox <gi...@apache.org>.
a2l007 commented on pull request #9832:
URL: https://github.com/apache/druid/pull/9832#issuecomment-692057094


   Yeah makes sense. I've removed the config and related changes.




[GitHub] [druid] jihoonson commented on pull request #9832: Add option to toggle sending server version in response headers

Posted by GitBox <gi...@apache.org>.
jihoonson commented on pull request #9832:
URL: https://github.com/apache/druid/pull/9832#issuecomment-691354899


   Sorry I completely forgot about this PR. I think @himanshug's last comment makes sense. We can simply remove the header and call out in the release notes.







[GitHub] [druid] a2l007 commented on pull request #9832: Add option to toggle sending server version in response headers

Posted by GitBox <gi...@apache.org>.
a2l007 commented on pull request #9832:
URL: https://github.com/apache/druid/pull/9832#issuecomment-639190879


   > Considering Druid is open source, an attacker can already see/find out the Jetty version used, so it wouldn't really matter if that information is included in the response header or not.
   
   That may be true, but we could still do our part in hiding this information :)
   
   
   > If a particular Jetty version has a vulnerability then we should try to upgrade Jetty itself to prevent an attacker from exploiting that. Or did this change originate from another reason?
   
   But these Jetty upgrades are only fixed in the latest version and customers on older releases can still be exposed to these vulnerabilities. Security is the main reason that prompted this change, as this was flagged as an issue from a couple of our internal security reviews.




[GitHub] [druid] hgupta-splunk commented on pull request #9832: Add option to toggle sending server version in response headers

Posted by GitBox <gi...@apache.org>.
hgupta-splunk commented on pull request #9832:
URL: https://github.com/apache/druid/pull/9832#issuecomment-639173523


   Considering Druid is open source, an attacker can anyway see/find out what version of Jetty is being used, whether or not that information is present in the response header.
   
   If a particular version of Jetty has a vulnerability then we should upgrade Jetty to a more secure version to prevent an attacker from exploiting that. Or did this patch originate for some other reason?
   
   




[GitHub] [druid] hgupta-splunk removed a comment on pull request #9832: Add option to toggle sending server version in response headers

Posted by GitBox <gi...@apache.org>.
hgupta-splunk removed a comment on pull request #9832:
URL: https://github.com/apache/druid/pull/9832#issuecomment-639173523


   Considering Druid is open source, an attacker can anyway see/find out what version of Jetty is being used, whether or not that information is present in the response header.
   
   If a particular version of Jetty has a vulnerability then we should upgrade Jetty to a more secure version to prevent an attacker from exploiting that. Or did this patch originate for some other reason?
   
   




[GitHub] [druid] stale[bot] commented on pull request #9832: Add option to toggle sending server version in response headers

Posted by GitBox <gi...@apache.org>.
stale[bot] commented on pull request #9832:
URL: https://github.com/apache/druid/pull/9832#issuecomment-687656988


   This pull request/issue has been closed due to lack of activity. If you think that is incorrect, or the pull request requires review, you can revive the PR at any time.
   





[GitHub] [druid] himanshug commented on pull request #9832: Add option to toggle sending server version in response headers

Posted by GitBox <gi...@apache.org>.
himanshug commented on pull request #9832:
URL: https://github.com/apache/druid/pull/9832#issuecomment-691251093


   @a2l007 I would be OK just removing the header and no config; if you make that change I can merge it. We can mention it in the release notes, but I hardly think anyone would be depending on the existence of that header.




[GitHub] [druid] stale[bot] commented on pull request #9832: Add option to toggle sending server version in response headers

Posted by GitBox <gi...@apache.org>.
stale[bot] commented on pull request #9832:
URL: https://github.com/apache/druid/pull/9832#issuecomment-691354626


   This pull request/issue is no longer marked as stale.
   




[GitHub] [druid] himanshug merged pull request #9832: Disable sending server version in response headers

Posted by GitBox <gi...@apache.org>.
himanshug merged pull request #9832:
URL: https://github.com/apache/druid/pull/9832


   




[GitHub] [druid] stale[bot] commented on pull request #9832: Add option to toggle sending server version in response headers

Posted by GitBox <gi...@apache.org>.
stale[bot] commented on pull request #9832:
URL: https://github.com/apache/druid/pull/9832#issuecomment-670835127


   This pull request has been marked as stale due to 60 days of inactivity. It will be closed in 4 weeks if no further activity occurs. If you think that's incorrect or this pull request should instead be reviewed, please simply write any comment. Even if closed, you can still revive the PR at any time or discuss it on the dev@druid.apache.org list. Thank you for your contributions.
   




[GitHub] [druid] himanshug commented on pull request #9832: Add option to toggle sending server version in response headers

Posted by GitBox <gi...@apache.org>.
himanshug commented on pull request #9832:
URL: https://github.com/apache/druid/pull/9832#issuecomment-639193923


   > But these Jetty upgrades are only fixed in the latest version and customers on older releases can still be exposed to these vulnerabilities.
   
   The change here is only giving the user a false sense of security; the real and only fix in that situation to prevent an attack would be to upgrade to a version of Druid that has a sufficiently updated Jetty version, or else the "prevention" here is not gonna prevent anything but only make the "security review" happy.
   
   However, I understand this change could be considered something that makes the attacker's life a teeny tiny bit more difficult, so still LGTM.
   
   Personally, I am not sure why we would wanna include it in the header ever and introduce yet another configuration that no one needs. Can we just remove that config and make Druid never send the Jetty version in the header? I will let other reviewers weigh in on that.
   
   





[GitHub] [druid] stale[bot] closed pull request #9832: Add option to toggle sending server version in response headers

Posted by GitBox <gi...@apache.org>.
stale[bot] closed pull request #9832:
URL: https://github.com/apache/druid/pull/9832


   




[GitHub] [druid] a2l007 commented on pull request #9832: Add option to toggle sending server version in response headers

Posted by GitBox <gi...@apache.org>.
a2l007 commented on pull request #9832:
URL: https://github.com/apache/druid/pull/9832#issuecomment-639081472


   Could you please review this? @jon-wei @himanshug 




[GitHub] [druid] himanshug commented on pull request #9832: Add option to toggle sending server version in response headers

Posted by GitBox <gi...@apache.org>.
himanshug commented on pull request #9832:
URL: https://github.com/apache/druid/pull/9832#issuecomment-639178915


   Considering Druid is open source, an attacker can already see/find out the Jetty version used, so it wouldn't really matter if that information is included in the response header or not.
   
   If a particular Jetty version has a vulnerability then we should try to upgrade Jetty itself to prevent an attacker from exploiting that. Or did this change originate from another reason?



