Posted to yarn-issues@hadoop.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2021/09/30 08:50:00 UTC

[jira] [Updated] (YARN-10972) Remove stack traces from Jetty's response for Security Reasons

     [ https://issues.apache.org/jira/browse/YARN-10972?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

ASF GitHub Bot updated YARN-10972:
----------------------------------
    Labels: pull-request-available  (was: )

> Remove stack traces from Jetty's response for Security Reasons
> --------------------------------------------------------------
>
>                 Key: YARN-10972
>                 URL: https://issues.apache.org/jira/browse/YARN-10972
>             Project: Hadoop YARN
>          Issue Type: Improvement
>            Reporter: Tamas Domok
>            Assignee: Tamas Domok
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> *HttpServer2* uses the default error handler for Jetty which renders the stack-trace in the response's output. This is a potential security vulnerability.
>  
> The stack-trace could be disabled on normal log levels, e.g.:
> {code:java}
> webAppContext.getErrorHandler().setShowStacks(LOG.isTraceEnabled()); {code}
>  
> *Verbose Error Messages*
> During the test it was revealed that, in the case of some requests, the server
> throws an error exception. The exception message may contain a lot of
> detailed technical information, including filenames, absolute paths, but also
> libraries, classes and methods used. This information might be crucial in
> conducting other, critical attacks (like Arbitrary File Read, Code Execution or
> platform-specific attacks). Such detailed information should be available only to
> application developers and system administrators and should never be revealed to the end user.
> [https://cwe.mitre.org/data/definitions/209.html]
>  
> *Before:*
> {code:java}
> curl "http://localhost:8088/faces/javax.faces.resource/..\\WEB-INF/web.xml?user.name=tdomok"
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 500 java.lang.IllegalArgumentException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</title>
> </head>
> <body><h2>HTTP ERROR 500 java.lang.IllegalArgumentException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</h2>
> <table>
> <tr><th>URI:</th><td>/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr>
> <tr><th>STATUS:</th><td>500</td></tr>
> <tr><th>MESSAGE:</th><td>java.lang.IllegalArgumentException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr>
> <tr><th>SERVLET:</th><td>org.apache.hadoop.http.WebServlet-ccb4b1b</td></tr>
> <tr><th>CAUSED BY:</th><td>java.lang.IllegalArgumentException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr>
> <tr><th>CAUSED BY:</th><td>java.net.URISyntaxException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr>
> </table>
> <h3>Caused by:</h3><pre>java.lang.IllegalArgumentException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml
>     at java.net.URI.create(URI.java:852)
>     at javax.ws.rs.core.UriBuilder.fromUri(UriBuilder.java:95)
>     at com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:911)
>     at com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:875)
>     at org.apache.hadoop.yarn.server.resourcemanager.webapp.RMWebAppFilter.doFilter(RMWebAppFilter.java:180)
>     at com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:829)
>     at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)
>     at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:650)
>     at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:592)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.apache.hadoop.http.HttpServer2$QuotingInputFilter.doFilter(HttpServer2.java:1827)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.apache.hadoop.http.NoCacheFilter.doFilter(NoCacheFilter.java:45)
>     at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
>     at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
>     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434)
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
>     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
>     at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349)
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
>     at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
>     at org.eclipse.jetty.server.handler.StatisticsHandler.handle(StatisticsHandler.java:179)
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
>     at org.eclipse.jetty.server.Server.handle(Server.java:516)
>     at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388)
>     at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)
>     at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)
>     at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
>     at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
>     at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
>     at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
>     at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:137)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
>     at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
>     at java.lang.Thread.run(Thread.java:748)
> Caused by: java.net.URISyntaxException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml
>     at java.net.URI$Parser.fail(URI.java:2847)
>     at java.net.URI$Parser.checkChars(URI.java:3020)
>     at java.net.URI$Parser.parseHierarchical(URI.java:3104)
>     at java.net.URI$Parser.parse(URI.java:3052)
>     at java.net.URI.<init>(URI.java:588)
>     at java.net.URI.create(URI.java:850)
>     ... 51 more</pre>
> </body></html>{code}
>  
> *After:*
> {code:java}
> curl "http://localhost:8088/faces/javax.faces.resource/..\\WEB-INF/web.xml?user.name=tdomok"
> <html>
> <head>
> <meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
> <title>Error 500 java.lang.IllegalArgumentException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</title>
> </head>
> <body><h2>HTTP ERROR 500 java.lang.IllegalArgumentException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</h2>
> <table>
> <tr><th>URI:</th><td>/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr>
> <tr><th>STATUS:</th><td>500</td></tr>
> <tr><th>MESSAGE:</th><td>java.lang.IllegalArgumentException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr>
> <tr><th>SERVLET:</th><td>org.apache.hadoop.http.WebServlet-ccb4b1b</td></tr>
> <tr><th>CAUSED BY:</th><td>java.lang.IllegalArgumentException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr>
> <tr><th>CAUSED BY:</th><td>java.net.URISyntaxException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr>
> </table></body>
> </html> {code}
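The issue above gives the one-line fix (`setShowStacks(LOG.isTraceEnabled())`) but not the surrounding wiring. The following is an added example, not code from Hadoop's HttpServer2 or from the linked pull request: a minimal embedded Jetty 9.4 server with a servlet that fails the same way the issue describes (`URI.create` on a path containing a backslash), whose error handler only renders stack traces when logging is at its most verbose level. It assumes `jetty-server`, `jetty-servlet` and `javax.servlet-api` on the classpath; the class name, servlet name, port 8080 and the use of `java.util.logging` FINEST as the stand-in for TRACE are all constructed for the example, and `setShowMessageInTitle` is assumed to be available on Jetty 9.4's `ErrorHandler` alongside `setShowStacks`.

```java
// Added example (not Hadoop's or Jetty's own code): embedded Jetty 9.4 server whose
// ErrorHandler hides stack traces unless the logger is at its most verbose level.
// Assumed on the classpath: jetty-server, jetty-servlet, javax.servlet-api.
import java.io.IOException;
import java.net.URI;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.ErrorHandler;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;

public class QuietErrorHandlerDemo {
    private static final Logger LOG = Logger.getLogger(QuietErrorHandlerDemo.class.getName());

    /**
     * Reproduces the failure mode from the issue: URI.create rejects a backslash in the
     * path with IllegalArgumentException (wrapping URISyntaxException). Jetty's default
     * ErrorHandler would print the whole trace into the HTML body.
     */
    public static class FailingServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            // Constructed input for the demo; the exception propagates to the ErrorHandler.
            URI.create("http://localhost:8080/faces/..\\WEB-INF/web.xml");
            resp.setStatus(HttpServletResponse.SC_OK);
        }
    }

    /**
     * Error handler in the spirit of setShowStacks(LOG.isTraceEnabled()): the trace is
     * rendered only when the logger is at FINEST (the java.util.logging analogue of TRACE).
     * The exception message itself still appears in the page body, as the issue's
     * "After" output shows; only the <pre> stack block is suppressed.
     */
    static ErrorHandler quietErrorHandler() {
        ErrorHandler handler = new ErrorHandler();
        handler.setShowStacks(LOG.isLoggable(Level.FINEST));
        // Assumed Jetty 9.4 setter: keep the exception text out of the <title> as well.
        handler.setShowMessageInTitle(false);
        return handler;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server(8080); // constructed port; pick any free one
        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
        context.setContextPath("/");
        context.addServlet(new ServletHolder(new FailingServlet()), "/fail");
        // ContextHandler.setErrorHandler is the hook the issue's webAppContext.getErrorHandler() refers to.
        context.setErrorHandler(quietErrorHandler());
        server.setHandler(context);
        server.start();
        LOG.info("GET http://localhost:8080/fail returns a 500 page with no <pre> stack trace");
        server.join();
    }
}
```

Run it and request `/fail`: with the default logging level the 500 page carries the URI, status and message table but no `Caused by:` trace; raise the logger to FINEST and the trace reappears, which is the behaviour the issue proposes for HttpServer2.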



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-issues-unsubscribe@hadoop.apache.org
For additional commands, e-mail: yarn-issues-help@hadoop.apache.org