Posted to commits@zeppelin.apache.org by pr...@apache.org on 2017/08/16 00:21:53 UTC

[1/7] zeppelin git commit: [ZEPPELIN-2014] Jetty Directory Listing on app, assets, components, and scripts

Repository: zeppelin
Updated Branches:
  refs/heads/branch-0.7 5f308547c -> d0ee507bc


[ZEPPELIN-2014] Jetty Directory Listing on app, assets, components, and scripts

### What is this PR for?
Added property for enable/disable public access to directories on server from Web

### What type of PR is it?
[Bug Fix]

### What is the Jira issue?
https://issues.apache.org/jira/browse/ZEPPELIN-2014

### How should this be tested?
Run the application and try to get the list of files in the app directory from the web.
You will see a response with code 403. Previously, all files in the directory were listed.
Change property "zeppelin.server.default.dir.allowed" to true and restart server.
Try again, all files should be visible.

### Questions:
* Does the licenses files need update? No
* Is there breaking changes for older versions? No
* Does this needs documentation? Yes

Author: Viktor Boginskii <Vi...@epam.com>

Closes #1962 from vboginskii/ZEPPELIN-2014 and squashes the following commits:

c06ec30 [Viktor Boginskii] [ZEPPELIN-2014] Added property for control public access to directories on server.


Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/556a211d
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/556a211d
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/556a211d

Branch: refs/heads/branch-0.7
Commit: 556a211dba41af7f29485120f48e27510f87a931
Parents: 5f30854
Author: Viktor Boginskii <Vi...@epam.com>
Authored: Mon Jan 30 19:15:27 2017 +0200
Committer: Prabhjyot Singh <pr...@gmail.com>
Committed: Tue Aug 15 11:07:12 2017 -0700

----------------------------------------------------------------------
 conf/zeppelin-site.xml.template                 |  6 ++
 docs/install/configuration.md                   |  6 ++
 .../apache/zeppelin/server/ZeppelinServer.java  |  3 +
 .../apache/zeppelin/security/DirAccessTest.java | 59 ++++++++++++++++++++
 .../zeppelin/conf/ZeppelinConfiguration.java    |  3 +-
 5 files changed, 76 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/zeppelin/blob/556a211d/conf/zeppelin-site.xml.template
----------------------------------------------------------------------
diff --git a/conf/zeppelin-site.xml.template b/conf/zeppelin-site.xml.template
index 2efe796..620f2be 100755
--- a/conf/zeppelin-site.xml.template
+++ b/conf/zeppelin-site.xml.template
@@ -322,4 +322,10 @@
   <description>Size in characters of the maximum text message to be received by websocket. Defaults to 1024000</description>
 </property>
 
+<property>
+  <name>zeppelin.server.default.dir.allowed</name>
+  <value>false</value>
+  <description>Enable directory listings on server.</description>
+</property>
+
 </configuration>

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/556a211d/docs/install/configuration.md
----------------------------------------------------------------------
diff --git a/docs/install/configuration.md b/docs/install/configuration.md
index f3ec5a6..81f2730 100644
--- a/docs/install/configuration.md
+++ b/docs/install/configuration.md
@@ -280,6 +280,12 @@ If both are defined, then the **environment variables** will take priority.
     <td>1024000</td>
     <td>Size (in characters) of the maximum text message that can be received by websocket.</td>
   </tr>
+  <tr>
+    <td>ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED</td>
+    <td>zeppelin.server.default.dir.allowed</td>
+    <td>false</td>
+    <td>Enable directory listings on server.</td>
+  </tr>
 </table>
 
 

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/556a211d/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
----------------------------------------------------------------------
diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java b/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
index ac58843..abce92f 100644
--- a/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
@@ -350,6 +350,9 @@ public class ZeppelinServer extends Application {
     webApp.addFilter(new FilterHolder(CorsFilter.class), "/*",
         EnumSet.allOf(DispatcherType.class));
 
+    webApp.setInitParameter("org.eclipse.jetty.servlet.Default.dirAllowed",
+            Boolean.toString(conf.getBoolean(ConfVars.ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED)));
+
     return webApp;
 
   }
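Review bot: The init-parameter name on the added `webApp.setInitParameter(...)` line is a bare Jetty-specific string with no explanation of why a context init-param controls listings, which the next maintainer will need when upgrading Jetty. A short comment above it would do: `// Jetty's DefaultServlet reads its settings from context init-params prefixed "org.eclipse.jetty.servlet.Default."; dirAllowed=false makes a request for a directory without an index answer 403 instead of a file listing`. The enclosing method starts outside the hunk, so whether `conf` is a field or a local cannot be confirmed from here.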

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/556a211d/zeppelin-server/src/test/java/org/apache/zeppelin/security/DirAccessTest.java
----------------------------------------------------------------------
diff --git a/zeppelin-server/src/test/java/org/apache/zeppelin/security/DirAccessTest.java b/zeppelin-server/src/test/java/org/apache/zeppelin/security/DirAccessTest.java
new file mode 100644
index 0000000..820d0ba
--- /dev/null
+++ b/zeppelin-server/src/test/java/org/apache/zeppelin/security/DirAccessTest.java
@@ -0,0 +1,59 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.zeppelin.security;
+
+import org.apache.commons.httpclient.HttpClient;
+import org.apache.commons.httpclient.HttpStatus;
+import org.apache.commons.httpclient.methods.GetMethod;
+import org.apache.zeppelin.conf.ZeppelinConfiguration;
+import org.apache.zeppelin.rest.AbstractTestRestApi;
+import org.junit.Test;
+
+public class DirAccessTest extends AbstractTestRestApi {
+
+  @Test
+  public void testDirAccessForbidden() throws Exception {
+    System.setProperty(ZeppelinConfiguration.ConfVars.ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED.getVarName(), "false");
+    AbstractTestRestApi.startUpWithAuthenticationEnable();
+    HttpClient httpClient = new HttpClient();
+    GetMethod getMethod = new GetMethod(getUrlToTest() + "/app/");
+    httpClient.executeMethod(getMethod);
+    AbstractTestRestApi.shutDown();
+    assert getMethod.getStatusCode() == HttpStatus.SC_FORBIDDEN;
+  }
+
+  @Test
+  public void testDirAccessOk() throws Exception {
+    System.setProperty(ZeppelinConfiguration.ConfVars.ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED.getVarName(), "true");
+    AbstractTestRestApi.startUpWithAuthenticationEnable();
+    HttpClient httpClient = new HttpClient();
+    GetMethod getMethod = new GetMethod(getUrlToTest() + "/app/");
+    httpClient.executeMethod(getMethod);
+    AbstractTestRestApi.shutDown();
+    assert getMethod.getStatusCode() == HttpStatus.SC_OK;
+  }
+
+  protected static String getUrlToTest() {
+    String url = "http://localhost:8080";
+    if (System.getProperty("url") != null) {
+      url = System.getProperty("url");
+    }
+    return url;
+  }
+}
+
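Review bot: In both test methods `AbstractTestRestApi.shutDown()` runs only if `httpClient.executeMethod(getMethod)` returns normally, so a thrown I/O exception leaves the embedded server running and breaks every later test in the same JVM; the call belongs in a `finally`. The checks also use the bare `assert` keyword, which is a no-op unless the JVM runs with `-ea`, whereas `assertEquals` from `org.junit.Assert` fails reliably and prints both status codes. The `System.setProperty(...)` value is never cleared either, so `"true"` from testDirAccessOk can leak into unrelated test classes executed in the same fork. One method rewritten below; testDirAccessOk takes the same shape with `"true"` and `HttpStatus.SC_OK`, and the class needs `import static org.junit.Assert.assertEquals;`.
```java
  @Test
  public void testDirAccessForbidden() throws Exception {
    System.setProperty(ZeppelinConfiguration.ConfVars.ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED.getVarName(), "false");
    AbstractTestRestApi.startUpWithAuthenticationEnable();
    try {
      HttpClient httpClient = new HttpClient();
      GetMethod getMethod = new GetMethod(getUrlToTest() + "/app/");
      httpClient.executeMethod(getMethod);
      assertEquals(HttpStatus.SC_FORBIDDEN, getMethod.getStatusCode());
    } finally {
      // Always stop the server and undo the property so other tests start clean.
      AbstractTestRestApi.shutDown();
      System.clearProperty(ZeppelinConfiguration.ConfVars.ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED.getVarName());
    }
  }
  // … unchanged: testDirAccessOk and getUrlToTest …
```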

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/556a211d/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
----------------------------------------------------------------------
diff --git a/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java b/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
index 0c1b50b..cf2832f 100644
--- a/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
+++ b/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
@@ -616,7 +616,8 @@ public class ZeppelinConfiguration extends XMLConfiguration {
     ZEPPELIN_ALLOWED_ORIGINS("zeppelin.server.allowed.origins", "*"),
     ZEPPELIN_ANONYMOUS_ALLOWED("zeppelin.anonymous.allowed", true),
     ZEPPELIN_CREDENTIALS_PERSIST("zeppelin.credentials.persist", true),
-    ZEPPELIN_WEBSOCKET_MAX_TEXT_MESSAGE_SIZE("zeppelin.websocket.max.text.message.size", "1024000");
+    ZEPPELIN_WEBSOCKET_MAX_TEXT_MESSAGE_SIZE("zeppelin.websocket.max.text.message.size", "1024000"),
+    ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED("zeppelin.server.default.dir.allowed", false);
 
     private String varName;
     @SuppressWarnings("rawtypes")


[7/7] zeppelin git commit: [ZEPPELIN-2775] Strict-Transport-Security and X-XSS-Protection Headers

Posted by pr...@apache.org.
[ZEPPELIN-2775] Strict-Transport-Security and X-XSS-Protection Headers

The HTTP Strict-Transport-Security response header (often abbreviated as HSTS) is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP.
Note: The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header.

The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.

[Bug Fix | Improvement ]

* [ZEPPELIN-2775](https://issues.apache.org/jira/browse/ZEPPELIN-2775)

Make a curl call to Zeppelin, or open Chrome and select "More Tools" -> "Developer Tools" from the right-side menu. Under the Network section, select any request and check its "Response Headers". You should see the headers below alongside the existing ones.

> strict-transport-security:max-age=631138519
> x-xss-protection:1; mode=block

<img width="1436" alt="screen shot 2017-07-14 at 8 19 14 pm" src="https://user-images.githubusercontent.com/6433184/28217231-16ce6cee-68d2-11e7-91aa-77ad083612c7.png">

* Does this needs documentation?

Author: krishna-pandey <kr...@gmail.com>

Closes #2492 from krishna-pandey/ZEPPELIN-2775 and squashes the following commits:

7d9978e49 [krishna-pandey] Modified Documentation as per review.
6733289ed [krishna-pandey] Adding documentation for HTTP Security Headers
754d2d71e [krishna-pandey] Supplying String instead of Int (required for Response Header)
468231cc6 [krishna-pandey] Added configurable Strict-Transport-Security and X-XSS-Protection Headers


Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/d0ee507b
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/d0ee507b
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/d0ee507b

Branch: refs/heads/branch-0.7
Commit: d0ee507bc13bd26da33bd1ec9286581b1edef05b
Parents: 4a0a6bf
Author: krishna-pandey <kr...@gmail.com>
Authored: Tue Aug 15 11:14:18 2017 -0700
Committer: Prabhjyot Singh <pr...@gmail.com>
Committed: Tue Aug 15 11:14:18 2017 -0700

----------------------------------------------------------------------
 conf/zeppelin-site.xml.template                 |  14 +++
 docs/_includes/themes/zeppelin/_navigation.html |   1 +
 docs/index.md                                   |   1 +
 docs/security/http_security_headers.md          | 110 +++++++++++++++++++
 .../org/apache/zeppelin/server/CorsFilter.java  |   7 +-
 .../zeppelin/conf/ZeppelinConfiguration.java    |  12 +-
 6 files changed, 143 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/zeppelin/blob/d0ee507b/conf/zeppelin-site.xml.template
----------------------------------------------------------------------
diff --git a/conf/zeppelin-site.xml.template b/conf/zeppelin-site.xml.template
index c7c878b..ec24719 100755
--- a/conf/zeppelin-site.xml.template
+++ b/conf/zeppelin-site.xml.template
@@ -343,4 +343,18 @@
 </property>
 -->
 
+<!--
+<property>
+  <name>zeppelin.server.strict.transport</name>
+  <value>max-age=631138519</value>
+  <description>The HTTP Strict-Transport-Security response header is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. Enable this when Zeppelin is running on HTTPS. Value is in Seconds, the default value is equivalent to 20 years.</description>
+</property>
+-->
+<!--
+<property>
+  <name>zeppelin.server.xxss.protection</name>
+  <value>1</value>
+  <description>The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. When value is set to 1 and a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).</description>
+</property>
+-->
 </configuration>

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/d0ee507b/docs/_includes/themes/zeppelin/_navigation.html
----------------------------------------------------------------------
diff --git a/docs/_includes/themes/zeppelin/_navigation.html b/docs/_includes/themes/zeppelin/_navigation.html
index a53036b..dca27ef 100644
--- a/docs/_includes/themes/zeppelin/_navigation.html
+++ b/docs/_includes/themes/zeppelin/_navigation.html
@@ -114,6 +114,7 @@
                 <li><a href="{{BASE_PATH}}/security/shiroauthentication.html">Shiro Authentication</a></li>                
                 <li><a href="{{BASE_PATH}}/security/notebook_authorization.html">Notebook Authorization</a></li>
                 <li><a href="{{BASE_PATH}}/security/datasource_authorization.html">Data Source Authorization</a></li>
+                <li><a href="{{BASE_PATH}}/security/http_security_headers.html">HTTP Security Headers</a></li>
                 <li><a href="{{BASE_PATH}}/security/helium_authorization.html">Helium Authorization</a></li>
                 <li role="separator" class="divider"></li>
                 <li class="title"><span><b>Advanced</b><span></li>

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/d0ee507b/docs/index.md
----------------------------------------------------------------------
diff --git a/docs/index.md b/docs/index.md
index b7cf8db..33e5b4a 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -172,6 +172,7 @@ Join to our [Mailing list](https://zeppelin.apache.org/community.html) and repor
   * [Shiro Authentication](./security/shiroauthentication.html)
   * [Notebook Authorization](./security/notebook_authorization.html)
   * [Data Source Authorization](./security/datasource_authorization.html)
+  * [HTTP Security Headers](./security/http_security_headers.html)
   * [Helium Authorization](./security/helium_authorization.html)
 * Advanced
   * [Apache Zeppelin on Vagrant VM](./install/virtual_machine.html)

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/d0ee507b/docs/security/http_security_headers.md
----------------------------------------------------------------------
diff --git a/docs/security/http_security_headers.md b/docs/security/http_security_headers.md
new file mode 100644
index 0000000..1c55d18
--- /dev/null
+++ b/docs/security/http_security_headers.md
@@ -0,0 +1,110 @@
+---
+layout: page
+title: "Setting up HTTP Response Headers"
+description: "There are multiple HTTP Security Headers which can be configured in Apache Zeppelin. This page describes how to enable them by providing appropriate value in Zeppelin configuration file."
+group: setup/security
+---
+<!--
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+{% include JB/setup %}
+
+# Setting up HTTP Response Headers for Zeppelin 
+
+<div id="toc"></div>
+
+Apache Zeppelin can be configured to include HTTP Headers which aids in preventing Cross Site Scripting (XSS), Cross-Frame Scripting (XFS) and also enforces HTTP Strict Transport Security. Apache Zeppelin also has configuration available to set the Application Server Version to desired value.
+
+## Setting up HTTP Strict Transport Security (HSTS) Response Header
+
+Enabling HSTS Response Header prevents Man-in-the-middle attacks by automatically redirecting HTTP requests to HTTPS when Zeppelin Server is running on SSL. Read on how to configure SSL for Zeppelin [here] (../operation/configuration.html). Even if web page contains any resource which gets served over HTTP or any HTTP links, it will automatically be redirected to HTTPS for the target domain. 
+It also prevents MITM attack by not allowing User to override the invalid certificate message, when Attacker presents invalid SSL certificate to the User.  
+
+The following property needs to be updated in the zeppelin-site.xml in order to enable HSTS. You can choose appropriate value for "max-age".
+
+```
+<property>
+  <name>zeppelin.server.strict.transport</name>
+  <value>max-age=631138519</value>
+  <description>The HTTP Strict-Transport-Security response header is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. Enable this when Zeppelin is running on HTTPS. Value is in Seconds, the default value is equivalent to 20 years.</description>
+</property>
+```
+
+
+Possible values are:
+
+* max-age=\<expire-time>
+* max-age=\<expire-time>; includeSubDomains
+* max-age=\<expire-time>; preload
+
+Read more about HSTS [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security).
+
+## Setting up X-XSS-PROTECTION Header
+
+The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari Web browsers that initiates configured action when they detect reflected cross-site scripting (XSS) attacks.
+ 
+The following property needs to be updated in the zeppelin-site.xml in order to set X-XSS-PROTECTION header. 
+
+```
+<property>
+  <name>zeppelin.server.xxss.protection</name>
+  <value>1; mode=block</value>
+  <description>The HTTP X-XSS-Protection response header is a feature of Internet Explorer, Chrome and Safari that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. When value is set to 1 and a cross-site scripting attack is detected, the browser will sanitize the page (remove the unsafe parts).</description>
+</property>
+```
+
+
+You can choose appropriate value from below.
+
+* 0  (Disables XSS filtering)
+* 1  (Enables XSS filtering. If a cross-site scripting attack is detected, the browser will sanitize the page.)
+* 1; mode=block  (Enables XSS filtering. The browser will prevent rendering of the page if an attack is detected.)
+
+Read more about HTTP X-XSS-Protection response header [here](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection).
+
+## Setting up X-Frame-Options Header
+
+The X-Frame-Options HTTP response header can indicate browser to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites in a `<frame>`,`<iframe>` or `<object>`.
+
+The following property needs to be updated in the zeppelin-site.xml in order to set X-Frame-Options header.
+
+```
+<property>
+  <name>zeppelin.server.xframe.options</name>
+  <value>SAMEORIGIN</value>
+  <description>The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a frame/iframe/object.</description>
+</property>
+```
+
+
+You can choose appropriate value from below.
+
+* DENY
+* SAMEORIGIN
+* ALLOW-FROM _uri_
+
+## Setting up Server Header
+
+Security conscious organisations does not want to reveal the Application Server name and version to prevent finding this information easily by Attacker while fingerprinting the Application. The exact version number can tell an Attacker if the current Application Server is patched for or vulnerable to certain publicly known CVE associated to it.
+
+The following property needs to be updated in the zeppelin-site.xml in order to set Server header.
+
+```
+<property>
+    <name>zeppelin.server.jetty.name</name>
+    <value>Jetty(7.6.0.v20120127)</value>
+    <description>Hardcoding Application Server name to Prevent Fingerprinting</description>
+</property>
+```
+
+The value can be any "String".
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/d0ee507b/zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java
----------------------------------------------------------------------
diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java b/zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java
index d29af7b..3a74bf4 100644
--- a/zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java
@@ -80,7 +80,12 @@ public class CorsFilter implements Filter {
     DateFormat fullDateFormatEN =
         DateFormat.getDateTimeInstance(DateFormat.FULL, DateFormat.FULL, new Locale("EN", "en"));
     response.addHeader("Date", fullDateFormatEN.format(new Date()));
-    response.addHeader("X-FRAME-OPTIONS", ZeppelinConfiguration.create().getXFrameOptions());
+    ZeppelinConfiguration zeppelinConfiguration = ZeppelinConfiguration.create();
+    response.addHeader("X-FRAME-OPTIONS", zeppelinConfiguration.getXFrameOptions());
+    if (zeppelinConfiguration.useSsl()) {
+      response.addHeader("Strict-Transport-Security", zeppelinConfiguration.getStrictTransport());
+    }
+    response.addHeader("X-XSS-Protection", zeppelinConfiguration.getXxssProtection());
   }
 
   @Override
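Review bot: `ZeppelinConfiguration.create()` is now called on every response to read three header values; the pre-existing code did this once, and the hoisting into a local makes it a natural moment to move it into the filter's `init(FilterConfig)` and keep it in a field, since the values are static for the life of the server. A second caveat worth a comment on the `if (zeppelinConfiguration.useSsl())` branch: when TLS is terminated by a reverse proxy in front of Zeppelin, `useSsl()` is presumably false and `Strict-Transport-Security` is never emitted, so the proxy has to add it — e.g. `// HSTS is only sent when Jetty itself serves TLS; behind a TLS-terminating proxy set the header there`. The enclosing doFilter-style method starts before the hunk.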

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/d0ee507b/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
----------------------------------------------------------------------
diff --git a/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java b/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
index d2bb648..242a890 100644
--- a/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
+++ b/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
@@ -484,6 +484,14 @@ public class ZeppelinConfiguration extends XMLConfiguration {
     return getString(ConfVars.ZEPPELIN_SERVER_XFRAME_OPTIONS);
   }
 
+  public String getXxssProtection() {
+    return getString(ConfVars.ZEPPELIN_SERVER_X_XSS_PROTECTION);
+  }
+
+  public String getStrictTransport() {
+    return getString(ConfVars.ZEPPELIN_SERVER_STRICT_TRANSPORT);
+  }
+
 
   public Map<String, String> dumpConfigurations(ZeppelinConfiguration conf,
                                                 ConfigurationKeyPredicate predicate) {
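Review bot: The two new public getters have no Javadoc, unlike a reader would expect for configuration accessors whose values end up verbatim in HTTP response headers. Suggested: `/** Value of the X-XSS-Protection response header (zeppelin.server.xxss.protection). */` on `getXxssProtection()` and `/** Value of the Strict-Transport-Security header (zeppelin.server.strict.transport); CorsFilter only emits it when SSL is enabled. */` on `getStrictTransport()`. The extra blank line left after `getStrictTransport()` (two blank lines before `dumpConfigurations`) can also be dropped.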
@@ -629,7 +637,9 @@ public class ZeppelinConfiguration extends XMLConfiguration {
     ZEPPELIN_WEBSOCKET_MAX_TEXT_MESSAGE_SIZE("zeppelin.websocket.max.text.message.size", "1024000"),
     ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED("zeppelin.server.default.dir.allowed", false),
     ZEPPELIN_SERVER_XFRAME_OPTIONS("zeppelin.server.xframe.options", "SAMEORIGIN"),
-    ZEPPELIN_SERVER_JETTY_NAME("zeppelin.server.jetty.name", null);
+    ZEPPELIN_SERVER_JETTY_NAME("zeppelin.server.jetty.name", null),
+    ZEPPELIN_SERVER_STRICT_TRANSPORT("zeppelin.server.strict.transport", "max-age=631138519"),
+    ZEPPELIN_SERVER_X_XSS_PROTECTION("zeppelin.server.xxss.protection", "1");
 
     private String varName;
     @SuppressWarnings("rawtypes")
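Review bot: The default for `ZEPPELIN_SERVER_X_XSS_PROTECTION` is `"1"` here and in the site template, but the new documentation page shows `1; mode=block` as the configured example and itself explains that `mode=block` stops the page from rendering rather than having the browser sanitize it, which is the stronger setting. Unless there is a reason to keep sanitize mode, aligning the default with the documentation avoids a silent mismatch: `ZEPPELIN_SERVER_X_XSS_PROTECTION("zeppelin.server.xxss.protection", "1; mode=block");` with the template value changed to match.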


[6/7] zeppelin git commit: [ZEPPELIN-2769] Prevent SQL injection for GetUserList.getUserList.

Posted by pr...@apache.org.
[ZEPPELIN-2769] Prevent SQL injection for GetUserList.getUserList.

### What is this PR for?
Prevent SQL injection for ```GetUserList.getUserList```.

### What type of PR is it?
Improvement

### What is the Jira issue?
https://issues.apache.org/jira/browse/ZEPPELIN-2769

Author: Yanbo Liang <yb...@gmail.com>

Closes #2487 from yanboliang/zeppelin-2769 and squashes the following commits:

d1a7ff9b [Yanbo Liang] Prevent SQL injection for GetUserList.getUserList.


Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/4a0a6bfc
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/4a0a6bfc
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/4a0a6bfc

Branch: refs/heads/branch-0.7
Commit: 4a0a6bfc43ea69121f5a4dc49b63d931a45d2d8e
Parents: d2907b5
Author: Yanbo Liang <yb...@gmail.com>
Authored: Wed Jul 12 15:25:05 2017 +0800
Committer: Prabhjyot Singh <pr...@gmail.com>
Committed: Tue Aug 15 11:08:45 2017 -0700

----------------------------------------------------------------------
 .../src/main/java/org/apache/zeppelin/rest/GetUserList.java      | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/zeppelin/blob/4a0a6bfc/zeppelin-server/src/main/java/org/apache/zeppelin/rest/GetUserList.java
----------------------------------------------------------------------
diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/rest/GetUserList.java b/zeppelin-server/src/main/java/org/apache/zeppelin/rest/GetUserList.java
index f0e3740..7452c93 100644
--- a/zeppelin-server/src/main/java/org/apache/zeppelin/rest/GetUserList.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/rest/GetUserList.java
@@ -231,7 +231,7 @@ public class GetUserList {
         return userlist;
       }
 
-      userquery = "select " + username + " from " + tablename;
+      userquery = "select ? from ?";
 
     } catch (IllegalAccessException e) {
       LOG.error("Error while accessing dataSource for JDBC Realm", e);
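Review bot: `"select ? from ?"` does not work as a prepared statement: JDBC bind parameters can only carry values, so the `setString` calls in the next hunk (L551–L552) turn the statement into `select 'username' from 'tablename'`, which most drivers reject and the rest answer with the literal string — the user list breaks rather than becoming safe. Column and table names must be validated, not bound; since these appear to come from the realm's configuration rather than from request input, an identifier allowlist before the concatenation is the right shape. Rewritten lines below; the two `ps.setString(...)` lines in the second hunk should be dropped, and the `userquery` concatenation kept.
```java
      // JDBC bind parameters carry values only, so "select ? from ?" cannot take
      // identifiers; validate the configured column/table names before building the query.
      if (!username.matches("[A-Za-z_][A-Za-z0-9_]*")
          || !tablename.matches("[A-Za-z_][A-Za-z0-9_.]*")) {
        LOG.error("Invalid column or table name configured for JDBC Realm");
        return userlist;
      }
      userquery = "select " + username + " from " + tablename;
      // … unchanged: catch blocks …
```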
@@ -241,6 +241,8 @@ public class GetUserList {
     try {
       Connection con = dataSource.getConnection();
       ps = con.prepareStatement(userquery);
+      ps.setString(1, username);
+      ps.setString(2, tablename);
       rs = ps.executeQuery();
       while (rs.next()) {
         userlist.add(rs.getString(1).trim());


[2/7] zeppelin git commit: [ZEPPELIN-2461] Masking Jetty Server version with User-configurable parameter

Posted by pr...@apache.org.
[ZEPPELIN-2461] Masking Jetty Server version with User-configurable parameter

### What is this PR for?
Security-conscious organisations do not want to reveal the application server name and version, to prevent script kiddies from finding the information easily when fingerprinting the application. The exact version number can tell an attacker whether the current application server is patched for, or vulnerable to, certain publicly known CVEs associated with it.

### What type of PR is it?
[Improvement | Feature]

### What is the Jira issue?
* [ZEPPELIN-2461](https://issues.apache.org/jira/browse/ZEPPELIN-2461)

### How should this be tested?
Providing a value in zeppelin-site.xml will replace the actual Jetty server version found in HTTP Header with provided value. E.g.
 - edit zeppelin-site.xml and add a property `zeppelin.server.jetty.name` and with value say `TOMCAT`
 - restart the server
 - open the app in browser then observe the Response Headers for the key "Server"  this should now reflect "TOMCAT"

### Screenshots (if appropriate)

### Questions:
* Does the licenses files need update? N/A
* Is there breaking changes for older versions? N/A
* Does this needs documentation? N/A

Author: krishna-pandey <kr...@gmail.com>

Closes #2293 from krishna-pandey/ZEPPELIN-2461 and squashes the following commits:

b071f7ad0 [krishna-pandey] Set App Server name to config value


Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/5ead465e
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/5ead465e
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/5ead465e

Branch: refs/heads/branch-0.7
Commit: 5ead465e5e7d5226128c5e46517463aeabc17370
Parents: 556a211
Author: krishna-pandey <kr...@gmail.com>
Authored: Thu Apr 27 16:14:33 2017 +0530
Committer: Prabhjyot Singh <pr...@gmail.com>
Committed: Tue Aug 15 11:07:59 2017 -0700

----------------------------------------------------------------------
 conf/zeppelin-site.xml.template                              | 8 ++++++++
 .../main/java/org/apache/zeppelin/server/ZeppelinServer.java | 3 +++
 .../java/org/apache/zeppelin/conf/ZeppelinConfiguration.java | 7 ++++++-
 3 files changed, 17 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/zeppelin/blob/5ead465e/conf/zeppelin-site.xml.template
----------------------------------------------------------------------
diff --git a/conf/zeppelin-site.xml.template b/conf/zeppelin-site.xml.template
index 620f2be..85341c3 100755
--- a/conf/zeppelin-site.xml.template
+++ b/conf/zeppelin-site.xml.template
@@ -328,4 +328,12 @@
   <description>Enable directory listings on server.</description>
 </property>
 
+<!--
+<property>
+    <name>zeppelin.server.jetty.name</name>
+    <value>Jetty(7.6.0.v20120127)</value>
+    <description>Hardcoding Application Server name to Prevent Fingerprinting</description>
+</property>
+-->
+
 </configuration>

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/5ead465e/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
----------------------------------------------------------------------
diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java b/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
index abce92f..fdd2530 100644
--- a/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/server/ZeppelinServer.java
@@ -187,6 +187,9 @@ public class ZeppelinServer extends Application {
     LOG.info("Starting zeppelin server");
     try {
       jettyWebServer.start(); //Instantiates ZeppelinServer
+      if (conf.getJettyName() != null) {
+        org.eclipse.jetty.http.HttpGenerator.setJettyVersion(conf.getJettyName());
+      }
     } catch (Exception e) {
       LOG.error("Error while running jettyServer", e);
       System.exit(-1);
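Review bot: `HttpGenerator.setJettyVersion(...)` is called after `jettyWebServer.start()`, so any response served between the server coming up and this line still carries the real version; set it before the `start()` call instead, i.e. move the added `if` block above `jettyWebServer.start();`. The setter is a process-wide static in Jetty, which deserves a comment, and importing `org.eclipse.jetty.http.HttpGenerator` reads better than the fully qualified name inline. If the bundled Jetty's `HttpConfiguration` offers `setSendServerVersion(false)`, suppressing the `Server` header entirely is a simpler alternative to replacing its value. The enclosing method starts outside the hunk.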

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/5ead465e/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
----------------------------------------------------------------------
diff --git a/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java b/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
index cf2832f..97ad60d 100644
--- a/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
+++ b/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
@@ -475,6 +475,10 @@ public class ZeppelinConfiguration extends XMLConfiguration {
     return getString(ConfVars.ZEPPELIN_WEBSOCKET_MAX_TEXT_MESSAGE_SIZE);
   }
 
+  public String getJettyName() {
+    return getString(ConfVars.ZEPPELIN_SERVER_JETTY_NAME);
+  }
+
   public Map<String, String> dumpConfigurations(ZeppelinConfiguration conf,
                                                 ConfigurationKeyPredicate predicate) {
     Map<String, String> configurations = new HashMap<>();
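Review bot: `getJettyName()` has no Javadoc, and the `null` default added in the enum hunk below is the security-relevant part of the contract, since the caller skips the override entirely when it is `null`. Suggested comment above the method: `/** Server-name string to report instead of Jetty's own version ({@code zeppelin.server.jetty.name}); {@code null} when unset, in which case Jetty's default version string is sent. */`.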
@@ -617,7 +621,8 @@ public class ZeppelinConfiguration extends XMLConfiguration {
     ZEPPELIN_ANONYMOUS_ALLOWED("zeppelin.anonymous.allowed", true),
     ZEPPELIN_CREDENTIALS_PERSIST("zeppelin.credentials.persist", true),
     ZEPPELIN_WEBSOCKET_MAX_TEXT_MESSAGE_SIZE("zeppelin.websocket.max.text.message.size", "1024000"),
-    ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED("zeppelin.server.default.dir.allowed", false);
+    ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED("zeppelin.server.default.dir.allowed", false),
+    ZEPPELIN_SERVER_JETTY_NAME("zeppelin.server.jetty.name", null);
 
     private String varName;
     @SuppressWarnings("rawtypes")


[5/7] zeppelin git commit: [ZEPPELIN-2765] Configurable X-FRAME-OPTIONS for Zeppelin

Posted by pr...@apache.org.
[ZEPPELIN-2765] Configurable X-FRAME-OPTIONS for Zeppelin

### What is this PR for?
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid Clickjacking attacks, by ensuring that their content is not embedded into other sites. Set the X-Frame-Options header for all responses containing HTML content. The possible values are "DENY", "SAMEORIGIN", or "ALLOW-FROM uri"

### What type of PR is it?
[Bug Fix | Improvement ]

### What is the Jira issue?
* [ZEPPELIN-2765](https://issues.apache.org/jira/browse/ZEPPELIN-2765)

### How should this be tested?
The application (Zeppelin) loads in an iframe. Put the code below in an HTML file and open it in a browser:
<iframe src="{http_proto}://{zeppelin_host}:{zeppelin_port}/#/" width="100%" height="600"></iframe>

Author: krishna-pandey <kr...@gmail.com>

Closes #2482 from krishna-pandey/ZEPPELIN-2765 and squashes the following commits:

948d9c0e9 [krishna-pandey] Removed hyphen from the value
518f1a4a2 [krishna-pandey] Configurable X-FRAME-OPTIONS for Zeppelin


Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/d2907b5c
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/d2907b5c
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/d2907b5c

Branch: refs/heads/branch-0.7
Commit: d2907b5c14adeb9d626cec54ca10ea4d82fa73c2
Parents: fc02cdb
Author: krishna-pandey <kr...@gmail.com>
Authored: Wed Jul 12 11:30:58 2017 +0530
Committer: Prabhjyot Singh <pr...@gmail.com>
Committed: Tue Aug 15 11:08:34 2017 -0700

----------------------------------------------------------------------
 conf/zeppelin-site.xml.template                               | 7 +++++++
 .../src/main/java/org/apache/zeppelin/server/CorsFilter.java  | 1 +
 .../java/org/apache/zeppelin/conf/ZeppelinConfiguration.java  | 7 +++++++
 3 files changed, 15 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/zeppelin/blob/d2907b5c/conf/zeppelin-site.xml.template
----------------------------------------------------------------------
diff --git a/conf/zeppelin-site.xml.template b/conf/zeppelin-site.xml.template
index 85341c3..c7c878b 100755
--- a/conf/zeppelin-site.xml.template
+++ b/conf/zeppelin-site.xml.template
@@ -335,5 +335,12 @@
     <description>Hardcoding Application Server name to Prevent Fingerprinting</description>
 </property>
 -->
+<!--
+<property>
+  <name>zeppelin.server.xframe.options</name>
+  <value>SAMEORIGIN</value>
+  <description>The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a frame/iframe/object.</description>
+</property>
+-->
 
 </configuration>

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/d2907b5c/zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java
----------------------------------------------------------------------
diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java b/zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java
index 3fccf1f..d29af7b 100644
--- a/zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java
@@ -80,6 +80,7 @@ public class CorsFilter implements Filter {
     DateFormat fullDateFormatEN =
         DateFormat.getDateTimeInstance(DateFormat.FULL, DateFormat.FULL, new Locale("EN", "en"));
     response.addHeader("Date", fullDateFormatEN.format(new Date()));
+    response.addHeader("X-FRAME-OPTIONS", ZeppelinConfiguration.create().getXFrameOptions());
   }
 
   @Override
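Review bot: `ZeppelinConfiguration.create()` is now called on every response inside `doFilter`; if `create()` re-reads the configuration rather than returning a cached instance (not visible here), that puts config parsing on the request path, so resolve the value once in `init()` into a field and reuse it. The configured value is also passed through unvalidated: browsers honour only `DENY`, `SAMEORIGIN` and `ALLOW-FROM uri`, and a misspelt or unsupported value is silently ignored, which disables the clickjacking protection this commit is adding while leaving the header apparently present. Validate the value at startup (reject or fall back to `SAMEORIGIN` with a warning) rather than emitting it blindly; a `null` value, possible if an operator clears the property, would otherwise reach `addHeader` too. The enclosing `doFilter` method starts outside the hunk.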

http://git-wip-us.apache.org/repos/asf/zeppelin/blob/d2907b5c/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
----------------------------------------------------------------------
diff --git a/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java b/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
index 97ad60d..d2bb648 100644
--- a/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
+++ b/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
@@ -479,6 +479,12 @@ public class ZeppelinConfiguration extends XMLConfiguration {
     return getString(ConfVars.ZEPPELIN_SERVER_JETTY_NAME);
   }
 
+
+  public String getXFrameOptions() {
+    return getString(ConfVars.ZEPPELIN_SERVER_XFRAME_OPTIONS);
+  }
+
+
   public Map<String, String> dumpConfigurations(ZeppelinConfiguration conf,
                                                 ConfigurationKeyPredicate predicate) {
     Map<String, String> configurations = new HashMap<>();
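Review bot: The new getter is wrapped in two blank lines above and below, unlike every other method in this section, and it carries no Javadoc. Suggested: drop the extra blank lines and add `/** Value emitted in the {@code X-Frame-Options} response header ({@code zeppelin.server.xframe.options}); defaults to {@code SAMEORIGIN}. */`, the default being the one declared in the enum hunk below.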
@@ -622,6 +628,7 @@ public class ZeppelinConfiguration extends XMLConfiguration {
     ZEPPELIN_CREDENTIALS_PERSIST("zeppelin.credentials.persist", true),
     ZEPPELIN_WEBSOCKET_MAX_TEXT_MESSAGE_SIZE("zeppelin.websocket.max.text.message.size", "1024000"),
     ZEPPELIN_SERVER_DEFAULT_DIR_ALLOWED("zeppelin.server.default.dir.allowed", false),
+    ZEPPELIN_SERVER_XFRAME_OPTIONS("zeppelin.server.xframe.options", "SAMEORIGIN"),
     ZEPPELIN_SERVER_JETTY_NAME("zeppelin.server.jetty.name", null);
 
     private String varName;


[3/7] zeppelin git commit: [ZEPPELIN-2733] Remove System Information Leak in Authentication.java.

Posted by pr...@apache.org.
[ZEPPELIN-2733] Remove System Information Leak in Authentication.java.

### What is this PR for?
An information leak occurs when system data or debugging information leaves the program through an output stream or logging function.
In the file Authentication.java,
```
Line 137: LOG.debug("Encrypted user key is {}", userKey);
Line 148: LOG.debug("IV is {}, IV length is {}", initVector, initVector.length());
```
These lines may print information that reveals sensitive data to a user, making the system vulnerable to attacks; we should not log this sensitive information.

### What type of PR is it?
[Improvement]

### What is the Jira issue?
https://issues.apache.org/jira/browse/ZEPPELIN-2733

### How should this be tested?
Existing tests.

### Screenshots (if appropriate)

### Questions:
* Does the licenses files need update? - No
* Is there breaking changes for older versions? - No
* Does this needs documentation? - No

Author: Yanbo Liang <yb...@gmail.com>

Closes #2468 from yanboliang/zeppelin-2733 and squashes the following commits:

ce485ae [Yanbo Liang] Remove System Information Leak in Authentication.java.


Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/465b0ba2
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/465b0ba2
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/465b0ba2

Branch: refs/heads/branch-0.7
Commit: 465b0ba2556420d5d1424ef9206e129f07e164e9
Parents: 5ead465
Author: Yanbo Liang <yb...@gmail.com>
Authored: Thu Jul 6 14:31:15 2017 +0800
Committer: Prabhjyot Singh <pr...@gmail.com>
Committed: Tue Aug 15 11:08:12 2017 -0700

----------------------------------------------------------------------
 .../notebook/repo/zeppelinhub/security/Authentication.java         | 2 --
 1 file changed, 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/zeppelin/blob/465b0ba2/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/repo/zeppelinhub/security/Authentication.java
----------------------------------------------------------------------
diff --git a/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/repo/zeppelinhub/security/Authentication.java b/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/repo/zeppelinhub/security/Authentication.java
index 4b8b42d..76968e4 100644
--- a/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/repo/zeppelinhub/security/Authentication.java
+++ b/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/repo/zeppelinhub/security/Authentication.java
@@ -134,7 +134,6 @@ public class Authentication implements Runnable {
 
   // returns login:password
   private String getAuthKey(String userKey) {
-    LOG.debug("Encrypted user key is {}", userKey);
     if (StringUtils.isBlank(userKey)) {
       LOG.warn("ZEPPELINHUB_USER_KEY is blank");
       return StringUtils.EMPTY;
@@ -145,7 +144,6 @@ public class Authentication implements Runnable {
   }
 
   private String decrypt(String value, String initVector) {
-    LOG.debug("IV is {}, IV length is {}", initVector, initVector.length());
     if (StringUtils.isBlank(value) || StringUtils.isBlank(initVector)) {
       LOG.error("String to decode or salt is not provided");
       return StringUtils.EMPTY;


[4/7] zeppelin git commit: [ZEPPELIN-2757] Enhance Authentication decrypting key generation.

Posted by pr...@apache.org.
[ZEPPELIN-2757] Enhance Authentication decrypting key generation.

### What is this PR for?
Enhance ```Authentication``` decrypting key generation by random ```KeyGenerator```.

### What type of PR is it?
Improvement

### What is the Jira issue?
https://issues.apache.org/jira/browse/ZEPPELIN-2757

Author: Yanbo Liang <yb...@gmail.com>

Closes #2475 from yanboliang/zeppelin-2757 and squashes the following commits:

ccf1595c [Yanbo Liang] Use LOG.warn rather than printStackTrace.
60f04095 [Yanbo Liang] Enhance Authentication decrypting key generation.


Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/fc02cdb1
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/fc02cdb1
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/fc02cdb1

Branch: refs/heads/branch-0.7
Commit: fc02cdb157fe0043fa396c44d49a4c171710483e
Parents: 465b0ba
Author: Yanbo Liang <yb...@gmail.com>
Authored: Wed Jul 19 12:11:26 2017 +0800
Committer: Prabhjyot Singh <pr...@gmail.com>
Committed: Tue Aug 15 11:08:24 2017 -0700

----------------------------------------------------------------------
 .../repo/zeppelinhub/security/Authentication.java     | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/zeppelin/blob/fc02cdb1/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/repo/zeppelinhub/security/Authentication.java
----------------------------------------------------------------------
diff --git a/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/repo/zeppelinhub/security/Authentication.java b/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/repo/zeppelinhub/security/Authentication.java
index 76968e4..fd5142b 100644
--- a/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/repo/zeppelinhub/security/Authentication.java
+++ b/zeppelin-zengine/src/main/java/org/apache/zeppelin/notebook/repo/zeppelinhub/security/Authentication.java
@@ -4,10 +4,13 @@ import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.security.GeneralSecurityException;
 import java.security.Key;
+import java.security.SecureRandom;
 import java.util.Collections;
 import java.util.Map;
 
 import javax.crypto.Cipher;
+import javax.crypto.KeyGenerator;
+import javax.crypto.SecretKey;
 import javax.crypto.spec.IvParameterSpec;
 import javax.crypto.spec.SecretKeySpec;
 
@@ -193,7 +196,16 @@ public class Authentication implements Runnable {
   }
 
   private Key generateKey() {
-    return new SecretKeySpec(toBytes(KEY), CIPHER_ALGORITHM);
+    try {
+      KeyGenerator kgen = KeyGenerator.getInstance(CIPHER_ALGORITHM);
+      kgen.init(128, new SecureRandom(toBytes(KEY)));
+      SecretKey secretKey = kgen.generateKey();
+      byte[] enCodeFormat = secretKey.getEncoded();
+      return new SecretKeySpec(enCodeFormat, CIPHER_ALGORITHM);
+    } catch (Exception e) {
+      LOG.warn("Cannot generate key for decryption", e);
+    }
+    return null;
   }
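Review bot: Deriving the key from `new SecureRandom(toBytes(KEY))` makes the result provider-dependent: `SHA1PRNG` with an explicit seed is deterministic, but the native PRNG used on Linux mixes the seed with system entropy, so the key produced here can differ between JVMs and platforms and from the key that encrypted the data, whereas the replaced `SecretKeySpec(toBytes(KEY), CIPHER_ALGORITHM)` was at least reproducible. If a fixed derivation from `KEY` is intended, use a proper KDF such as `SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")` with a stored salt and iteration count; if a fresh random key is intended, do not seed at all and persist the generated key. `KeyGenerator.getInstance(CIPHER_ALGORITHM)` also requires a bare algorithm name such as `"AES"`, while `SecretKeySpec` accepted any string, so if the constant is a transformation like `AES/CBC/...` (defined outside this hunk) the call throws and this method returns `null` every time. Returning `null` from a `catch (Exception e)` only defers the failure to a NullPointerException at cipher initialisation; prefer `catch (GeneralSecurityException e)` and `throw new IllegalStateException("Cannot generate key for decryption", e);` so the misconfiguration surfaces where it occurs.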
 
   private byte[] toBytes(String value) {