You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@flink.apache.org by "Matthias (Jira)" <ji...@apache.org> on 2021/01/11 14:06:00 UTC

[jira] [Comment Edited] (FLINK-20916) JobManagerCustomLogHandlerTest.testGetJobManagerCustomLogsExistingButForbiddenFileWithObfuscatedPath can be deleted

    [ https://issues.apache.org/jira/browse/FLINK-20916?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17262648#comment-17262648 ] 

Matthias edited comment on FLINK-20916 at 1/11/21, 2:05 PM:
------------------------------------------------------------

Thanks for bringing this up, [~gn_nate]. You're right - the test does not follow the specification report by CVE-2020-17519. By looking into that issue, I also realize that the test itself does not test the functionality it should test as the {{JobManagerCustomLogHandler}} does not decode the URL encoding at all. The URL parsing and decoding happens already earlier in the process (see [RouteHandler|https://github.com/apache/flink/blob/c6997c97c575d334679915c328792b8a3067cfb5/flink-runtime/src/main/java/org/apache/flink/runtime/rest/handler/router/RouterHandler.java#L86]) and does not need to be tested individually in this test class. Hence, this testcase is obsolete: The solution is to delete it. I updated the issue's title accordingly.


was (Author: mapohl):
Thanks for bringing this up, [~gn_nate]. You're right - the test does not follow the specification report by CVE-2020-17519. By looking into that issue, I also realize that the test itself does not test the functionality it should test as the {{JobManagerCustomLogHandler}} does not decode the URL encoding at all. The URL parsing and decoding happens already earlier in the process and does not need to be test individually in this test class. Hence, this testcase is obsolete: The solution is to delete it. I updated the issue's title accordingly.

> JobManagerCustomLogHandlerTest.testGetJobManagerCustomLogsExistingButForbiddenFileWithObfuscatedPath can be deleted
> -------------------------------------------------------------------------------------------------------------------
>
>                 Key: FLINK-20916
>                 URL: https://issues.apache.org/jira/browse/FLINK-20916
>             Project: Flink
>          Issue Type: Bug
>          Components: Runtime / REST
>            Reporter: nate
>            Assignee: Matthias
>            Priority: Trivial
>
>  
> The [testGetJobManagerCustomLogsExistingButForbiddenFileWithObfuscatedPath|https://github.com/apache/flink/blob/b561010b0ee741543c3953306037f00d7a9f0801/flink-runtime/src/test/java/org/apache/flink/runtime/rest/handler/cluster/JobManagerCustomLogHandlerTest.java#L149] test for CVE-2020-17519 Path Traversal has a typo that causes it to inaccurately test for the vuln. 
> It uses for format string "..%%252%s" when it should be "..%%252f%s".



--
This message was sent by Atlassian Jira
(v8.3.4#803005)