You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@zeppelin.apache.org by mo...@apache.org on 2017/03/21 20:00:18 UTC

zeppelin git commit: [ZEPPELIN-2288] Fix Cross-Site WebSocket check

Repository: zeppelin
Updated Branches:
  refs/heads/master 89a1c53f2 -> 29dc3da1e


[ZEPPELIN-2288] Fix Cross-Site WebSocket check

Change-Id: Iad87ebe0b5dd6bd67a12e47fe83fbd0e1e71bda9

### What is this PR for?

ZEPPELIN-173 implemented an optional check for the Origin header during the websocket connection creation. This check is no longer active since jetty is upgraded to 9 as the checkOrigin method is no longer called automatically.

This fix, just calls the existing check from the WebsocketCreator manually.

### What type of PR is it?
Bug Fix

### Todos

### What is the Jira issue?

https://issues.apache.org/jira/browse/ZEPPELIN-2288

### How should this be tested?

1. Set `zeppelin.server.allowed.origins` in zeppelin-site.xml other than the default `*`. Eg. `xxxx`
2. Start zeppelin
3. Try to open the zeppelin ws conection with different origin:

```
curl 'http://localhost:8080/ws' -H 'Host: localhost:8080' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:47.0) Gecko/20100101 Firefox/47.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' --compressed -H 'Sec-WebSocket-Version: 13' -H 'origin: http://other:8080' -H 'Sec-WebSocket-Extensions: permessage-deflate' -H 'Sec-WebSocket-Key: BpiqAMwZaQUJQ//NtEaQPw==' -H 'Connection: keep-alive, Upgrade' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' -H 'Upgrade: websocket'
```

4. The websocket creation should be failed if the origin is not localhost or not the string configurated at 2.

### Screenshots (if appropriate)

### Questions:
* Does the licenses files need update? No
* Is there breaking changes for older versions? No
* Does this needs documentation? No

Author: Elek, M�rton <el...@users.noreply.github.com>

Closes #2166 from elek/ZEPPELIN-2288 and squashes the following commits:

74b37a4 [Elek, M�rton] [ZEPPELIN-2288] Fix Cross-Site WebSocket check


Project: http://git-wip-us.apache.org/repos/asf/zeppelin/repo
Commit: http://git-wip-us.apache.org/repos/asf/zeppelin/commit/29dc3da1
Tree: http://git-wip-us.apache.org/repos/asf/zeppelin/tree/29dc3da1
Diff: http://git-wip-us.apache.org/repos/asf/zeppelin/diff/29dc3da1

Branch: refs/heads/master
Commit: 29dc3da1e12fd7e035c1878431720410131c0b0a
Parents: 89a1c53
Author: Elek, M�rton <el...@users.noreply.github.com>
Authored: Mon Mar 20 15:23:51 2017 +0100
Committer: Lee moon soo <mo...@apache.org>
Committed: Tue Mar 21 13:00:15 2017 -0700

----------------------------------------------------------------------
 .../zeppelin/socket/NotebookWebSocketCreator.java    | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/zeppelin/blob/29dc3da1/zeppelin-server/src/main/java/org/apache/zeppelin/socket/NotebookWebSocketCreator.java
----------------------------------------------------------------------
diff --git a/zeppelin-server/src/main/java/org/apache/zeppelin/socket/NotebookWebSocketCreator.java b/zeppelin-server/src/main/java/org/apache/zeppelin/socket/NotebookWebSocketCreator.java
index 1b8e2f4..7033929 100644
--- a/zeppelin-server/src/main/java/org/apache/zeppelin/socket/NotebookWebSocketCreator.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/socket/NotebookWebSocketCreator.java
@@ -19,18 +19,31 @@ package org.apache.zeppelin.socket;
 import org.eclipse.jetty.websocket.servlet.ServletUpgradeRequest;
 import org.eclipse.jetty.websocket.servlet.ServletUpgradeResponse;
 import org.eclipse.jetty.websocket.servlet.WebSocketCreator;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import static org.apache.zeppelin.conf.ZeppelinConfiguration.ConfVars.ZEPPELIN_ALLOWED_ORIGINS;
 
 /**
  * Responsible to create the WebSockets for the NotebookServer.
  */
 public class NotebookWebSocketCreator implements WebSocketCreator {
+
+  private static final Logger LOG = LoggerFactory.getLogger(NotebookWebSocketCreator.class);
   private NotebookServer notebookServer;
 
   public NotebookWebSocketCreator(NotebookServer notebookServer) {
     this.notebookServer = notebookServer;
   }
   public Object createWebSocket(ServletUpgradeRequest request, ServletUpgradeResponse response) {
-    return new NotebookSocket(request.getHttpServletRequest(), "", notebookServer);
+    String origin = request.getHeader("Origin");
+    if (notebookServer.checkOrigin(request.getHttpServletRequest(), origin)) {
+      return new NotebookSocket(request.getHttpServletRequest(), "", notebookServer);
+    } else {
+      LOG.error("Websocket request is not allowed by {} settings. Origin: {}",
+          ZEPPELIN_ALLOWED_ORIGINS, origin);
+      return null;
+    }
   }
 
 }