Posted to reviews@spark.apache.org by yanboliang <gi...@git.apache.org> on 2016/05/20 07:13:53 UTC

[GitHub] spark pull request: [SPARK-15440] [Core] [Deploy] Add CSRF Filter ...

GitHub user yanboliang opened a pull request:

    https://github.com/apache/spark/pull/13218

    [SPARK-15440] [Core] [Deploy] Add CSRF Filter for REST APIs to Spark

    ## What changes were proposed in this pull request?
    CSRF prevention for REST APIs can be provided through a common servlet filter. This filter would check for the existence of a custom HTTP header, such as `X-XSRF-Header`.
    The fact that CSRF attacks are entirely browser based means that the above approach can ensure that requests are coming either from applications served by the same origin as the REST API, or from an origin for which there is explicit policy configuration that allows setting a header on XMLHttpRequest from another origin.
    We have done similar work for Hadoop (https://issues.apache.org/jira/browse/HADOOP-12691) and other components.
    
    ## How was this patch tested?
    Unit tests.
    


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/yanboliang/spark spark-15440

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/spark/pull/13218.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #13218
    
----
commit 93b1c6f7f75b8b32246d1949e775ac091b02a7e3
Author: Yanbo Liang <yb...@gmail.com>
Date:   2016-05-20T07:12:05Z

    Add CSRF Filter for REST APIs to Spark

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org


[GitHub] spark pull request: [SPARK-15440] [Core] [Deploy] Add CSRF Filter ...

Posted by SparkQA <gi...@git.apache.org>.
Github user SparkQA commented on the pull request:

    https://github.com/apache/spark/pull/13218#issuecomment-220590546
  
    **[Test build #58986 has started](https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/58986/consoleFull)** for PR 13218 at commit [`93b1c6f`](https://github.com/apache/spark/commit/93b1c6f7f75b8b32246d1949e775ac091b02a7e3).




[GitHub] spark pull request: [SPARK-15440] [Core] [Deploy] Add CSRF Filter ...

Posted by jerryshao <gi...@git.apache.org>.
Github user jerryshao commented on the pull request:

    https://github.com/apache/spark/pull/13218#issuecomment-220543333
  
    Hi @yanboliang, from my understanding we may also have a REST servlet in the Spark live UI and history UI; do we also need to address the issue in that place?




[GitHub] spark pull request: [SPARK-15440] [Core] [Deploy] Add CSRF Filter ...

Posted by SparkQA <gi...@git.apache.org>.
Github user SparkQA commented on the pull request:

    https://github.com/apache/spark/pull/13218#issuecomment-220595397
  
    **[Test build #58990 has started](https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/58990/consoleFull)** for PR 13218 at commit [`93b1c6f`](https://github.com/apache/spark/commit/93b1c6f7f75b8b32246d1949e775ac091b02a7e3).




[GitHub] spark pull request: [SPARK-15440] [Core] [Deploy] Add CSRF Filter ...

Posted by AmplabJenkins <gi...@git.apache.org>.
Github user AmplabJenkins commented on the pull request:

    https://github.com/apache/spark/pull/13218#issuecomment-220592490
  
    Merged build finished. Test FAILed.




[GitHub] spark pull request: [SPARK-15440] [Core] [Deploy] Add CSRF Filter ...

Posted by SparkQA <gi...@git.apache.org>.
Github user SparkQA commented on the pull request:

    https://github.com/apache/spark/pull/13218#issuecomment-220592464
  
    **[Test build #58986 has finished](https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/58986/consoleFull)** for PR 13218 at commit [`93b1c6f`](https://github.com/apache/spark/commit/93b1c6f7f75b8b32246d1949e775ac091b02a7e3).
     * This patch **fails MiMa tests**.
     * This patch merges cleanly.
     * This patch adds no public classes.




[GitHub] spark pull request: [SPARK-15440] [Core] [Deploy] Add CSRF Filter ...

Posted by SparkQA <gi...@git.apache.org>.
Github user SparkQA commented on the pull request:

    https://github.com/apache/spark/pull/13218#issuecomment-220552432
  
    **[Test build #58965 has finished](https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/58965/consoleFull)** for PR 13218 at commit [`93b1c6f`](https://github.com/apache/spark/commit/93b1c6f7f75b8b32246d1949e775ac091b02a7e3).
     * This patch **fails Spark unit tests**.
     * This patch merges cleanly.
     * This patch adds no public classes.




[GitHub] spark pull request: [SPARK-15440] [Core] [Deploy] Add CSRF Filter ...

Posted by SparkQA <gi...@git.apache.org>.
Github user SparkQA commented on the pull request:

    https://github.com/apache/spark/pull/13218#issuecomment-220534995
  
    **[Test build #58965 has started](https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/58965/consoleFull)** for PR 13218 at commit [`93b1c6f`](https://github.com/apache/spark/commit/93b1c6f7f75b8b32246d1949e775ac091b02a7e3).




[GitHub] spark pull request: [SPARK-15440] [Core] [Deploy] Add CSRF Filter ...

Posted by AmplabJenkins <gi...@git.apache.org>.
Github user AmplabJenkins commented on the pull request:

    https://github.com/apache/spark/pull/13218#issuecomment-220552640
  
    Test FAILed.
    Refer to this link for build results (access rights to CI server needed): 
    https://amplab.cs.berkeley.edu/jenkins//job/SparkPullRequestBuilder/58965/
    Test FAILed.




[GitHub] spark issue #13218: [SPARK-15440] [Core] [Deploy] Add CSRF Filter for REST A...

Posted by vanzin <gi...@git.apache.org>.
Github user vanzin commented on the issue:

    https://github.com/apache/spark/pull/13218
  
    @andrewor14 might be able to comment on compatibility; enabling this by default might cause previous spark-submit versions to not be able to submit to the newer server, although with the "major version" change I don't know how important that is.
    
    I don't think the live UI or history server have any POST endpoints. This could be added there but would really do anything.




[GitHub] spark pull request: [SPARK-15440] [Core] [Deploy] Add CSRF Filter ...

Posted by yanboliang <gi...@git.apache.org>.
Github user yanboliang commented on the pull request:

    https://github.com/apache/spark/pull/13218#issuecomment-220578931
  
    @jerryshao Yes, the Spark live UI and history UI should use form-post CSRF protection, which is different from REST protection. I will do it in a separate task.




[GitHub] spark pull request: [SPARK-15440] [Core] [Deploy] Add CSRF Filter ...

Posted by srowen <gi...@git.apache.org>.
Github user srowen commented on the pull request:

    https://github.com/apache/spark/pull/13218#issuecomment-220574588
  
    I don't get what this does or why it fixes something -- is there a reference? It just seems like it adds a header that anyone could add.




[GitHub] spark issue #13218: [SPARK-15440] [Core] [Deploy] Add CSRF Filter for REST A...

Posted by yanboliang <gi...@git.apache.org>.
Github user yanboliang commented on the issue:

    https://github.com/apache/spark/pull/13218
  
    Updated PR at #14052, close this one.




[GitHub] spark pull request: [SPARK-15440] [Core] [Deploy] Add CSRF Filter ...

Posted by srowen <gi...@git.apache.org>.
Github user srowen commented on the pull request:

    https://github.com/apache/spark/pull/13218#issuecomment-220582880
  
    I haven't seen this used for CSRF before. It is simple and I get the basic attacks it prevents. It does mean a breaking change to the API and means browser-based POSTs to the API no longer work... or does it? I can add this header with a request I form with javascript. If I can get a user to request a link I want them to, can't I do the same to subvert this protection?




[GitHub] spark issue #13218: [SPARK-15440] [Core] [Deploy] Add CSRF Filter for REST A...

Posted by steveloughran <gi...@git.apache.org>.
Github user steveloughran commented on the issue:

    https://github.com/apache/spark/pull/13218
  
    I can see there is fear of breaking things, especially with third-party clients. There's also the risk of cross-version submissions; the REST API is meant to be stable enough for backwards compatibility. Adding a mandatory new header will break things.
    
    At the same time, it's something to defend against.
    
    What about having 
    
    1. the clients always send the header.
    1. the server having the option to install the filter.
    1. the security docs discussing this.
    1. the REST API docs pointing to that section.
    
    With the clients always posting the header, they're going to work with endpoints where the filter is turned on, and yet still work with those where it is turned off. The biggest impact here is that 1+ test cases of the REST API will have to turn on that filter, while others will need to have it disabled, so that both submission paths can be checked.
    
    There's a side issue: should OPTIONS and TRACE be allowed anyway? They're generally filtered on the basis that all they can do is expose unintentional security holes. That said, Hadoop SPNEGO auth usually does an OPTIONS call to open the negotiation over a new ticket — purely because it is so harmless in day-to-day HTTP.




[GitHub] spark pull request: [SPARK-15440] [Core] [Deploy] Add CSRF Filter ...

Posted by yanboliang <gi...@git.apache.org>.
Github user yanboliang commented on the pull request:

    https://github.com/apache/spark/pull/13218#issuecomment-220590376
  
    Jenkins, test this please.




[GitHub] spark pull request: [SPARK-15440] [Core] [Deploy] Add CSRF Filter ...

Posted by yanboliang <gi...@git.apache.org>.
Github user yanboliang commented on the pull request:

    https://github.com/apache/spark/pull/13218#issuecomment-220579938
  
    @srowen A CSRF attack can force the user to perform state-changing requests like transferring funds, changing their email address, and so forth. So CSRF protection is very important for the Spark UI and REST API. We have done similar work to protect components in Hadoop at https://issues.apache.org/jira/browse/HADOOP-12691 . You can refer to https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) and https://issues.apache.org/jira/secure/attachment/12781473/CSRFProtectionforRESTAPIs.pdf for more information. Thanks!




[GitHub] spark pull request: [SPARK-15440] [Core] [Deploy] Add CSRF Filter ...

Posted by AmplabJenkins <gi...@git.apache.org>.
Github user AmplabJenkins commented on the pull request:

    https://github.com/apache/spark/pull/13218#issuecomment-220621981
  
    Merged build finished. Test PASSed.




[GitHub] spark pull request: [SPARK-15440] [Core] [Deploy] Add CSRF Filter ...

Posted by AmplabJenkins <gi...@git.apache.org>.
Github user AmplabJenkins commented on the pull request:

    https://github.com/apache/spark/pull/13218#issuecomment-220621985
  
    Test PASSed.
    Refer to this link for build results (access rights to CI server needed): 
    https://amplab.cs.berkeley.edu/jenkins//job/SparkPullRequestBuilder/58990/
    Test PASSed.




[GitHub] spark pull request: [SPARK-15440] [Core] [Deploy] Add CSRF Filter ...

Posted by yanboliang <gi...@git.apache.org>.
Github user yanboliang commented on the pull request:

    https://github.com/apache/spark/pull/13218#issuecomment-220594829
  
    @srowen 
    1. The CSRF protection is for the REST API, so it is different from other CSRF protection methods, because the REST API is called from a user endpoint and the server can't set something like a random token beforehand, which other CSRF methods must use.
    2. Why adding a custom header is useful: in an HTML page, the only way to create an HTTP request with a custom header is using XMLHttpRequest or Flash, but the browser has a security policy called the same-origin policy which prevents HTTP requests from being sent to a URL on another domain.


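The header-presence check described in the PR description and in yanboliang's reply above, modelled as an added Python illustration (not the PR's Scala filter): the server rejects state-changing requests that lack the custom header, and a simplified browser model shows why a cross-site page cannot supply it without an explicit CORS allowance. The Request/Response types, the exempt-method set, the `enabled` switch, the CORS model and the origins are assumptions made here; only the header name comes from the PR.

```python
# Added illustration (Python, not the PR's Scala code) of the header-presence
# CSRF check and of the browser rule that makes it meaningful. Assumed here:
# the Request/Response types, the exempt-method set, the enabled switch and
# the CORS model; the header name is the one in the PR's scaladoc.
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, Optional

CSRF_HEADER = "X-XSRF-HEADER"
# Assumption: only methods that cannot change state skip the check. The PR
# text does not list them; OPTIONS/TRACE handling was an open review question.
SAFE_METHODS: FrozenSet[str] = frozenset({"GET", "HEAD"})


@dataclass
class Request:
    method: str
    path: str
    origin: str  # origin of the page (or client) that issued the request
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str = ""


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive, so compare them that way."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


class RestCsrfPreventionFilter:
    """Server side: reject state-changing requests that lack the header.

    enabled=False models the opt-in switch reviewers asked for, so clients
    that never send the header keep working until the filter is turned on.
    """

    def __init__(self, enabled: bool = True, header: str = CSRF_HEADER,
                 safe_methods: FrozenSet[str] = SAFE_METHODS) -> None:
        self.enabled = enabled
        self.header = header
        self.safe_methods = safe_methods

    def do_filter(self, req: Request,
                  chain: Callable[[Request], Response]) -> Response:
        if not self.enabled or req.method.upper() in self.safe_methods:
            return chain(req)
        if get_header(req.headers, self.header) is None:
            # Same outcome as the PR's scaladoc describes: a bad request.
            return Response(400, "Missing required header for CSRF protection")
        return chain(req)


def browser_can_send(req: Request, api_origin: str,
                     cors_allowed_headers: FrozenSet[str]) -> bool:
    """Browser side: a simplified model of the same-origin policy.

    An HTML form post cannot carry custom headers at all. XMLHttpRequest can
    set one, but for a cross-origin target the browser first sends a CORS
    preflight and only proceeds if the API's policy lists that header in
    Access-Control-Allow-Headers. Cookies are attached in every case, which
    is why the header, not the cookie, is the evidence of a legitimate caller.
    """
    custom = {k.lower() for k in req.headers} - {"cookie", "content-type"}
    if req.origin == api_origin or not custom:
        return True
    return custom <= {h.lower() for h in cors_allowed_headers}


def submit(req: Request, api_origin: str, filt: RestCsrfPreventionFilter,
           cors_allowed_headers: FrozenSet[str] = frozenset()) -> Response:
    """Run a request through the browser model, then the server filter."""
    if not browser_can_send(req, api_origin, cors_allowed_headers):
        return Response(0, "blocked by the browser before reaching the server")
    return filt.do_filter(req, lambda r: Response(200, "submission accepted"))


# Constructed sample traffic; the victim's browser attaches its cookie to all.
API = "https://spark-master.example:6066"
CREATE = "/v1/submissions/create"
CROSS_SITE_FORM = Request("POST", CREATE, "https://other-site.example",
                          {"Cookie": "s=1", "Content-Type": "application/x-www-form-urlencoded"})
SAME_ORIGIN_XHR = Request("POST", CREATE, API, {"Cookie": "s=1", "x-xsrf-header": "1"})
CROSS_ORIGIN_XHR = Request("POST", CREATE, "https://other-site.example",
                           {"Cookie": "s=1", "X-XSRF-HEADER": "1"})
STATUS_GET = Request("GET", "/v1/submissions/status/driver-1", "https://other-site.example")
```

Run `submit(CROSS_SITE_FORM, API, RestCsrfPreventionFilter())` and the form post is turned away with 400, while the same request with the filter disabled is accepted, which is the compatibility trade-off the reviewers are weighing.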


[GitHub] spark pull request: [SPARK-15440] [Core] [Deploy] Add CSRF Filter ...

Posted by AmplabJenkins <gi...@git.apache.org>.
Github user AmplabJenkins commented on the pull request:

    https://github.com/apache/spark/pull/13218#issuecomment-220592491
  
    Test FAILed.
    Refer to this link for build results (access rights to CI server needed): 
    https://amplab.cs.berkeley.edu/jenkins//job/SparkPullRequestBuilder/58986/
    Test FAILed.




[GitHub] spark issue #13218: [SPARK-15440] [Core] [Deploy] Add CSRF Filter for REST A...

Posted by zjffdu <gi...@git.apache.org>.
Github user zjffdu commented on the issue:

    https://github.com/apache/spark/pull/13218
  
    Just quickly went through the PR. I think we can add an option to enable CSRF protection, and by default it could be false so that we don't introduce incompatibility and break existing applications.




[GitHub] spark pull request: [SPARK-15440] [Core] [Deploy] Add CSRF Filter ...

Posted by SparkQA <gi...@git.apache.org>.
Github user SparkQA commented on the pull request:

    https://github.com/apache/spark/pull/13218#issuecomment-220621668
  
    **[Test build #58990 has finished](https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder/58990/consoleFull)** for PR 13218 at commit [`93b1c6f`](https://github.com/apache/spark/commit/93b1c6f7f75b8b32246d1949e775ac091b02a7e3).
     * This patch passes all tests.
     * This patch merges cleanly.
     * This patch adds no public classes.




[GitHub] spark pull request #13218: [SPARK-15440] [Core] [Deploy] Add CSRF Filter for...

Posted by yanboliang <gi...@git.apache.org>.
Github user yanboliang closed the pull request at:

    https://github.com/apache/spark/pull/13218




[GitHub] spark pull request #13218: [SPARK-15440] [Core] [Deploy] Add CSRF Filter for...

Posted by steveloughran <gi...@git.apache.org>.
Github user steveloughran commented on a diff in the pull request:

    https://github.com/apache/spark/pull/13218#discussion_r67489509
  
    --- Diff: core/src/main/scala/org/apache/spark/deploy/rest/RestCsrfPreventionFilter.scala ---
    @@ -0,0 +1,56 @@
    +/*
    + * Licensed to the Apache Software Foundation (ASF) under one or more
    + * contributor license agreements.  See the NOTICE file distributed with
    + * this work for additional information regarding copyright ownership.
    + * The ASF licenses this file to You under the Apache License, Version 2.0
    + * (the "License"); you may not use this file except in compliance with
    + * the License.  You may obtain a copy of the License at
    + *
    + *    http://www.apache.org/licenses/LICENSE-2.0
    + *
    + * Unless required by applicable law or agreed to in writing, software
    + * distributed under the License is distributed on an "AS IS" BASIS,
    + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    +* See the License for the specific language governing permissions and
    + * limitations under the License.
    + */
    +
    +package org.apache.spark.deploy.rest
    +
    +import javax.servlet._
    +import javax.servlet.http.{HttpServletRequest, HttpServletResponse}
    +
    +/**
    + * This filter provides protection against cross site request forgery (CSRF)
    + * attacks for REST APIs. Enabling this filter on an endpoint results in the
    + * requirement of all client to send a particular HTTP header (X-XSRF-HEADER)
    + * with every request. In the absense of this header the filter will reject the
    + * attempt as a bad request.
    + */
    +private[spark] class RestCsrfPreventionFilter extends Filter {
    +
    +  import RestCsrfPreventionFilter._
    +
    +  def init(filterConfig: FilterConfig): Unit = {}
    +
    +  def doFilter(
    +      servletRequest: ServletRequest,
    +      servletResponse: ServletResponse,
    +      filterChain: FilterChain): Unit = {
    +    val httpReq = servletRequest.asInstanceOf[HttpServletRequest]
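    Review bot: the scaladoc in this hunk has two typos ("all client" should be "all clients", "absense" should be "absence") and names the header `X-XSRF-HEADER` while the PR description calls it `X-XSRF-Header`; the two should agree, ideally by pointing at the constant the class pulls in via `import RestCsrfPreventionFilter._` (not shown in this hunk). The scaladoc also says the header is required "with every request"; if safe methods such as GET are exempted elsewhere in the filter, state that here, since clients polling status endpoints need to know. The license line `+* See the License` is missing its leading space. Finally, `servletRequest.asInstanceOf[HttpServletRequest]` on the hunk's last line is an unchecked cast; a pattern match that passes (or rejects) a non-HTTP `ServletRequest` explicitly would be more defensive than a `ClassCastException`.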
    --- End diff --
    
    To be strict here, there ought to be a check for the request being an `HttpServletRequest`. That said, there is no other subclass of `ServletRequest` which is ever seen in the wild.




[GitHub] spark pull request: [SPARK-15440] [Core] [Deploy] Add CSRF Filter ...

Posted by yanboliang <gi...@git.apache.org>.
Github user yanboliang commented on the pull request:

    https://github.com/apache/spark/pull/13218#issuecomment-220594882
  
    Jenkins, test this please.




[GitHub] spark pull request: [SPARK-15440] [Core] [Deploy] Add CSRF Filter ...

Posted by AmplabJenkins <gi...@git.apache.org>.
Github user AmplabJenkins commented on the pull request:

    https://github.com/apache/spark/pull/13218#issuecomment-220552639
  
    Merged build finished. Test FAILed.

