You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@hbase.apache.org by "Enis Soztutar (JIRA)" <ji...@apache.org> on 2016/06/02 19:37:59 UTC
[jira] [Commented] (HBASE-15946) Eliminate possible security
concerns in RS web UI's store file metrics
[ https://issues.apache.org/jira/browse/HBASE-15946?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15312923#comment-15312923 ]
Enis Soztutar commented on HBASE-15946:
---------------------------------------
See the tail of HBASE-7171. [~mantonov] FYI.
> Eliminate possible security concerns in RS web UI's store file metrics
> ----------------------------------------------------------------------
>
> Key: HBASE-15946
> URL: https://issues.apache.org/jira/browse/HBASE-15946
> Project: HBase
> Issue Type: Bug
> Reporter: Sean Mackrory
>
> More from static code analysis: it warns about the invoking of a separate command ("hbase hfile -s -f ...") as a possible security issue in hbase-server/src/main/resources/hbase-webapps/regionserver/storeFile.jsp.
> It looks to me like one cannot inject arbitrary shell script or even arbitrary arguments: ProcessBuilder makes that fairly safe and only allows the user to specify the argument that comes after -f. However that does potentially allow them to have the daemon's user access files they shouldn't be able to touch, albeit only for reading.
> To more explicitly eliminate any threats here, we should add some validation that the file is at least within HBase's root directory and use the Java API directly instead of invoking a separate executable.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)