Posted to jira@kafka.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2018/12/12 01:50:00 UTC

[jira] [Commented] (KAFKA-7715) Connect should have a parameter to disable WADL output for OPTIONS method

    [ https://issues.apache.org/jira/browse/KAFKA-7715?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16718352#comment-16718352 ] 

ASF GitHub Bot commented on KAFKA-7715:
---------------------------------------

avocader opened a new pull request #6025: KAFKA-7715: Added a configuration parameter to Connect which disables WADL output for OPTIONS method.
URL: https://github.com/apache/kafka/pull/6025
 
 
   Currently, the Connect REST endpoint replies to `OPTIONS` requests with verbose WADL information, which could be used for an attack.
   It's not recommended for a production system to expose that information, but for backward-compatibility reasons it may still be available by default, with the possibility to turn it off by setting `rest.wadl.enable=false`.
   
   Added unit tests in `RestServerTest`, which assert that `Content-Type` is `application/vnd.sun.wadl+xml` if `rest.wadl.enable=true` or `rest.wadl.enable` is not set, or `text/plain` otherwise.
   
   ### Committer Checklist (excluded from commit message)
   - [ ] Verify design and implementation 
   - [ ] Verify test coverage and CI build status
   - [ ] Verify documentation (including upgrade notes)
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> Connect should have a parameter to disable WADL output for OPTIONS method
> -------------------------------------------------------------------------
>
>                 Key: KAFKA-7715
>                 URL: https://issues.apache.org/jira/browse/KAFKA-7715
>             Project: Kafka
>          Issue Type: Improvement
>          Components: config, security
>    Affects Versions: 2.1.0
>            Reporter: Oleksandr Diachenko
>            Priority: Critical
>             Fix For: 2.1.1
>
>
> Currently, the Connect REST API exposes WADL output on the OPTIONS method:
> {code:bash}
> curl -i -X OPTIONS http://localhost:8083/connectors
> HTTP/1.1 200 OK
> Date: Fri, 07 Dec 2018 22:51:53 GMT
> Content-Type: application/vnd.sun.wadl+xml
> Allow: HEAD,POST,GET,OPTIONS
> Last-Modified: Fri, 07 Dec 2018 14:51:53 PST
> Content-Length: 1331
> Server: Jetty(9.4.12.v20180830)
> <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
> <application xmlns="http://wadl.dev.java.net/2009/02">
> <doc xmlns:jersey="http://jersey.java.net/" jersey:generatedBy="Jersey: 2.27 2018-04-10 07:34:57"/>
> <grammars>
> <include href="http://localhost:8083/application.wadl/xsd0.xsd">
> <doc title="Generated" xml:lang="en"/>
> </include>
> </grammars>
> <resources base="http://localhost:8083/">
> <resource path="connectors">
> <method id="createConnector" name="POST">
> <request>
> <param xmlns:xs="http://www.w3.org/2001/XMLSchema" name="forward" style="query" type="xs:boolean"/>
> <representation mediaType="application/json"/>
> </request>
> <response>
> <representation mediaType="application/json"/>
> </response>
> </method>
> <method id="listConnectors" name="GET">
> <request>
> <param xmlns:xs="http://www.w3.org/2001/XMLSchema" name="forward" style="query" type="xs:boolean"/>
> </request>
> <response>
> <representation mediaType="application/json"/>
> </response>
> </method>
> </resource>
> </resources>
> </application>
> {code}
> This can be a potential vulnerability, so it makes sense to have a configuration parameter that disables WADL output.
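The following is an added example, not code from the Kafka project or from the issue reporter. It shows what the `OPTIONS` response above gives an attacker and how to check a worker for it: the captured reply from the issue is embedded as a constructed sample, `wadl_exposed` applies the same `Content-Type` distinction the PR's tests rely on, `enumerate_wadl` turns the WADL body into a list of reachable paths, verbs, method ids and query parameters, and `probe` runs the same check against a live worker. The host, port, and all function names are this example's own assumptions.

```python
"""Detect WADL leakage on a Kafka Connect REST worker's OPTIONS reply.

Added example; not code from Apache Kafka or from KAFKA-7715 itself.
The host/port default and every function name here are assumptions.
"""
import http.client
import xml.etree.ElementTree as ET

WADL_MEDIA_TYPE = "application/vnd.sun.wadl+xml"
WADL_NS = "{http://wadl.dev.java.net/2009/02}"

# Constructed sample: the OPTIONS reply pasted in the issue, re-typed as a raw
# HTTP/1.1 message (the Last-Modified and Content-Length headers are omitted).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Fri, 07 Dec 2018 22:51:53 GMT\r\n"
    "Content-Type: application/vnd.sun.wadl+xml\r\n"
    "Allow: HEAD,POST,GET,OPTIONS\r\n"
    "Server: Jetty(9.4.12.v20180830)\r\n"
    "\r\n"
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<application xmlns="http://wadl.dev.java.net/2009/02">'
    '<grammars><include href="http://localhost:8083/application.wadl/xsd0.xsd"/></grammars>'
    '<resources base="http://localhost:8083/">'
    '<resource path="connectors">'
    '<method id="createConnector" name="POST"><request>'
    '<param xmlns:xs="http://www.w3.org/2001/XMLSchema" name="forward" style="query" type="xs:boolean"/>'
    '<representation mediaType="application/json"/></request></method>'
    '<method id="listConnectors" name="GET"><request>'
    '<param xmlns:xs="http://www.w3.org/2001/XMLSchema" name="forward" style="query" type="xs:boolean"/>'
    '</request></method>'
    "</resource></resources></application>"
)


def split_response(raw):
    """Split a raw HTTP/1.1 response into (status line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def wadl_exposed(headers):
    """True when OPTIONS answers with a WADL document instead of a plain Allow list."""
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return ctype == WADL_MEDIA_TYPE


def enumerate_wadl(body):
    """Return what the WADL hands out: (absolute path, HTTP verb, method id, query params)."""
    root = ET.fromstring(body)
    found = []
    for resources in root.iter(WADL_NS + "resources"):
        base = resources.get("base", "")
        # Direct children only; nested <resource> paths are not joined here.
        for resource in resources.findall(WADL_NS + "resource"):
            path = base + resource.get("path", "")
            for method in resource.findall(WADL_NS + "method"):
                params = [p.get("name") for p in method.iter(WADL_NS + "param")
                          if p.get("style") == "query"]
                found.append((path, method.get("name"), method.get("id"), params))
    return found


def probe(host="localhost", port=8083, path="/connectors", timeout=5):
    """Send a real OPTIONS request to a worker; returns (exposed, enumerated endpoints)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        body = resp.read().decode("utf-8", "replace")
    finally:
        conn.close()
    exposed = wadl_exposed(headers)
    return exposed, (enumerate_wadl(body) if exposed else [])


if __name__ == "__main__":
    _, hdrs, body = split_response(SAMPLE_RESPONSE)
    print("WADL exposed:", wadl_exposed(hdrs))
    for path, verb, method_id, params in enumerate_wadl(body):
        print(f"{verb:5} {path}  ({method_id}) query={params}")
```

Run it as-is to see the endpoint map recovered from the sample; call `probe("worker-host", 8083)` to check a real worker. A hardened worker should make `wadl_exposed` return `False`, with `OPTIONS` answering only with the `Allow` header and a non-WADL body.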



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)