You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@hbase.apache.org by st...@apache.org on 2018/10/18 21:09:20 UTC

hbase git commit: HBASE-21275 - Disable TRACE HTTP method for thrift http server (branch 1 only)

Repository: hbase
Updated Branches:
  refs/heads/branch-1.4 8c1572f87 -> 012ec17bd


HBASE-21275 - Disable TRACE HTTP method for thrift http server (branch 1 only)


Project: http://git-wip-us.apache.org/repos/asf/hbase/repo
Commit: http://git-wip-us.apache.org/repos/asf/hbase/commit/012ec17b
Tree: http://git-wip-us.apache.org/repos/asf/hbase/tree/012ec17b
Diff: http://git-wip-us.apache.org/repos/asf/hbase/diff/012ec17b

Branch: refs/heads/branch-1.4
Commit: 012ec17bd9e48a639c0cd170626cba414e5ba4b3
Parents: 8c1572f
Author: Wellington Chevreuil <we...@ChevreuilWellington-MBP15.local>
Authored: Wed Oct 17 12:11:41 2018 +0100
Committer: Michael Stack <st...@apache.org>
Committed: Thu Oct 18 14:06:25 2018 -0700

----------------------------------------------------------------------
 .../hadoop/hbase/thrift/ThriftServerRunner.java | 10 ++-
 .../hbase/thrift/TestThriftHttpServer.java      | 66 ++++++++++++++++++--
 2 files changed, 69 insertions(+), 7 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/hbase/blob/012ec17b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
----------------------------------------------------------------------
diff --git a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
index 07c18a7..3532ab5 100644
--- a/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
+++ b/hbase-thrift/src/main/java/org/apache/hadoop/hbase/thrift/ThriftServerRunner.java
@@ -100,6 +100,7 @@ import org.apache.hadoop.hbase.thrift.generated.TScan;
 import org.apache.hadoop.hbase.util.Bytes;
 import org.apache.hadoop.hbase.util.ConnectionCache;
 import org.apache.hadoop.hbase.util.DNS;
+import org.apache.hadoop.hbase.util.HttpServerUtil;
 import org.apache.hadoop.hbase.util.JvmPauseMonitor;
 import org.apache.hadoop.hbase.util.Strings;
 import org.apache.hadoop.security.SaslRpcServer.SaslGssCallbackHandler;
@@ -128,6 +129,7 @@ import org.mortbay.jetty.Server;
 import org.mortbay.jetty.nio.SelectChannelConnector;
 import org.mortbay.jetty.servlet.Context;
 import org.mortbay.jetty.servlet.ServletHolder;
+import org.mortbay.jetty.webapp.WebAppContext;
 import org.mortbay.thread.QueuedThreadPool;
 
 import com.google.common.base.Joiner;
@@ -205,6 +207,9 @@ public class ThriftServerRunner implements Runnable {
 
   private final JvmPauseMonitor pauseMonitor;
 
+  static String THRIFT_HTTP_ALLOW_OPTIONS_METHOD = "hbase.thrift.http.allow.options.method";
+  private static boolean THRIFT_HTTP_ALLOW_OPTIONS_METHOD_DEFAULT = false;
+
   /** An enum of server implementation selections */
   enum ImplType {
     HS_HA("hsha", true, THsHaServer.class, true),
@@ -417,11 +422,14 @@ public class ThriftServerRunner implements Runnable {
 
     httpServer = new Server();
     // Context handler
-    Context context = new Context(httpServer, "/", Context.SESSIONS);
+    Context context = new WebAppContext();
     context.setContextPath("/");
+    context.setResourceBase("hbase-webapps/");
     String httpPath = "/*";
     httpServer.setHandler(context);
     context.addServlet(new ServletHolder(thriftHttpServlet), httpPath);
+    HttpServerUtil.constrainHttpMethods(context,
+        conf.getBoolean(THRIFT_HTTP_ALLOW_OPTIONS_METHOD, THRIFT_HTTP_ALLOW_OPTIONS_METHOD_DEFAULT));
 
     // set up Jetty and run the embedded server
     Connector connector = new SelectChannelConnector();

http://git-wip-us.apache.org/repos/asf/hbase/blob/012ec17b/hbase-thrift/src/test/java/org/apache/hadoop/hbase/thrift/TestThriftHttpServer.java
----------------------------------------------------------------------
diff --git a/hbase-thrift/src/test/java/org/apache/hadoop/hbase/thrift/TestThriftHttpServer.java b/hbase-thrift/src/test/java/org/apache/hadoop/hbase/thrift/TestThriftHttpServer.java
index cf14e87..b21de38 100644
--- a/hbase-thrift/src/test/java/org/apache/hadoop/hbase/thrift/TestThriftHttpServer.java
+++ b/hbase-thrift/src/test/java/org/apache/hadoop/hbase/thrift/TestThriftHttpServer.java
@@ -18,10 +18,13 @@
  */
 package org.apache.hadoop.hbase.thrift;
 
+import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.fail;
 
+import java.net.HttpURLConnection;
+import java.net.URL;
 import java.util.ArrayList;
 import java.util.List;
 
@@ -149,6 +152,46 @@ public class TestThriftHttpServer {
     runThriftServer(0);
   }
 
+  @Test
+  public void testThriftServerHttpTraceForbiddenWhenOptionsDisabled() throws Exception {
+    // HTTP TRACE method should be disabled for security
+    // See https://www.owasp.org/index.php/Cross_Site_Tracing
+    checkHttpMethods("TRACE", HttpURLConnection.HTTP_FORBIDDEN);
+  }
+
+  @Test
+  public void testThriftServerHttpTraceForbiddenWhenOptionsEnabled() throws Exception {
+    // HTTP TRACE method should be disabled for security
+    // See https://www.owasp.org/index.php/Cross_Site_Tracing
+    TEST_UTIL.getConfiguration().setBoolean(ThriftServerRunner.THRIFT_HTTP_ALLOW_OPTIONS_METHOD,
+        true);
+    checkHttpMethods("TRACE", HttpURLConnection.HTTP_FORBIDDEN);
+  }
+
+  @Test
+  public void testThriftServerHttpOptionsForbiddenWhenOptionsDisabled() throws Exception {
+    // HTTP OPTIONS method should be disabled by default, so we make sure
+    // hbase.thrift.http.allow.options.method is not set anywhere in the config
+    TEST_UTIL.getConfiguration().unset(ThriftServerRunner.THRIFT_HTTP_ALLOW_OPTIONS_METHOD);
+    checkHttpMethods("OPTIONS", HttpURLConnection.HTTP_FORBIDDEN);
+  }
+
+  @Test
+  public void testThriftServerHttpOptionsOkWhenOptionsEnabled() throws Exception {
+    TEST_UTIL.getConfiguration().setBoolean(ThriftServerRunner.THRIFT_HTTP_ALLOW_OPTIONS_METHOD,
+        true);
+    checkHttpMethods("OPTIONS", HttpURLConnection.HTTP_OK);
+  }
+
+  private void waitThriftServerStartup() throws Exception{
+    // wait up to 10s for the server to start
+    for (int i = 0; i < 100
+        && ( thriftServer.serverRunner == null ||  thriftServer.serverRunner.httpServer ==
+        null); i++) {
+      Thread.sleep(100);
+    }
+  }
+
   private void runThriftServer(int customHeaderSize) throws Exception {
     List<String> args = new ArrayList<String>();
     port = HBaseTestingUtility.randomFreePort();
@@ -159,12 +202,7 @@ public class TestThriftHttpServer {
     thriftServer = new ThriftServer(TEST_UTIL.getConfiguration());
     startHttpServerThread(args.toArray(new String[args.size()]));
 
-    // wait up to 10s for the server to start
-    for (int i = 0; i < 100
-        && ( thriftServer.serverRunner == null ||  thriftServer.serverRunner.httpServer ==
-        null); i++) {
-      Thread.sleep(100);
-    }
+    waitThriftServerStartup();
 
     try {
       talkToThriftServer(customHeaderSize);
@@ -223,4 +261,20 @@ public class TestThriftHttpServer {
       throw new Exception(httpServerException);
     }
   }
+
+  private void checkHttpMethods(String httpRequestMethod,
+      int httpExpectedResponse) throws Exception {
+    port = HBaseTestingUtility.randomFreePort();
+    thriftServer = new ThriftServer(TEST_UTIL.getConfiguration());
+    try {
+      startHttpServerThread(new String[] { "-port", String.valueOf(port), "start" });
+      waitThriftServerStartup();
+      final URL url = new URL("http://"+ HConstants.LOCALHOST + ":" + port);
+      final HttpURLConnection httpConn = (HttpURLConnection) url.openConnection();
+      httpConn.setRequestMethod(httpRequestMethod);
+      assertEquals(httpExpectedResponse, httpConn.getResponseCode());
+    } finally {
+      stopHttpServerThread();
+    }
+  }
 }