Posted to reviews@spark.apache.org by "chenyu-opensource (via GitHub)" <gi...@apache.org> on 2023/09/28 08:49:50 UTC

[GitHub] [spark] chenyu-opensource opened a new pull request, #43169: [SPARK-45273][CORE][UI] Support for set the access host in http header

chenyu-opensource opened a new pull request, #43169:
URL: https://github.com/apache/spark/pull/43169

   **What changes were proposed in this pull request?**
   The PR adds support for setting the access host in the HTTP header.
   
   **Why are the changes needed?**
   It can avoid HTTP header attacks.
   
   **Does this PR introduce any user-facing change?**
   No
   
   **How was this patch tested?**
   Added a new test.
   
   **Was this patch authored or co-authored using generative AI tooling?**
   No


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org


[GitHub] [spark] srowen commented on pull request #43169: [SPARK-45273][CORE][UI] Support for set the access host in http header

Posted by "srowen (via GitHub)" <gi...@apache.org>.
srowen commented on PR #43169:
URL: https://github.com/apache/spark/pull/43169#issuecomment-1739094351

   I don't see any explanation of what this does or why it is useful




Re: [PR] [SPARK-45273][CORE][UI] Support for set the access host in http header [spark]

Posted by "srowen (via GitHub)" <gi...@apache.org>.
srowen commented on PR #43169:
URL: https://github.com/apache/spark/pull/43169#issuecomment-1752893775

   How does this arise? Use private@spark.apache.org if needed. I am not clear what attack you have in mind or whether it can affect Spark, so, no, this would not be useful unless there's an argument it solves something.




Re: [PR] [SPARK-45273][CORE][UI] Support for set the access host in http header [spark]

Posted by "srowen (via GitHub)" <gi...@apache.org>.
srowen closed pull request #43169: [SPARK-45273][CORE][UI] Support for set the access host in http header
URL: https://github.com/apache/spark/pull/43169




Re: [PR] [SPARK-45273][CORE][UI] Support for set the access host in http header [spark]

Posted by "chenyu-opensource (via GitHub)" <gi...@apache.org>.
chenyu-opensource commented on PR #43169:
URL: https://github.com/apache/spark/pull/43169#issuecomment-1752228156

   > There is still no explanation of what problem this solves
   
   An HTTP Host header attack is a network security vulnerability that utilizes the "Host" header in HTTP requests. The Host header in the HTTP protocol is used to identify the target server of the HTTP request, indicating which host name or IP address the client wants to use to access the web application.
   
   If the server directly trusts the Host header without verifying its legitimacy, an attacker may use this controllable variable to inject a Host value and manipulate the server's behavior.
   
   This PR uses a whitelist method to solve this problem.


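The comment above describes the mechanism in general terms: a Host allowlist applied before any handler can use the client-supplied value. The block below is an added illustration of that kind of filter written for this page; it is not code from Apache Spark or from PR #43169, and the names HostAllowlist, parse_host, check_host and absolute_url, the comma-separated config format, and the sample allowlist entries are this example's own assumptions. It validates the Host value strictly (DNS-style names, IPv4 literals, bracketed IPv6 literals, optional numeric port) before matching, so spellings such as a trailing dot or an embedded "@" are rejected rather than compared, and it shows the kind of handler the check protects: one that builds an absolute URL from the Host value. It does not answer the reviewer's question of whether Spark's UI reflects the Host header anywhere, and it checks only the Host header itself; a proxy-supplied X-Forwarded-Host would need its own trust decision.

```python
"""Host-header allowlist filter: a standalone illustration of the check
described in the thread. Added example, not code from Apache Spark or from
PR #43169; every name here is this example's own."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Lower-cased DNS labels only: letters, digits, hyphens, dots. No trailing dot,
# no '@', '/', spaces or Unicode, so confusable spellings never reach the match.
_HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$")
_PORT_RE = re.compile(r"^[0-9]{1,5}$")  # str.isdigit() would accept Unicode digits


def parse_host(value: str) -> tuple[str, int | None]:
    """Split 'host', 'host:port', '[v6]' or '[v6]:port' into (host, port).
    Raises ValueError for anything else; the caller turns that into a reject."""
    value = value.strip()
    if value.startswith("["):                            # bracketed IPv6 literal
        end = value.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 literal")
        host = str(ipaddress.IPv6Address(value[1:end]))  # validates and canonicalises
        rest = value[end + 1:]
        if rest == "":
            return host, None
        if not rest.startswith(":"):
            raise ValueError("unexpected text after IPv6 literal")
        port_text = rest[1:]
    else:
        host, sep, port_text = value.partition(":")
        host = host.lower()
        if not _HOSTNAME_RE.match(host):
            raise ValueError(f"invalid host name {host!r}")
        if not sep:
            return host, None
    if not _PORT_RE.match(port_text) or not 1 <= int(port_text) <= 65535:
        raise ValueError(f"invalid port {port_text!r}")
    return host, int(port_text)


@dataclass(frozen=True)
class HostAllowlist:
    """Entries from a comma-separated config value (assumed format): 'host:port'
    pins the port, 'host' allows any port, '*.suffix' allows any subdomain."""
    entries: tuple[tuple[str, int | None], ...]

    @classmethod
    def parse(cls, raw: str) -> HostAllowlist:
        entries = []
        for item in filter(None, (s.strip() for s in raw.split(","))):
            if item.startswith("*."):
                suffix, port = parse_host(item[2:])
                entries.append(("*." + suffix, port))
            else:
                entries.append(parse_host(item))
        return cls(tuple(entries))

    def permits(self, host: str, port: int | None) -> bool:
        for pattern, want_port in self.entries:
            if want_port is not None and want_port != port:
                continue
            if pattern.startswith("*."):
                if host.endswith(pattern[1:]):   # matches 'a.example.net', not 'example.net'
                    return True
            elif host == pattern:
                return True
        return False


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def check_host(headers: dict[str, str], allowlist: HostAllowlist) -> Verdict:
    """The filter step, run before any handler that might echo the Host value.
    Header names match case-insensitively; a missing Host is rejected."""
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("host")
    if raw is None:
        return Verdict(False, "missing Host header")
    try:
        host, port = parse_host(raw)
    except ValueError as exc:
        return Verdict(False, f"malformed Host header: {exc}")
    if not allowlist.permits(host, port):
        return Verdict(False, f"Host {host!r} port {port!r} not in allowlist")
    return Verdict(True, "ok")


def absolute_url(headers: dict[str, str], path: str, allowlist: HostAllowlist) -> str:
    """What the check protects: a handler that builds a link (redirect, reset
    link, cacheable page) from the client-supplied Host. Without the guard the
    attacker's Host value would land in the generated URL."""
    verdict = check_host(headers, allowlist)
    if not verdict.allowed:
        raise PermissionError(verdict.reason)   # stands in for the filter's 400 response
    host = {k.lower(): v for k, v in headers.items()}["host"].strip()
    return f"http://{host}{path}"


if __name__ == "__main__":
    # Constructed sample config and requests, not taken from any real deployment.
    allow = HostAllowlist.parse("spark-master.internal:8080, *.example.net, [::1]:4040")
    for hdrs in ({"Host": "spark-master.internal:8080"}, {"Host": "attacker.example"}):
        print(hdrs, check_host(hdrs, allow))
```

Matching is done on the parsed (host, port) pair rather than on the raw string, so case differences and IPv6 spelling variants cannot slip past an entry, and an entry without a port deliberately accepts any port, which is the right default only when the listener port is not itself security-relevant.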


Re: [PR] [SPARK-45273][CORE][UI] Support for set the access host in http header [spark]

Posted by "srowen (via GitHub)" <gi...@apache.org>.
srowen commented on PR #43169:
URL: https://github.com/apache/spark/pull/43169#issuecomment-1752068415

   There is still no explanation of what problem this solves




Re: [PR] [SPARK-45273][CORE][UI] Support for set the access host in http header [spark]

Posted by "chenyu-opensource (via GitHub)" <gi...@apache.org>.
chenyu-opensource commented on PR #43169:
URL: https://github.com/apache/spark/pull/43169#issuecomment-1752551346

   > Attack _what_?
   
   It may cause the transmission of malicious code, and it may cause cache pollution and password reset.
   I have already used this method to solve this problem in the production environment, and after vulnerability scanning, the problem did not occur.
   




Re: [PR] [SPARK-45273][CORE][UI] Support for set the access host in http header [spark]

Posted by "beliefer (via GitHub)" <gi...@apache.org>.
beliefer commented on PR #43169:
URL: https://github.com/apache/spark/pull/43169#issuecomment-1751638530

   @chenyu-opensource Please add more detail in description.




Re: [PR] [SPARK-45273][CORE][UI] Support for set the access host in http header [spark]

Posted by "srowen (via GitHub)" <gi...@apache.org>.
srowen commented on PR #43169:
URL: https://github.com/apache/spark/pull/43169#issuecomment-1752235011

   What 'trusts' a host header in Spark? What happens if it's spoofed?
   This is still not explaining the issue.




Re: [PR] [SPARK-45273][CORE][UI] Support for set the access host in http header [spark]

Posted by "srowen (via GitHub)" <gi...@apache.org>.
srowen commented on PR #43169:
URL: https://github.com/apache/spark/pull/43169#issuecomment-1752256992

   Attack _what_? 




[GitHub] [spark] chenyu-opensource commented on pull request #43169: [SPARK-45273][CORE][UI] Support for set the access host in http header

Posted by "chenyu-opensource (via GitHub)" <gi...@apache.org>.
chenyu-opensource commented on PR #43169:
URL: https://github.com/apache/spark/pull/43169#issuecomment-1738745045

   Please give me a review when you have time, @srowen.
   Thank you so much.




Re: [PR] [SPARK-45273][CORE][UI] Support for set the access host in http header [spark]

Posted by "chenyu-opensource (via GitHub)" <gi...@apache.org>.
chenyu-opensource commented on PR #43169:
URL: https://github.com/apache/spark/pull/43169#issuecomment-1752241889

   > What 'trusts' a host header in Spark? what happens if it's spoofed? This is still not explaining the issue.
   
   What I mean is that there are no restrictions on request headers in Spark itself, which means that the client can freely pass them through to the server, so attackers can use this variable parameter to attack.
   This PR helps us so that when the 'host' parameter is set in the HTTP request header, we can verify this parameter instead of directly letting it pass.




Re: [PR] [SPARK-45273][CORE][UI] Support for set the access host in http header [spark]

Posted by "chenyu-opensource (via GitHub)" <gi...@apache.org>.
chenyu-opensource commented on PR #43169:
URL: https://github.com/apache/spark/pull/43169#issuecomment-1751929641

   > I don't see any explanation of what this does or why it is useful
   
   I have submitted a new commit for the description.
   This PR is to solve the problem of request header attacks. We should add filtering logic to set an access whitelist for request headers.
   
   

