Posted to yarn-issues@hadoop.apache.org by "Tamas Domok (Jira)" <ji...@apache.org> on 2021/09/30 08:47:00 UTC

[jira] [Created] (YARN-10972) Remove stack traces from Jetty's response for Security Reasons

Tamas Domok created YARN-10972:
----------------------------------

             Summary: Remove stack traces from Jetty's response for Security Reasons
                 Key: YARN-10972
                 URL: https://issues.apache.org/jira/browse/YARN-10972
             Project: Hadoop YARN
          Issue Type: Improvement
            Reporter: Tamas Domok
            Assignee: Tamas Domok


*HttpServer2* uses the default error handler for Jetty which renders the stack-trace in the response's output. This is a potential security vulnerability.


The stack-trace could be disabled on normal log levels, e.g.:
{code:java}
webAppContext.getErrorHandler().setShowStacks(LOG.isTraceEnabled());
{code}
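As an added example (not code from this issue, from HttpServer2 or from Hadoop), the following stand-alone Jetty 9.4 server applies the suggestion above: its ErrorHandler shows stack traces only while the logger is at TRACE. The class names, the FailingServlet and the port are my own choices; setShowServlet and setShowMessageInTitle are Jetty 9.4 ErrorHandler setters that the issue does not mention. GenericErrorHandler goes one step further than the issue's one-liner: it overrides ErrorHandler.writeErrorPage so that the exception message, which the default page still echoes in its MESSAGE and CAUSED BY rows even with setShowStacks(false), stays in the server log instead of the HTTP body.

```java
import java.io.IOException;
import java.io.Writer;
import javax.servlet.RequestDispatcher;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.ErrorHandler;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/** Hypothetical demo; class and servlet names are not from the issue or Hadoop. */
public class QuietErrorPageDemo {
  private static final Logger LOG = LoggerFactory.getLogger(QuietErrorPageDemo.class);

  /** Always fails, standing in for the URI-parsing failure shown in the issue. */
  public static class FailingServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
      throw new IllegalArgumentException("Illegal character in path: " + req.getRequestURI());
    }
  }

  /**
   * The issue's suggestion: Jetty's default ErrorHandler, with stack traces
   * tied to the TRACE log level. setShowServlet/setShowMessageInTitle are
   * extra Jetty 9.4 setters that also drop the servlet name and the
   * exception text from the HTML title.
   */
  public static ErrorHandler quietErrorHandler() {
    ErrorHandler handler = new ErrorHandler();
    handler.setShowStacks(LOG.isTraceEnabled());
    handler.setShowServlet(false);
    handler.setShowMessageInTitle(false);
    return handler;
  }

  /**
   * Stricter variant: the client only sees the status code; the exception
   * and its cause chain go to the server log, where CWE-209 says they belong.
   */
  public static class GenericErrorHandler extends ErrorHandler {
    @Override
    protected void writeErrorPage(HttpServletRequest request, Writer writer, int code,
                                  String message, boolean showStacks) throws IOException {
      Throwable cause = (Throwable) request.getAttribute(RequestDispatcher.ERROR_EXCEPTION);
      LOG.warn("request {} failed with HTTP {}: {}", request.getRequestURI(), code, message, cause);
      writer.write("<html><head><title>Error " + code + "</title></head>"
          + "<body><h2>HTTP ERROR " + code + "</h2></body></html>");
    }
  }

  public static void main(String[] args) throws Exception {
    Server server = new Server(8088); // port taken from the issue's curl commands
    ServletContextHandler ctx = new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
    ctx.setContextPath("/");
    ctx.addServlet(new ServletHolder(new FailingServlet()), "/*");
    // Swap in new GenericErrorHandler() to hide the exception message as well.
    ctx.setErrorHandler(quietErrorHandler());
    server.setHandler(ctx);
    server.start();
    server.join();
  }
}
```

To check the change, request any path with curl as in the issue and confirm that the 500 response body no longer contains a `<pre>` block or `at java.` frames; with the default handler the exception message is still present in the MESSAGE row, which is why the stricter handler exists.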

*Verbose Error Messages*

During the test it was revealed that, for some requests, the server throws an
error exception. The exception message may contain a lot of detailed technical
information, including filenames and absolute paths, but also the libraries,
classes and methods used. This information might be crucial in conducting other,
critical attacks (like Arbitrary File Read, Code Execution or platform-specific
attacks). Such detailed information should be available only to application
developers and system administrators and should never be revealed to the end user.

[https://cwe.mitre.org/data/definitions/209.html]


*Before:*
{code:java}
curl "http://localhost:8088/faces/javax.faces.resource/..\\WEB-INF/web.xml?user.name=tdomok"
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 500 java.lang.IllegalArgumentException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</title>
</head>
<body><h2>HTTP ERROR 500 java.lang.IllegalArgumentException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</h2>
<table>
<tr><th>URI:</th><td>/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr>
<tr><th>STATUS:</th><td>500</td></tr>
<tr><th>MESSAGE:</th><td>java.lang.IllegalArgumentException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr>
<tr><th>SERVLET:</th><td>org.apache.hadoop.http.WebServlet-ccb4b1b</td></tr>
<tr><th>CAUSED BY:</th><td>java.lang.IllegalArgumentException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr>
<tr><th>CAUSED BY:</th><td>java.net.URISyntaxException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr>
</table>
<h3>Caused by:</h3>
<pre>java.lang.IllegalArgumentException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml
	at java.net.URI.create(URI.java:852)
	at javax.ws.rs.core.UriBuilder.fromUri(UriBuilder.java:95)
	at com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:911)
	at com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:875)
	at org.apache.hadoop.yarn.server.resourcemanager.webapp.RMWebAppFilter.doFilter(RMWebAppFilter.java:180)
	at com.sun.jersey.spi.container.servlet.ServletContainer.doFilter(ServletContainer.java:829)
	at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)
	at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
	at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:650)
	at org.apache.hadoop.security.authentication.server.AuthenticationFilter.doFilter(AuthenticationFilter.java:592)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
	at org.apache.hadoop.http.HttpServer2$QuotingInputFilter.doFilter(HttpServer2.java:1827)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
	at org.apache.hadoop.http.NoCacheFilter.doFilter(NoCacheFilter.java:45)
	at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:193)
	at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1601)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:548)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:602)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1434)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:501)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
	at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1349)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
	at org.eclipse.jetty.server.handler.StatisticsHandler.handle(StatisticsHandler.java:179)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
	at org.eclipse.jetty.server.Server.handle(Server.java:516)
	at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:388)
	at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:633)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:380)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
	at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:338)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:315)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:173)
	at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:137)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
	at java.lang.Thread.run(Thread.java:748)
Caused by: java.net.URISyntaxException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml
	at java.net.URI$Parser.fail(URI.java:2847)
	at java.net.URI$Parser.checkChars(URI.java:3020)
	at java.net.URI$Parser.parseHierarchical(URI.java:3104)
	at java.net.URI$Parser.parse(URI.java:3052)
	at java.net.URI.&lt;init&gt;(URI.java:588)
	at java.net.URI.create(URI.java:850)
	... 51 more</pre>
</body></html>
{code}

*After:*
{code:java}
curl "http://localhost:8088/faces/javax.faces.resource/..\\WEB-INF/web.xml?user.name=tdomok"
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 500 java.lang.IllegalArgumentException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</title>
</head>
<body><h2>HTTP ERROR 500 java.lang.IllegalArgumentException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</h2>
<table>
<tr><th>URI:</th><td>/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr>
<tr><th>STATUS:</th><td>500</td></tr>
<tr><th>MESSAGE:</th><td>java.lang.IllegalArgumentException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr>
<tr><th>SERVLET:</th><td>org.apache.hadoop.http.WebServlet-ccb4b1b</td></tr>
<tr><th>CAUSED BY:</th><td>java.lang.IllegalArgumentException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr>
<tr><th>CAUSED BY:</th><td>java.net.URISyntaxException: Illegal character in path at index 51: http://localhost:8088/faces/javax.faces.resource/..\WEB-INF/web.xml</td></tr>
</table></body>
</html>
{code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)