Prevent basic authentication over HTTP #3210
Open
luchua-bc wants to merge 1 commit into apache:trunk from luchua-bc:trunk
Conversation
Contributor
It is a functional test, which tests http/https endpoints and is not part of production code.
Author
Thanks @hapylestat for looking into the PR. I understand the class is not part of the production code, however, does it make sense to at least change the default implementation from HTTP to HTTPS? That is, use SERVER_SSL_URL_FORMAT instead of SERVER_URL_FORMAT?
Contributor
@luchua-bc Could you please create the jira ticket and update the PR summary by prepending the issue number?
Author
Thanks @hapylestat for the follow-up. I've created a jira ticket #25588.
What changes were proposed in this pull request?
Sensitive information like username and password shall not be sent over the cleartext HTTP channel. Basic authentication only obfuscates username/password in Base64 encoding, which can be easily recognized and reversed.
The class ambari-funtest/src/test/java/org/apache/ambari/funtest/server/AmbariHttpWebRequest.java sends username and password in basic authentication over an HTTP connection. Sending username and password using the HTTP protocol violates CWE-522 "Insufficiently Protected Credentials". Although the vulnerable class is in the ambari-funtest package, as Ambari is a popular repository of Apache that is watched and used by many users and organizations, whose code could be extended and customized, the issue shall be resolved in my opinion.
How was this patch tested?
The change is minimal and only involves one class.
Please investigate and consider merging the PR as well as opening a security advisory if you agree this is a valid issue.
Thanks,
@luchua-bc
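As an added illustration of the change discussed in this PR (example code, not from the Ambari project), the helper below refuses to build a request URL for Basic authentication unless the scheme is https, and shows why the Base64 encoding of a Basic header offers no protection on its own. The SERVER_URL_FORMAT / SERVER_SSL_URL_FORMAT constants are hypothetical stand-ins for the ones named in the thread; the host and port are constructed sample values.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public final class BasicAuthGuard {
    // Hypothetical stand-ins for the URL format constants mentioned in the PR discussion.
    static final String SERVER_URL_FORMAT = "http://%s:%d";      // cleartext channel
    static final String SERVER_SSL_URL_FORMAT = "https://%s:%d"; // TLS-protected channel

    /** Build the Authorization value exactly as Basic auth does: "Basic " + base64("user:pass"). */
    static String basicHeaderValue(String user, String pass) {
        byte[] pair = (user + ":" + pass).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(pair);
    }

    /** Base64 is an encoding, not encryption: the same header decodes straight back to user:pass. */
    static String decodeBasic(String headerValue) {
        String b64 = headerValue.substring("Basic ".length());
        return new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
    }

    /**
     * Return the endpoint URL only when credentials may safely travel with the request,
     * i.e. when the scheme is https. Any other scheme is rejected (CWE-522).
     */
    static String urlForBasicAuth(String urlFormat, String host, int port) {
        URI uri = URI.create(String.format(urlFormat, host, port));
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException(
                "refusing Basic authentication over " + uri.getScheme() + " for " + uri);
        }
        return uri.toString();
    }

    public static void main(String[] args) {
        String header = basicHeaderValue("admin", "s3cret"); // constructed sample credentials
        System.out.println(header + " decodes to " + decodeBasic(header));

        // HTTPS default: allowed.
        System.out.println(urlForBasicAuth(SERVER_SSL_URL_FORMAT, "ambari.example", 8443));

        // HTTP default: rejected before any credential is attached.
        try {
            urlForBasicAuth(SERVER_URL_FORMAT, "ambari.example", 8080);
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```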