HADOOP-13299. JMXJsonServlet is vulnerable to TRACE. (Haibo Chen via kasha)

Author: Karthik Kambatla

hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/jmx/JMXJsonServlet.java

@@ -147,7 +147,16 @@ protected boolean isInstrumentationAccessAllowed(HttpServletRequest request,
     return HttpServer2.isInstrumentationAccessAllowed(getServletContext(),
         request, response);
   }
-  
+
+  /**
+   * Disable TRACE method to avoid TRACE vulnerability.
+   */
+  @Override
+  protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
+      throws ServletException, IOException {
+    resp.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+  }
+
   /**
    * Process a GET request for the specified resource.
    * 

hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/jmx/TestJMXJsonServlet.java

@@ -24,6 +24,8 @@
 import org.junit.BeforeClass;
 import org.junit.Test;
 
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
 import java.net.HttpURLConnection;
 import java.net.URL;
 import java.util.regex.Matcher;
@@ -81,4 +83,15 @@ public static void assertReFind(String re, String value) {
     assertEquals("GET", conn.getHeaderField(ACCESS_CONTROL_ALLOW_METHODS));
     assertNotNull(conn.getHeaderField(ACCESS_CONTROL_ALLOW_ORIGIN));
   }
+
+  @Test
+  public void testTraceRequest() throws IOException {
+    URL url = new URL(baseUrl, "/jmx");
+    HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+    conn.setRequestMethod("TRACE");
+
+    assertEquals("Unexpected response code",
+        HttpServletResponse.SC_METHOD_NOT_ALLOWED, conn.getResponseCode());
+  }
+
 }