
HADOOP-11385. Prevent cross site scripting attack on JMXJSONServlet. …
…Contributed by Haohui Mai.
Haohui Mai committed Dec 18, 2014
1 parent 65f2a4e commit ef1fc51
Showing 3 changed files with 34 additions and 63 deletions.
3 changes: 3 additions & 0 deletions hadoop-common-project/hadoop-common/CHANGES.txt
Expand Up @@ -614,6 +614,9 @@ Release 2.7.0 - UNRELEASED
HADOOP-11125. Remove redundant tests in TestOsSecureRandom.
(Masanori Oyama via wheat9)

HADOOP-11385. Prevent cross site scripting attack on JMXJSONServlet.
(wheat9)

Release 2.6.0 - 2014-11-18

INCOMPATIBLE CHANGES
Expand Up @@ -17,12 +17,11 @@

package org.apache.hadoop.jmx;

import java.io.IOException;
import java.io.PrintWriter;
import java.lang.management.ManagementFactory;
import java.lang.reflect.Array;
import java.util.Iterator;
import java.util.Set;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.http.HttpServer2;
import org.codehaus.jackson.JsonFactory;
import org.codehaus.jackson.JsonGenerator;

import javax.management.AttributeNotFoundException;
import javax.management.InstanceNotFoundException;
Expand All @@ -43,12 +42,12 @@
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.http.HttpServer2;
import org.codehaus.jackson.JsonFactory;
import org.codehaus.jackson.JsonGenerator;
import java.io.IOException;
import java.io.PrintWriter;
import java.lang.management.ManagementFactory;
import java.lang.reflect.Array;
import java.util.Iterator;
import java.util.Set;

/*
* This servlet is based off of the JMXProxyServlet from Tomcat 7.0.14. It has
Expand Down Expand Up @@ -114,16 +113,16 @@
*
* The bean's name and modelerType will be returned for all beans.
*
* Optional paramater "callback" should be used to deliver JSONP response.
*
*/
public class JMXJsonServlet extends HttpServlet {
private static final Log LOG = LogFactory.getLog(JMXJsonServlet.class);
static final String ACCESS_CONTROL_ALLOW_METHODS =
"Access-Control-Allow-Methods";
static final String ACCESS_CONTROL_ALLOW_ORIGIN =
"Access-Control-Allow-Origin";

private static final long serialVersionUID = 1L;

private static final String CALLBACK_PARAM = "callback";

/**
* MBean server.
*/
return;
}
JsonGenerator jg = null;
String jsonpcb = null;
PrintWriter writer = null;
try {
writer = response.getWriter();

// "callback" parameter implies JSONP outpout
jsonpcb = request.getParameter(CALLBACK_PARAM);
if (jsonpcb != null) {
response.setContentType("application/javascript; charset=utf8");
writer.write(jsonpcb + "(");
} else {
response.setContentType("application/json; charset=utf8");
}
response.setContentType("application/json; charset=utf8");
response.setHeader(ACCESS_CONTROL_ALLOW_METHODS, "GET");
response.setHeader(ACCESS_CONTROL_ALLOW_ORIGIN, "*");

jg = jsonFactory.createJsonGenerator(writer);
jg.disable(JsonGenerator.Feature.AUTO_CLOSE_TARGET);
if (jg != null) {
jg.close();
}
if (jsonpcb != null) {
writer.write(");");
}
if (writer != null) {
writer.close();
}
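Review bot: `response.setHeader(ACCESS_CONTROL_ALLOW_ORIGIN, "*")` is still emitted unconditionally right after the new single `setContentType` call, so removing JSONP closes the reflected-script vector but any web origin can still read the full JMX bean dump with a plain cross-origin fetch on deployments where this servlet is reachable without authentication (with `*`, browsers will not attach credentials, so cookie-gated setups are less exposed). Consider dropping the wildcard by default or making the allowed origin configurable, since the JSONP removal suggests the endpoint is not meant to be consumed by arbitrary third-party pages. A smaller point: `application/json; charset=utf8` uses an unregistered charset name; `charset=utf-8` is what clients and proxies reliably recognize. doGet's body starts and ends outside this hunk, so the access check whose `return` appears at the top of the hunk is not visible here.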
Expand Up @@ -18,20 +18,21 @@
package org.apache.hadoop.jmx;


import java.net.URL;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.http.HttpServer2;
import org.apache.hadoop.http.HttpServerFunctionalTest;
import org.junit.AfterClass;
import org.junit.BeforeClass;
import org.junit.Test;

import java.net.HttpURLConnection;
import java.net.URL;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import static org.apache.hadoop.jmx.JMXJsonServlet.ACCESS_CONTROL_ALLOW_METHODS;
import static org.apache.hadoop.jmx.JMXJsonServlet.ACCESS_CONTROL_ALLOW_ORIGIN;

public class TestJMXJsonServlet extends HttpServerFunctionalTest {
private static final Log LOG = LogFactory.getLog(TestJMXJsonServlet.class);
private static HttpServer2 server;
private static URL baseUrl;

Expand All @@ -53,54 +54,31 @@ public static void assertReFind(String re, String value) {

@Test public void testQuery() throws Exception {
String result = readOutput(new URL(baseUrl, "/jmx?qry=java.lang:type=Runtime"));
LOG.info("/jmx?qry=java.lang:type=Runtime RESULT: "+result);
assertReFind("\"name\"\\s*:\\s*\"java.lang:type=Runtime\"", result);
assertReFind("\"modelerType\"", result);

result = readOutput(new URL(baseUrl, "/jmx?qry=java.lang:type=Memory"));
LOG.info("/jmx?qry=java.lang:type=Memory RESULT: "+result);
assertReFind("\"name\"\\s*:\\s*\"java.lang:type=Memory\"", result);
assertReFind("\"modelerType\"", result);

result = readOutput(new URL(baseUrl, "/jmx"));
LOG.info("/jmx RESULT: "+result);
assertReFind("\"name\"\\s*:\\s*\"java.lang:type=Memory\"", result);

// test to get an attribute of a mbean
result = readOutput(new URL(baseUrl,
"/jmx?get=java.lang:type=Memory::HeapMemoryUsage"));
LOG.info("/jmx RESULT: "+result);
assertReFind("\"name\"\\s*:\\s*\"java.lang:type=Memory\"", result);
assertReFind("\"committed\"\\s*:", result);

// negative test to get an attribute of a mbean
result = readOutput(new URL(baseUrl,
"/jmx?get=java.lang:type=Memory::"));
LOG.info("/jmx RESULT: "+result);
assertReFind("\"ERROR\"", result);

// test to get JSONP result
result = readOutput(new URL(baseUrl, "/jmx?qry=java.lang:type=Memory&callback=mycallback1"));
LOG.info("/jmx?qry=java.lang:type=Memory&callback=mycallback RESULT: "+result);
assertReFind("^mycallback1\\(\\{", result);
assertReFind("\\}\\);$", result);

// negative test to get an attribute of a mbean as JSONP
result = readOutput(new URL(baseUrl,
"/jmx?get=java.lang:type=Memory::&callback=mycallback2"));
LOG.info("/jmx RESULT: "+result);
assertReFind("^mycallback2\\(\\{", result);
assertReFind("\"ERROR\"", result);
assertReFind("\\}\\);$", result);

// test to get an attribute of a mbean as JSONP
result = readOutput(new URL(baseUrl,
"/jmx?get=java.lang:type=Memory::HeapMemoryUsage&callback=mycallback3"));
LOG.info("/jmx RESULT: "+result);
assertReFind("^mycallback3\\(\\{", result);
assertReFind("\"name\"\\s*:\\s*\"java.lang:type=Memory\"", result);
assertReFind("\"committed\"\\s*:", result);
assertReFind("\\}\\);$", result);

// test to CORS headers
HttpURLConnection conn = (HttpURLConnection)
new URL(baseUrl, "/jmx?qry=java.lang:type=Memory").openConnection();
assertEquals("GET", conn.getHeaderField(ACCESS_CONTROL_ALLOW_METHODS));
assertNotNull(conn.getHeaderField(ACCESS_CONTROL_ALLOW_ORIGIN));
}
}
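Review bot: The three JSONP cases are deleted but no test now asserts that a `callback` parameter is ignored, so a regression that reintroduces the reflected prefix would pass this suite unnoticed. After the negative `Memory::` case add `result = readOutput(new URL(baseUrl, "/jmx?qry=java.lang:type=Memory&callback=mycallback"));` followed by `assertReFind("^\\{", result);` and `assertFalse(result.contains("mycallback"));` to pin the fix. The CORS block at the end opens the connection but never checks the body's declared type; `assertEquals("application/json; charset=utf8", conn.getContentType());` would lock in the now-unconditional JSON content type as well.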
