Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HDFS-16766. XML External Entity (XXE) attacks can occur while processing XML received from an untrusted source #4886

Merged
merged 1 commit into from
Sep 27, 2022
Merged

HDFS-16766. XML External Entity (XXE) attacks can occur while processing XML received from an untrusted source #4886

merged 1 commit into from
Sep 27, 2022

Conversation

ashutoshcipher
Copy link
Contributor

@ashutoshcipher ashutoshcipher commented Sep 14, 2022
edited
Loading

Description of PR

JIRA - HDFS-16766

XML External Entity (XXE) attacks can occur while processing XML received from an untrusted source.

Solution - Change done in this PR disables DTDs regardless of the parser type in case the parser changes later to mitigate the issue.

For code changes:

  • Does the title or this PR starts with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
  • Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
  • If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
  • If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?

@hadoop-yetus
Copy link

💔 -1 overall

Vote Subsystem Runtime Logfile Comment
+0 🆗 reexec 0m 55s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+0 🆗 codespell 0m 1s codespell was not available.
+0 🆗 detsecrets 0m 1s detect-secrets was not available.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
-1 ❌ test4tests 0m 0s The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
_ trunk Compile Tests _
+1 💚 mvninstall 42m 14s trunk passed
+1 💚 compile 1m 14s trunk passed with JDK Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04
+1 💚 compile 1m 5s trunk passed with JDK Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07
+1 💚 checkstyle 0m 40s trunk passed
+1 💚 mvnsite 1m 10s trunk passed
+1 💚 javadoc 0m 58s trunk passed with JDK Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04
+1 💚 javadoc 0m 45s trunk passed with JDK Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07
+1 💚 spotbugs 3m 1s trunk passed
+1 💚 shadedclient 25m 54s branch has no errors when building and testing our client artifacts.
_ Patch Compile Tests _
+1 💚 mvninstall 0m 55s the patch passed
+1 💚 compile 1m 1s the patch passed with JDK Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04
+1 💚 javac 1m 1s the patch passed
+1 💚 compile 0m 51s the patch passed with JDK Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07
+1 💚 javac 0m 51s the patch passed
+1 💚 blanks 0m 0s The patch has no blanks issues.
+1 💚 checkstyle 0m 22s the patch passed
+1 💚 mvnsite 0m 56s the patch passed
+1 💚 javadoc 0m 41s the patch passed with JDK Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04
+1 💚 javadoc 0m 34s the patch passed with JDK Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07
+1 💚 spotbugs 2m 50s the patch passed
+1 💚 shadedclient 25m 52s patch has no errors when building and testing our client artifacts.
_ Other Tests _
+1 💚 unit 2m 26s hadoop-hdfs-client in the patch passed.
+1 💚 asflicense 0m 40s The patch does not generate ASF License warnings.
114m 7s
Subsystem Report/Notes
Docker ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4886/1/artifact/out/Dockerfile
GITHUB PR #4886
Optional Tests dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient spotbugs checkstyle codespell detsecrets
uname Linux cede6563a295 4.15.0-191-generic #202-Ubuntu SMP Thu Aug 4 01:49:29 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/bin/hadoop.sh
git revision trunk / 7a3805a
Default Java Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07
Multi-JDK versions /usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.16+8-post-Ubuntu-0ubuntu120.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_342-8u342-b07-0ubuntu1~20.04-b07
Test Results https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4886/1/testReport/
Max. process+thread count 534 (vs. ulimit of 5500)
modules C: hadoop-hdfs-project/hadoop-hdfs-client U: hadoop-hdfs-project/hadoop-hdfs-client
Console output https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-4886/1/console
versions git=2.25.1 maven=3.6.3 spotbugs=4.2.2
Powered by Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

@ashutoshcipher
Copy link
Contributor Author

@aajisaka please help in this PR. Thank you so much.

aajisaka
aajisaka approved these changes Sep 27, 2022
View reviewed changes
Copy link
Member

@aajisaka aajisaka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1. Thank you for your fix, @ashutoshcipher

@aajisaka aajisaka merged commit d9f435f into apache:trunk Sep 27, 2022
aajisaka pushed a commit that referenced this pull request Sep 27, 2022
@ashutoshcipher @aajisaka
HDFS-16766. XML External Entity (XXE) attacks can occur while process…
dea018e 
…ing XML received from an untrusted source (#4886)

Co-authored-by: Ashutosh Gupta <ashugpt@amazon.com>
Signed-off-by: Akira Ajisaka <aajisaka@apache.org>
(cherry picked from commit d9f435f)
aajisaka pushed a commit that referenced this pull request Sep 27, 2022
@ashutoshcipher @aajisaka
HDFS-16766. XML External Entity (XXE) attacks can occur while process…
697cae8 
…ing XML received from an untrusted source (#4886)

Co-authored-by: Ashutosh Gupta <ashugpt@amazon.com>
Signed-off-by: Akira Ajisaka <aajisaka@apache.org>
(cherry picked from commit d9f435f)
@ashutoshcipher
Copy link
Contributor Author

Thanks @aajisaka for reviewing and merging.

@ashutoshcipher ashutoshcipher deleted the HDFS-16766 branch September 27, 2022 07:26
HarshitGupta11 pushed a commit to HarshitGupta11/hadoop that referenced this pull request Nov 28, 2022
@ashutoshcipher
HDFS-16766. XML External Entity (XXE) attacks can occur while process…
464d9a7 
…ing XML received from an untrusted source (apache#4886)

Co-authored-by: Ashutosh Gupta <ashugpt@amazon.com>
Signed-off-by: Akira Ajisaka <aajisaka@apache.org>
jojochuang pushed a commit to jojochuang/hadoop that referenced this pull request May 23, 2023
@ashutoshcipher @rohit-kb
CDPD-46149: HDFS-16766. XML External Entity (XXE) attacks can occur w…
861f30c 
…hile processing XML received from an untrusted source (apache#4886)

Co-authored-by: Ashutosh Gupta <ashugpt@amazon.com>
Signed-off-by: Akira Ajisaka <aajisaka@apache.org>
Change-Id: Id3fc0d9efa49810965c29ceebb2b6f193fc44c52
(cherry picked from commit c55d1a5)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aajisaka aajisaka aajisaka approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ashutoshcipher @hadoop-yetus @aajisaka