HDDS-2158. Fixing Json Injection Issue in JsonUtils. (#1486)

Hanisha Koneru 2019-10-04 12:52:29 -07:00 committed by GitHub
parent f3eaa84f9d
commit 8de4374427
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
18 changed files with 34 additions and 47 deletions


@ -54,7 +54,7 @@ public class ContainerInfo implements Comparator<ContainerInfo>,
mapper.setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY); mapper.setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY);
mapper mapper
.setVisibility(PropertyAccessor.GETTER, JsonAutoDetect.Visibility.NONE); .setVisibility(PropertyAccessor.GETTER, JsonAutoDetect.Visibility.NONE);
WRITER = mapper.writer(); WRITER = mapper.writerWithDefaultPrettyPrinter();
} }
private HddsProtos.LifeCycleState state; private HddsProtos.LifeCycleState state;
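Review bot: Switching the shared static `WRITER` to `mapper.writerWithDefaultPrettyPrinter()` changes the output of every caller that serializes through it, not only the CLI listing this commit targets. If `toJsonString()` (not visible in this hunk) also feeds log statements or anything that parses or compares the string, those callers now receive multi-line JSON. Consider keeping `WRITER` compact and adding a second writer for display, e.g. `PRETTY_WRITER = mapper.writerWithDefaultPrettyPrinter();`, or at least document the intent above the assignment with `// Pretty-printed: toJsonString() is meant for human-readable CLI output.` The static initializer starts outside the hunk.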


@ -43,10 +43,9 @@ private JsonUtils() {
// Never constructed // Never constructed
} }
public static String toJsonStringWithDefaultPrettyPrinter(String jsonString) public static String toJsonStringWithDefaultPrettyPrinter(Object obj)
throws IOException { throws IOException {
Object json = READER.readValue(jsonString); return WRITTER.writeValueAsString(obj);
return WRITTER.writeValueAsString(json);
} }
public static String toJsonString(Object obj) throws IOException { public static String toJsonString(Object obj) throws IOException {
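Review bot: `toJsonStringWithDefaultPrettyPrinter(Object obj)` has no Javadoc, and the parameter change from `String` to `Object` is silent for existing callers: code that still passes already-serialized JSON compiles unchanged but now gets that text back as one quoted, escaped JSON string instead of a pretty-printed document. A short Javadoc would make the contract explicit, for example `/** Serializes {@code obj} to pretty-printed JSON; a String argument is written as a JSON string literal and is never parsed. */`. A unit test that passes a string containing quotes and braces and asserts it comes back as a single escaped literal would pin the behaviour the commit title refers to. If `READER` has no remaining users after this change it can be dropped; its declaration is outside the hunk.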


@ -24,7 +24,6 @@
import org.apache.hadoop.hdds.cli.HddsVersionProvider; import org.apache.hadoop.hdds.cli.HddsVersionProvider;
import org.apache.hadoop.hdds.scm.client.ScmClient; import org.apache.hadoop.hdds.scm.client.ScmClient;
import org.apache.hadoop.hdds.scm.container.ContainerInfo; import org.apache.hadoop.hdds.scm.container.ContainerInfo;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import org.slf4j.Logger; import org.slf4j.Logger;
import org.slf4j.LoggerFactory; import org.slf4j.LoggerFactory;
@ -61,8 +60,7 @@ public class ListSubcommand implements Callable<Void> {
private void outputContainerInfo(ContainerInfo containerInfo) private void outputContainerInfo(ContainerInfo containerInfo)
throws IOException { throws IOException {
// Print container report info. // Print container report info.
LOG.info("{}", JsonUtils.toJsonStringWithDefaultPrettyPrinter( LOG.info("{}", containerInfo.toJsonString());
containerInfo.toJsonString()));
} }
@Override @Override


@ -29,8 +29,7 @@ private ObjectPrinter() {
} }
public static String getObjectAsJson(Object o) throws IOException { public static String getObjectAsJson(Object o) throws IOException {
return JsonUtils.toJsonStringWithDefaultPrettyPrinter( return JsonUtils.toJsonStringWithDefaultPrettyPrinter(o);
JsonUtils.toJsonString(o));
} }
public static void printObjectAsJson(Object o) throws IOException { public static void printObjectAsJson(Object o) throws IOException {


@ -24,7 +24,6 @@
import org.apache.hadoop.ozone.web.ozShell.Handler; import org.apache.hadoop.ozone.web.ozShell.Handler;
import org.apache.hadoop.ozone.web.ozShell.OzoneAddress; import org.apache.hadoop.ozone.web.ozShell.OzoneAddress;
import org.apache.hadoop.ozone.web.ozShell.Shell; import org.apache.hadoop.ozone.web.ozShell.Shell;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import picocli.CommandLine; import picocli.CommandLine;
import picocli.CommandLine.Command; import picocli.CommandLine.Command;
import picocli.CommandLine.Parameters; import picocli.CommandLine.Parameters;
@ -92,8 +91,8 @@ public Void call() throws Exception {
boolean result = client.getObjectStore().addAcl(obj, boolean result = client.getObjectStore().addAcl(obj,
OzoneAcl.parseAcl(acl)); OzoneAcl.parseAcl(acl));
System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter( System.out.printf("%s%n", "Acl added successfully: " + result);
JsonUtils.toJsonString("Acl set successfully: " + result)));
client.close(); client.close();
return null; return null;
} }
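Review bot: The new message `"Acl added successfully: " + result` still prints the word "successfully" when `result` is `false`, so an operator or a script can read a call that changed nothing as a success. That matters for ACL changes, where an unapplied grant or revoke leaves access different from what was intended. Branching on the return value would be clearer, e.g. `System.out.printf("%s%n", result ? "Acl added successfully." : "Acl was not added.");`, assuming `false` means the ACL was not applied (the `addAcl` contract is not visible here). The same pattern appears in the other add, remove and set ACL handlers changed by this commit. `call()` starts outside the hunk.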


@ -75,8 +75,8 @@ public Void call() throws Exception {
List<OzoneAcl> result = client.getObjectStore().getAcl(obj); List<OzoneAcl> result = client.getObjectStore().getAcl(obj);
System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter( System.out.printf("%s%n",
JsonUtils.toJsonString(result))); JsonUtils.toJsonStringWithDefaultPrettyPrinter(result));
client.close(); client.close();
return null; return null;
} }


@ -24,7 +24,6 @@
import org.apache.hadoop.ozone.web.ozShell.Handler; import org.apache.hadoop.ozone.web.ozShell.Handler;
import org.apache.hadoop.ozone.web.ozShell.OzoneAddress; import org.apache.hadoop.ozone.web.ozShell.OzoneAddress;
import org.apache.hadoop.ozone.web.ozShell.Shell; import org.apache.hadoop.ozone.web.ozShell.Shell;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import picocli.CommandLine; import picocli.CommandLine;
import picocli.CommandLine.Command; import picocli.CommandLine.Command;
import picocli.CommandLine.Parameters; import picocli.CommandLine.Parameters;
@ -68,7 +67,7 @@ public class RemoveAclBucketHandler extends Handler {
*/ */
@Override @Override
public Void call() throws Exception { public Void call() throws Exception {
Objects.requireNonNull(acl, "New acl to be added not specified."); Objects.requireNonNull(acl, "ACL to be removed not specified.");
OzoneAddress address = new OzoneAddress(uri); OzoneAddress address = new OzoneAddress(uri);
address.ensureBucketAddress(); address.ensureBucketAddress();
OzoneClient client = address.createClient(createOzoneConfiguration()); OzoneClient client = address.createClient(createOzoneConfiguration());
@ -92,8 +91,8 @@ public Void call() throws Exception {
boolean result = client.getObjectStore().removeAcl(obj, boolean result = client.getObjectStore().removeAcl(obj,
OzoneAcl.parseAcl(acl)); OzoneAcl.parseAcl(acl));
System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter( System.out.printf("%s%n", "Acl removed successfully: " + result);
JsonUtils.toJsonString("Acl removed successfully: " + result)));
client.close(); client.close();
return null; return null;
} }


@ -24,7 +24,6 @@
import org.apache.hadoop.ozone.web.ozShell.Handler; import org.apache.hadoop.ozone.web.ozShell.Handler;
import org.apache.hadoop.ozone.web.ozShell.OzoneAddress; import org.apache.hadoop.ozone.web.ozShell.OzoneAddress;
import org.apache.hadoop.ozone.web.ozShell.Shell; import org.apache.hadoop.ozone.web.ozShell.Shell;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import picocli.CommandLine; import picocli.CommandLine;
import picocli.CommandLine.Command; import picocli.CommandLine.Command;
import picocli.CommandLine.Parameters; import picocli.CommandLine.Parameters;
@ -92,8 +91,8 @@ public Void call() throws Exception {
boolean result = client.getObjectStore().setAcl(obj, boolean result = client.getObjectStore().setAcl(obj,
OzoneAcl.parseAcls(acls)); OzoneAcl.parseAcls(acls));
System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter( System.out.printf("%s%n", "Acl set successfully: " + result);
JsonUtils.toJsonString("Acl set successfully: " + result)));
client.close(); client.close();
return null; return null;
} }


@ -24,7 +24,6 @@
import org.apache.hadoop.ozone.web.ozShell.Handler; import org.apache.hadoop.ozone.web.ozShell.Handler;
import org.apache.hadoop.ozone.web.ozShell.OzoneAddress; import org.apache.hadoop.ozone.web.ozShell.OzoneAddress;
import org.apache.hadoop.ozone.web.ozShell.Shell; import org.apache.hadoop.ozone.web.ozShell.Shell;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import picocli.CommandLine; import picocli.CommandLine;
import picocli.CommandLine.Command; import picocli.CommandLine.Command;
import picocli.CommandLine.Parameters; import picocli.CommandLine.Parameters;
@ -95,8 +94,8 @@ public Void call() throws Exception {
boolean result = client.getObjectStore().addAcl(obj, boolean result = client.getObjectStore().addAcl(obj,
OzoneAcl.parseAcl(acl)); OzoneAcl.parseAcl(acl));
System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter( System.out.printf("%s%n", "Acl added successfully: " + result);
JsonUtils.toJsonString("Acl set successfully: " + result)));
client.close(); client.close();
return null; return null;
} }


@ -78,8 +78,8 @@ public Void call() throws Exception {
List<OzoneAcl> result = client.getObjectStore().getAcl(obj); List<OzoneAcl> result = client.getObjectStore().getAcl(obj);
System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter( System.out.printf("%s%n",
JsonUtils.toJsonString(result))); JsonUtils.toJsonStringWithDefaultPrettyPrinter(result));
client.close(); client.close();
return null; return null;
} }


@ -24,7 +24,6 @@
import org.apache.hadoop.ozone.web.ozShell.Handler; import org.apache.hadoop.ozone.web.ozShell.Handler;
import org.apache.hadoop.ozone.web.ozShell.OzoneAddress; import org.apache.hadoop.ozone.web.ozShell.OzoneAddress;
import org.apache.hadoop.ozone.web.ozShell.Shell; import org.apache.hadoop.ozone.web.ozShell.Shell;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import picocli.CommandLine; import picocli.CommandLine;
import picocli.CommandLine.Command; import picocli.CommandLine.Command;
import picocli.CommandLine.Parameters; import picocli.CommandLine.Parameters;
@ -68,7 +67,7 @@ public class RemoveAclKeyHandler extends Handler {
*/ */
@Override @Override
public Void call() throws Exception { public Void call() throws Exception {
Objects.requireNonNull(acl, "New acl to be added not specified."); Objects.requireNonNull(acl, "ACL to be removed not specified.");
OzoneAddress address = new OzoneAddress(uri); OzoneAddress address = new OzoneAddress(uri);
address.ensureKeyAddress(); address.ensureKeyAddress();
OzoneClient client = address.createClient(createOzoneConfiguration()); OzoneClient client = address.createClient(createOzoneConfiguration());
@ -95,8 +94,8 @@ public Void call() throws Exception {
boolean result = client.getObjectStore().removeAcl(obj, boolean result = client.getObjectStore().removeAcl(obj,
OzoneAcl.parseAcl(acl)); OzoneAcl.parseAcl(acl));
System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter( System.out.printf("%s%n", "Acl removed successfully: " + result);
JsonUtils.toJsonString("Acl set successfully: " + result)));
client.close(); client.close();
return null; return null;
} }


@ -24,7 +24,6 @@
import org.apache.hadoop.ozone.web.ozShell.Handler; import org.apache.hadoop.ozone.web.ozShell.Handler;
import org.apache.hadoop.ozone.web.ozShell.OzoneAddress; import org.apache.hadoop.ozone.web.ozShell.OzoneAddress;
import org.apache.hadoop.ozone.web.ozShell.Shell; import org.apache.hadoop.ozone.web.ozShell.Shell;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import picocli.CommandLine; import picocli.CommandLine;
import picocli.CommandLine.Command; import picocli.CommandLine.Command;
import picocli.CommandLine.Parameters; import picocli.CommandLine.Parameters;
@ -94,8 +93,8 @@ public Void call() throws Exception {
boolean result = client.getObjectStore().setAcl(obj, boolean result = client.getObjectStore().setAcl(obj,
OzoneAcl.parseAcls(acls)); OzoneAcl.parseAcls(acls));
System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter( System.out.printf("%s%n", "Acl set successfully: " + result);
JsonUtils.toJsonString("Acl set successfully: " + result)));
client.close(); client.close();
return null; return null;
} }


@ -71,7 +71,7 @@ public Void call() throws Exception {
} }
System.out.printf("%s", JsonUtils.toJsonStringWithDefaultPrettyPrinter( System.out.printf("%s", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString(token.encodeToUrlString()))); token.encodeToUrlString()));
return null; return null;
} }
} }
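Review bot: `token.encodeToUrlString()` is a `String`, so `toJsonStringWithDefaultPrettyPrinter` now writes it as a single quoted JSON string literal and the pretty printer has nothing to format. If the quoting is intentional, a comment such as `// Emitted as a JSON string literal; consumers must unquote it.` would record that. Otherwise printing the value directly, `System.out.printf("%s", token.encodeToUrlString());`, would match how the ACL handlers in this commit now print plain text. The print-token handler passes `token.toString()` through the same helper and would benefit from the same decision. `call()` starts outside the hunk.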


@ -65,7 +65,7 @@ public Void call() throws Exception {
token.decodeFromUrlString(encodedToken); token.decodeFromUrlString(encodedToken);
System.out.printf("%s", JsonUtils.toJsonStringWithDefaultPrettyPrinter( System.out.printf("%s", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString(token.toString()))); token.toString()));
return null; return null;
} }
} }


@ -24,7 +24,6 @@
import org.apache.hadoop.ozone.web.ozShell.Handler; import org.apache.hadoop.ozone.web.ozShell.Handler;
import org.apache.hadoop.ozone.web.ozShell.OzoneAddress; import org.apache.hadoop.ozone.web.ozShell.OzoneAddress;
import org.apache.hadoop.ozone.web.ozShell.Shell; import org.apache.hadoop.ozone.web.ozShell.Shell;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import picocli.CommandLine; import picocli.CommandLine;
import picocli.CommandLine.Command; import picocli.CommandLine.Command;
import picocli.CommandLine.Parameters; import picocli.CommandLine.Parameters;
@ -89,8 +88,8 @@ public Void call() throws Exception {
boolean result = client.getObjectStore().addAcl(obj, boolean result = client.getObjectStore().addAcl(obj,
OzoneAcl.parseAcl(acl)); OzoneAcl.parseAcl(acl));
System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter( System.out.printf("%s%n", "Acl added successfully: " + result);
JsonUtils.toJsonString("Acl set successfully: " + result)));
client.close(); client.close();
return null; return null;
} }


@ -69,8 +69,8 @@ public Void call() throws Exception {
OzoneObj.StoreType.valueOf(storeType)) OzoneObj.StoreType.valueOf(storeType))
.build(); .build();
List<OzoneAcl> result = client.getObjectStore().getAcl(obj); List<OzoneAcl> result = client.getObjectStore().getAcl(obj);
System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter( System.out.printf("%s%n",
JsonUtils.toJsonString(result))); JsonUtils.toJsonStringWithDefaultPrettyPrinter(result));
client.close(); client.close();
return null; return null;
} }


@ -24,7 +24,6 @@
import org.apache.hadoop.ozone.web.ozShell.Handler; import org.apache.hadoop.ozone.web.ozShell.Handler;
import org.apache.hadoop.ozone.web.ozShell.OzoneAddress; import org.apache.hadoop.ozone.web.ozShell.OzoneAddress;
import org.apache.hadoop.ozone.web.ozShell.Shell; import org.apache.hadoop.ozone.web.ozShell.Shell;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import picocli.CommandLine; import picocli.CommandLine;
import picocli.CommandLine.Command; import picocli.CommandLine.Command;
import picocli.CommandLine.Parameters; import picocli.CommandLine.Parameters;
@ -68,7 +67,7 @@ public class RemoveAclVolumeHandler extends Handler {
*/ */
@Override @Override
public Void call() throws Exception { public Void call() throws Exception {
Objects.requireNonNull(acl, "New acl to be added not specified."); Objects.requireNonNull(acl, "ACL to be removed not specified.");
OzoneAddress address = new OzoneAddress(uri); OzoneAddress address = new OzoneAddress(uri);
address.ensureVolumeAddress(); address.ensureVolumeAddress();
OzoneClient client = address.createClient(createOzoneConfiguration()); OzoneClient client = address.createClient(createOzoneConfiguration());
@ -89,8 +88,8 @@ public Void call() throws Exception {
boolean result = client.getObjectStore().removeAcl(obj, boolean result = client.getObjectStore().removeAcl(obj,
OzoneAcl.parseAcl(acl)); OzoneAcl.parseAcl(acl));
System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter( System.out.printf("%s%n", "Acl removed successfully: " + result);
JsonUtils.toJsonString("Acl removed successfully: " + result)));
client.close(); client.close();
return null; return null;
} }


@ -24,7 +24,6 @@
import org.apache.hadoop.ozone.web.ozShell.Handler; import org.apache.hadoop.ozone.web.ozShell.Handler;
import org.apache.hadoop.ozone.web.ozShell.OzoneAddress; import org.apache.hadoop.ozone.web.ozShell.OzoneAddress;
import org.apache.hadoop.ozone.web.ozShell.Shell; import org.apache.hadoop.ozone.web.ozShell.Shell;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import picocli.CommandLine; import picocli.CommandLine;
import picocli.CommandLine.Command; import picocli.CommandLine.Command;
import picocli.CommandLine.Parameters; import picocli.CommandLine.Parameters;
@ -92,8 +91,8 @@ public Void call() throws Exception {
boolean result = client.getObjectStore().setAcl(obj, boolean result = client.getObjectStore().setAcl(obj,
OzoneAcl.parseAcls(acls)); OzoneAcl.parseAcls(acls));
System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter( System.out.printf("%s%n", "Acl set successfully: " + result);
JsonUtils.toJsonString("Acl set successfully: " + result)));
client.close(); client.close();
return null; return null;
} }