From e32e1384d961078e520870c30725c461c0b9233c Mon Sep 17 00:00:00 2001
From: Akira Ajisaka
Date: Sun, 3 May 2020 05:02:27 +0900
Subject: [PATCH] HDFS-15320. StringIndexOutOfBoundsException in HostRestrictingAuthorizationFilter (#1992)
Signed-off-by: Mingliang Liu
---
 .../HostRestrictingAuthorizationFilter.java | 11 +++++---
 ...estHostRestrictingAuthorizationFilter.java | 25 +++++++++++++++++++
 2 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/HostRestrictingAuthorizationFilter.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/HostRestrictingAuthorizationFilter.java
index 1a51b46e58..e9f1cf09e8 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/HostRestrictingAuthorizationFilter.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/HostRestrictingAuthorizationFilter.java
@@ -229,9 +229,14 @@ public void handleInteraction(HttpInteraction interaction)
 throws IOException, ServletException {
 final String address = interaction.getRemoteAddr();
 final String query = interaction.getQueryString();
- final String path =
- interaction.getRequestURI()
- .substring(WebHdfsFileSystem.PATH_PREFIX.length());
+ final String uri = interaction.getRequestURI();
+ if (!uri.startsWith(WebHdfsFileSystem.PATH_PREFIX)) {
+ LOG.trace("Rejecting interaction; wrong URI: {}", uri);
+ interaction.sendError(HttpServletResponse.SC_NOT_FOUND,
+ "The request URI must start with " + WebHdfsFileSystem.PATH_PREFIX);
+ return;
+ }
+ final String path = uri.substring(WebHdfsFileSystem.PATH_PREFIX.length());
 String user = interaction.getRemoteUser();
 LOG.trace("Got request user: {}, remoteIp: {}, query: {}, path: {}",
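Review bot: The new guard in handleInteraction is a bare `startsWith` on the raw request URI, so it enforces no path-segment boundary: a URI such as `/webhdfs/v1x` (constructed example) passes and leaves `path` as `x`. The method continues outside this hunk, presumably into the host/path rule matching, so a stricter test such as `if (!uri.equals(WebHdfsFileSystem.PATH_PREFIX) && !uri.startsWith(WebHdfsFileSystem.PATH_PREFIX + "/")) {` would keep values that are not WebHDFS paths away from the matcher. `getRequestURI()` is also returned undecoded and un-normalised by the container, so a comment stating whether the rules are meant to match that raw form would help. Rejections are logged only at trace; for an authorization filter, debug level or a counter would make them visible to operators.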
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/common/TestHostRestrictingAuthorizationFilter.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/common/TestHostRestrictingAuthorizationFilter.java
index bd78a50da9..34bc616e54 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/common/TestHostRestrictingAuthorizationFilter.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/common/TestHostRestrictingAuthorizationFilter.java
@@ -243,6 +243,31 @@ public void doFilter(ServletRequest servletRequest,
 filter.destroy();
 }
+ /**
+ * Test acceptable behavior to malformed requests
+ * Case: the request URI does not start with "/webhdfs/v1"
+ */
+ @Test
+ public void testInvalidURI() throws Exception {
+ HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(request.getMethod()).thenReturn("GET");
+ Mockito.when(request.getRequestURI()).thenReturn("/InvalidURI");
+ HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
+
+ Filter filter = new HostRestrictingAuthorizationFilter();
+ HashMap configs = new HashMap() {};
+ configs.put(AuthenticationFilter.AUTH_TYPE, "simple");
+ FilterConfig fc = new DummyFilterConfig(configs);
+
+ filter.init(fc);
+ filter.doFilter(request, response,
+ (servletRequest, servletResponse) -> {});
+ Mockito.verify(response, Mockito.times(1))
+ .sendError(Mockito.eq(HttpServletResponse.SC_NOT_FOUND),
+ Mockito.anyString());
+ filter.destroy();
+ }
+
 private static class DummyFilterConfig implements FilterConfig {
 final Map map;
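Review bot: testInvalidURI uses `/InvalidURI`, which has the same length as the `/webhdfs/v1` prefix named in the javadoc, so if that is the value of PATH_PREFIX the old `substring` call would have returned an empty string rather than thrown. The test therefore pins the new 404 but not the StringIndexOutOfBoundsException from the commit title; a second case with a URI shorter than the prefix, e.g. `Mockito.when(request.getRequestURI()).thenReturn("/");`, would cover the regression. The no-op lambda chain also means nothing asserts that the request was stopped; passing a mocked `FilterChain` and adding `Mockito.verify(chain, Mockito.never()).doFilter(Mockito.any(), Mockito.any());` would check that.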