diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/HostRestrictingAuthorizationFilter.java b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/HostRestrictingAuthorizationFilter.java
index 1a51b46e58..e9f1cf09e8 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/HostRestrictingAuthorizationFilter.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/main/java/org/apache/hadoop/hdfs/server/common/HostRestrictingAuthorizationFilter.java
@@ -229,9 +229,14 @@ public void handleInteraction(HttpInteraction interaction)
 throws IOException, ServletException {
 final String address = interaction.getRemoteAddr();
 final String query = interaction.getQueryString();
- final String path =
- interaction.getRequestURI()
- .substring(WebHdfsFileSystem.PATH_PREFIX.length());
+ final String uri = interaction.getRequestURI();
+ if (!uri.startsWith(WebHdfsFileSystem.PATH_PREFIX)) {
+ LOG.trace("Rejecting interaction; wrong URI: {}", uri);
+ interaction.sendError(HttpServletResponse.SC_NOT_FOUND,
+ "The request URI must start with " + WebHdfsFileSystem.PATH_PREFIX);
+ return;
+ }
+ final String path = uri.substring(WebHdfsFileSystem.PATH_PREFIX.length());
 String user = interaction.getRemoteUser();
 LOG.trace("Got request user: {}, remoteIp: {}, query: {}, path: {}",
diff --git a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/common/TestHostRestrictingAuthorizationFilter.java b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/common/TestHostRestrictingAuthorizationFilter.java
index bd78a50da9..34bc616e54 100644
--- a/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/common/TestHostRestrictingAuthorizationFilter.java
+++ b/hadoop-hdfs-project/hadoop-hdfs/src/test/java/org/apache/hadoop/hdfs/server/common/TestHostRestrictingAuthorizationFilter.java
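Review bot: The new guard in `handleInteraction` (HostRestrictingAuthorizationFilter.java) tests only `uri.startsWith(WebHdfsFileSystem.PATH_PREFIX)`, so a URI that merely shares the leading characters (constructed example: `/webhdfs/v1x/data`) is accepted and yields a `path` with no leading slash. Requiring a path boundary would keep such requests away from whatever matching is done on `path` later: `if (!uri.equals(WebHdfsFileSystem.PATH_PREFIX) && !uri.startsWith(WebHdfsFileSystem.PATH_PREFIX + "/")) {`. `path` is also cut from the raw `getRequestURI()` value, which the servlet container does not decode, so it is worth confirming that the rule matching interprets encoded or dot segments the same way the WebHDFS handler does. The method body continues outside the hunk, so that matching code is not visible here.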
@@ -243,6 +243,31 @@ public void doFilter(ServletRequest servletRequest,
 filter.destroy();
 }
+ /**
+ * Test acceptable behavior to malformed requests
+ * Case: the request URI does not start with "/webhdfs/v1"
+ */
+ @Test
+ public void testInvalidURI() throws Exception {
+ HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
+ Mockito.when(request.getMethod()).thenReturn("GET");
+ Mockito.when(request.getRequestURI()).thenReturn("/InvalidURI");
+ HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
+
+ Filter filter = new HostRestrictingAuthorizationFilter();
+ HashMap configs = new HashMap() {};
+ configs.put(AuthenticationFilter.AUTH_TYPE, "simple");
+ FilterConfig fc = new DummyFilterConfig(configs);
+
+ filter.init(fc);
+ filter.doFilter(request, response,
+ (servletRequest, servletResponse) -> {});
+ Mockito.verify(response, Mockito.times(1))
+ .sendError(Mockito.eq(HttpServletResponse.SC_NOT_FOUND),
+ Mockito.anyString());
+ filter.destroy();
+ }
+
 private static class DummyFilterConfig implements FilterConfig {
 final Map map;
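Review bot: `testInvalidURI` verifies that `sendError` is called with `SC_NOT_FOUND` but not that the request stops at the filter, because the chain passed to `doFilter` is a no-op lambda; a regression that sends the error and still proceeds would pass. Passing a mocked chain and asserting it is never invoked closes that gap, e.g. `FilterChain chain = Mockito.mock(FilterChain.class);` and, after the call, `Mockito.verify(chain, Mockito.never()).doFilter(Mockito.any(), Mockito.any());` (assuming `FilterChain` is imported in this test class). Also, `"/InvalidURI"` has the same length as the `"/webhdfs/v1"` prefix named in the Javadoc, so the `substring` call that the guard now protects would not have gone out of range for this input. A second case with a shorter URI (constructed: `/web`) would pin that path.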