Merged
Expand Up @@ -54,7 +54,7 @@ public class ContainerInfo implements Comparator<ContainerInfo>,
mapper.setVisibility(PropertyAccessor.FIELD, JsonAutoDetect.Visibility.ANY);
mapper
.setVisibility(PropertyAccessor.GETTER, JsonAutoDetect.Visibility.NONE);
WRITER = mapper.writer();
WRITER = mapper.writerWithDefaultPrettyPrinter();
}

private HddsProtos.LifeCycleState state;
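Review bot: Replacing the shared static `WRITER` with `mapper.writerWithDefaultPrettyPrinter()` changes the output of every caller that serializes through it (presumably everything that calls `toJsonString()`), not only the CLI listing; anything that logs or stores that string now receives multi-line, indented JSON. Those callers are outside this hunk, so this is worth confirming before merge. If a compact form is still needed anywhere, keep `WRITER = mapper.writer();` and add a second field such as `PRETTY_WRITER = mapper.writerWithDefaultPrettyPrinter();` for the display path. The static initializer and the class body continue outside the hunk.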
Expand Up @@ -43,10 +43,9 @@ private JsonUtils() {
// Never constructed
}

public static String toJsonStringWithDefaultPrettyPrinter(String jsonString)
public static String toJsonStringWithDefaultPrettyPrinter(Object obj)
throws IOException {
Object json = READER.readValue(jsonString);
return WRITTER.writeValueAsString(json);
return WRITTER.writeValueAsString(obj);
}

public static String toJsonString(Object obj) throws IOException {
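Review bot: `toJsonStringWithDefaultPrettyPrinter(Object obj)` still accepts a `String`, so a caller that was missed and keeps passing already-serialized JSON compiles cleanly but now gets that text emitted as one quoted, escaped JSON string instead of a formatted document. Dropping the `READER.readValue(jsonString)` round trip means the method no longer parses caller-supplied text, and that new contract should be written down on the method. Suggested Javadoc: `/** Serializes obj directly with the pretty printer; a String argument is written as a JSON string literal and is never parsed. */`. If `READER` has no other users (not visible in this hunk) it can be removed as well.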
Expand Up @@ -25,7 +25,6 @@
import org.apache.hadoop.hdds.scm.cli.SCMCLI;
import org.apache.hadoop.hdds.scm.client.ScmClient;
import org.apache.hadoop.hdds.scm.container.ContainerInfo;
import org.apache.hadoop.ozone.web.utils.JsonUtils;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
Expand Down Expand Up @@ -62,8 +61,7 @@ public class ListSubcommand implements Callable<Void> {
private void outputContainerInfo(ContainerInfo containerInfo)
throws IOException {
// Print container report info.
LOG.info("{}", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
containerInfo.toJsonString()));
LOG.info("{}", containerInfo.toJsonString());
}

@Override
Expand Up @@ -29,8 +29,7 @@ private ObjectPrinter() {
}

public static String getObjectAsJson(Object o) throws IOException {
return JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString(o));
return JsonUtils.toJsonStringWithDefaultPrettyPrinter(o);
}

public static void printObjectAsJson(Object o) throws IOException {
Expand Up @@ -24,7 +24,6 @@
import org.apache.hadoop.ozone.web.ozShell.Handler;
import org.apache.hadoop.ozone.web.ozShell.OzoneAddress;
import org.apache.hadoop.ozone.web.ozShell.Shell;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import picocli.CommandLine;
import picocli.CommandLine.Command;
import picocli.CommandLine.Parameters;
Expand Down Expand Up @@ -92,8 +91,8 @@ public Void call() throws Exception {
boolean result = client.getObjectStore().addAcl(obj,
OzoneAcl.parseAcl(acl));

System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString("Acl set successfully: " + result)));
System.out.printf("%s%n", "Acl added successfully: " + result);

client.close();
return null;
}
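Review bot: `"Acl added successfully: " + result` prints "Acl added successfully: false" when `addAcl` returns false, which reads as success for a change that presumably was not applied. For a command that modifies access control the operator should see an unambiguous outcome, for example `System.out.printf("%s%n", result ? "Acl added successfully." : "Acl was not added.");`. The same pattern is in the other `addAcl`, `removeAcl` and `setAcl` sections further down the page. `call()` starts before this hunk, so what a false return means exactly is not visible here.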
Expand Up @@ -75,8 +75,8 @@ public Void call() throws Exception {

List<OzoneAcl> result = client.getObjectStore().getAcl(obj);

System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString(result)));
System.out.printf("%s%n",
JsonUtils.toJsonStringWithDefaultPrettyPrinter(result));
client.close();
return null;
}
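Review bot: `client.close()` runs only if `getAcl` and `toJsonStringWithDefaultPrettyPrinter(result)` both return normally; an `IOException` from serialization or a failure in `getAcl` skips it and leaves the client open. Assuming `OzoneClient` is `AutoCloseable`, creating it in a try-with-resources statement, `try (OzoneClient client = address.createClient(createOzoneConfiguration())) { ... }`, would cover every exit path. The client is created above this hunk, and the same close-at-the-end shape appears in the other handler sections on this page.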
Expand Up @@ -24,7 +24,6 @@
import org.apache.hadoop.ozone.web.ozShell.Handler;
import org.apache.hadoop.ozone.web.ozShell.OzoneAddress;
import org.apache.hadoop.ozone.web.ozShell.Shell;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import picocli.CommandLine;
import picocli.CommandLine.Command;
import picocli.CommandLine.Parameters;
Expand Down Expand Up @@ -68,7 +67,7 @@ public class RemoveAclBucketHandler extends Handler {
*/
@Override
public Void call() throws Exception {
Objects.requireNonNull(acl, "New acl to be added not specified.");
Objects.requireNonNull(acl, "ACL to be removed not specified.");
OzoneAddress address = new OzoneAddress(uri);
address.ensureBucketAddress();
OzoneClient client = address.createClient(createOzoneConfiguration());
Expand All @@ -92,8 +91,8 @@ public Void call() throws Exception {
boolean result = client.getObjectStore().removeAcl(obj,
OzoneAcl.parseAcl(acl));

System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString("Acl removed successfully: " + result)));
System.out.printf("%s%n", "Acl removed successfully: " + result);

client.close();
return null;
}
Expand Up @@ -24,7 +24,6 @@
import org.apache.hadoop.ozone.web.ozShell.Handler;
import org.apache.hadoop.ozone.web.ozShell.OzoneAddress;
import org.apache.hadoop.ozone.web.ozShell.Shell;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import picocli.CommandLine;
import picocli.CommandLine.Command;
import picocli.CommandLine.Parameters;
Expand Down Expand Up @@ -92,8 +91,8 @@ public Void call() throws Exception {
boolean result = client.getObjectStore().setAcl(obj,
OzoneAcl.parseAcls(acls));

System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString("Acl set successfully: " + result)));
System.out.printf("%s%n", "Acl set successfully: " + result);

client.close();
return null;
}
Expand Up @@ -24,7 +24,6 @@
import org.apache.hadoop.ozone.web.ozShell.Handler;
import org.apache.hadoop.ozone.web.ozShell.OzoneAddress;
import org.apache.hadoop.ozone.web.ozShell.Shell;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import picocli.CommandLine;
import picocli.CommandLine.Command;
import picocli.CommandLine.Parameters;
Expand Down Expand Up @@ -95,8 +94,8 @@ public Void call() throws Exception {
boolean result = client.getObjectStore().addAcl(obj,
OzoneAcl.parseAcl(acl));

System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString("Acl set successfully: " + result)));
System.out.printf("%s%n", "Acl added successfully: " + result);

client.close();
return null;
}
Expand Up @@ -78,8 +78,8 @@ public Void call() throws Exception {

List<OzoneAcl> result = client.getObjectStore().getAcl(obj);

System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString(result)));
System.out.printf("%s%n",
JsonUtils.toJsonStringWithDefaultPrettyPrinter(result));
Contributor


Does this need to be fixed?

Contributor

@bharatviswa504 bharatviswa504 Oct 1, 2019


I think this should be fine, as we are not converting to String and printing. (Same for others too)

Contributor


Isn't that what toJsonStringWithDefaultPrettyPrinter does, i.e. convert to a string? Then we print it out.

Contributor Author


Yes, toJsonStringWithDefaultPrettyPrinter converts to a string, but in JSON format (with proper indentation and a new line for each element).
Previously, we converted the object to be printed to a string (using JsonUtils.toJsonString(result)), then converted it back into an object (inside the old toJsonStringWithDefaultPrettyPrinter()), and then converted it into a string again.

//Old code
public static String toJsonStringWithDefaultPrettyPrinter(String jsonString)
      throws IOException {
    Object json = READER.readValue(jsonString);
    return WRITTER.writeValueAsString(json);
  }

The Json Injection issue happens when converting the jsonString back to Object without validation.

Contributor


Thanks for the clarification.

client.close();
return null;
}
Expand Up @@ -24,7 +24,6 @@
import org.apache.hadoop.ozone.web.ozShell.Handler;
import org.apache.hadoop.ozone.web.ozShell.OzoneAddress;
import org.apache.hadoop.ozone.web.ozShell.Shell;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import picocli.CommandLine;
import picocli.CommandLine.Command;
import picocli.CommandLine.Parameters;
Expand Down Expand Up @@ -68,7 +67,7 @@ public class RemoveAclKeyHandler extends Handler {
*/
@Override
public Void call() throws Exception {
Objects.requireNonNull(acl, "New acl to be added not specified.");
Objects.requireNonNull(acl, "ACL to be removed not specified.");
OzoneAddress address = new OzoneAddress(uri);
address.ensureKeyAddress();
OzoneClient client = address.createClient(createOzoneConfiguration());
Expand All @@ -95,8 +94,8 @@ public Void call() throws Exception {
boolean result = client.getObjectStore().removeAcl(obj,
OzoneAcl.parseAcl(acl));

System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString("Acl set successfully: " + result)));
System.out.printf("%s%n", "Acl removed successfully: " + result);

client.close();
return null;
}
Expand Up @@ -24,7 +24,6 @@
import org.apache.hadoop.ozone.web.ozShell.Handler;
import org.apache.hadoop.ozone.web.ozShell.OzoneAddress;
import org.apache.hadoop.ozone.web.ozShell.Shell;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import picocli.CommandLine;
import picocli.CommandLine.Command;
import picocli.CommandLine.Parameters;
Expand Down Expand Up @@ -94,8 +93,8 @@ public Void call() throws Exception {
boolean result = client.getObjectStore().setAcl(obj,
OzoneAcl.parseAcls(acls));

System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString("Acl set successfully: " + result)));
System.out.printf("%s%n", "Acl set successfully: " + result);

client.close();
return null;
}
Expand Up @@ -71,7 +71,7 @@ public Void call() throws Exception {
}

System.out.printf("%s", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString(token.encodeToUrlString())));
token.encodeToUrlString()));
return null;
}
}
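Review bot: With the parameter now typed `Object`, `toJsonStringWithDefaultPrettyPrinter(token.encodeToUrlString())` serializes a plain `String`, so the token is printed wrapped in JSON quotes and, because the format is `"%s"`, with no trailing newline. The ACL handlers in this commit dropped the JSON helper for plain strings; doing the same here, `System.out.printf("%s%n", token.encodeToUrlString());`, would be consistent, but it changes what scripts consuming the output receive, so confirm that first. The section that follows wraps `token.toString()` the same way. `call()` begins outside the hunk.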
Expand Up @@ -65,7 +65,7 @@ public Void call() throws Exception {
token.decodeFromUrlString(encodedToken);

System.out.printf("%s", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString(token.toString())));
token.toString()));
return null;
}
}
Expand Up @@ -24,7 +24,6 @@
import org.apache.hadoop.ozone.web.ozShell.Handler;
import org.apache.hadoop.ozone.web.ozShell.OzoneAddress;
import org.apache.hadoop.ozone.web.ozShell.Shell;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import picocli.CommandLine;
import picocli.CommandLine.Command;
import picocli.CommandLine.Parameters;
Expand Down Expand Up @@ -89,8 +88,8 @@ public Void call() throws Exception {
boolean result = client.getObjectStore().addAcl(obj,
OzoneAcl.parseAcl(acl));

System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString("Acl set successfully: " + result)));
System.out.printf("%s%n", "Acl added successfully: " + result);

client.close();
return null;
}
Expand Up @@ -69,8 +69,8 @@ public Void call() throws Exception {
OzoneObj.StoreType.valueOf(storeType))
.build();
List<OzoneAcl> result = client.getObjectStore().getAcl(obj);
System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString(result)));
System.out.printf("%s%n",
JsonUtils.toJsonStringWithDefaultPrettyPrinter(result));
client.close();
return null;
}
Expand Up @@ -24,7 +24,6 @@
import org.apache.hadoop.ozone.web.ozShell.Handler;
import org.apache.hadoop.ozone.web.ozShell.OzoneAddress;
import org.apache.hadoop.ozone.web.ozShell.Shell;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import picocli.CommandLine;
import picocli.CommandLine.Command;
import picocli.CommandLine.Parameters;
Expand Down Expand Up @@ -68,7 +67,7 @@ public class RemoveAclVolumeHandler extends Handler {
*/
@Override
public Void call() throws Exception {
Objects.requireNonNull(acl, "New acl to be added not specified.");
Objects.requireNonNull(acl, "ACL to be removed not specified.");
OzoneAddress address = new OzoneAddress(uri);
address.ensureVolumeAddress();
OzoneClient client = address.createClient(createOzoneConfiguration());
Expand All @@ -89,8 +88,8 @@ public Void call() throws Exception {
boolean result = client.getObjectStore().removeAcl(obj,
OzoneAcl.parseAcl(acl));

System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString("Acl removed successfully: " + result)));
System.out.printf("%s%n", "Acl removed successfully: " + result);

client.close();
return null;
}
Expand Up @@ -24,7 +24,6 @@
import org.apache.hadoop.ozone.web.ozShell.Handler;
import org.apache.hadoop.ozone.web.ozShell.OzoneAddress;
import org.apache.hadoop.ozone.web.ozShell.Shell;
import org.apache.hadoop.ozone.web.utils.JsonUtils;
import picocli.CommandLine;
import picocli.CommandLine.Command;
import picocli.CommandLine.Parameters;
Expand Down Expand Up @@ -92,8 +91,8 @@ public Void call() throws Exception {
boolean result = client.getObjectStore().setAcl(obj,
OzoneAcl.parseAcls(acls));

System.out.printf("%s%n", JsonUtils.toJsonStringWithDefaultPrettyPrinter(
JsonUtils.toJsonString("Acl set successfully: " + result)));
System.out.printf("%s%n", "Acl set successfully: " + result);

client.close();
return null;
}