Fixing cross origin bug for rest calls that allow a malicious user to issue requests from a site other than the zeppelin server.

djoelz-tssr · djoelz-tssr · commit 3d6ce2eebfcd · 2015-08-20T11:31:28.000-07:00
Adding unit tests and a dependency to mockito to the server project (please comment if that is ok or if there is another preferred mocking framework).
Also upgrading the servelet version from 2.5 to 3.0 as this also fixes a security vulnerability with respect to httonly cookies.
diff --git a/zeppelin-server/src/test/java/org/apache/zeppelin/security/SecurityUtilsTests.java b/zeppelin-server/src/test/java/org/apache/zeppelin/security/SecurityUtilsTests.java
@@ -29,6 +29,18 @@
  * Created by joelz on 8/19/15.
  */
 public class SecurityUtilsTests {
+    @Test
+    public void isInvalid() throws URISyntaxException, UnknownHostException {
+        Assert.assertFalse(SecurityUtils.isValidOrigin("http://127.0.1.1", ZeppelinConfiguration.create()));
+    }
+
+    @Test
+    public void isInvalidFromConfig() throws URISyntaxException, UnknownHostException, ConfigurationException {
+        Assert.assertFalse(
+                SecurityUtils.isValidOrigin("http://otherinvalidhost.com",
+                        new ZeppelinConfiguration(this.getClass().getResource("/zeppelin-site.xml"))));
+    }
+
     @Test
     public void isLocalhost() throws URISyntaxException, UnknownHostException {
         Assert.assertTrue(SecurityUtils.isValidOrigin("http://localhost", ZeppelinConfiguration.create()));
diff --git a/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java b/zeppelin-zengine/src/main/java/org/apache/zeppelin/conf/ZeppelinConfiguration.java
@@ -427,7 +427,7 @@ public static enum ConfVars {
     ZEPPELIN_CONF_DIR("zeppelin.conf.dir", "conf"),
     // Allows a way to specify a ',' separated list of allowed origins for rest and websockets
     // i.e. http://localhost:8080
-    ZEPPELIN_ALLOWED_ORIGINS("zeppelin.server.allowed.origins", "");
+    ZEPPELIN_ALLOWED_ORIGINS("zeppelin.server.allowed.origins", "*");
 
     private String varName;
     @SuppressWarnings("rawtypes")
