
Commit b2b418a

committed
Fixing a cross-origin bug for REST calls that allows a malicious user to issue requests from a site other than the Zeppelin server.
Adding unit tests and a dependency on Mockito to the server project (please comment if that is OK or if there is another preferred mocking framework). Also upgrading the servlet version from 2.5 to 3.0, as this also fixes a security vulnerability with respect to HttpOnly cookies.
1 parent 4ae9129 commit b2b418a


2 files changed

+26
-1
lines changed


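--- a/zeppelin-server/src/main/java/org/apache/zeppelin/utils/SecurityUtils.java
+++ b/zeppelin-server/src/main/java/org/apache/zeppelin/utils/SecurityUtils.java
@@ -28,7 +28,11 @@
 public class SecurityUtils {
 public static Boolean isValidOrigin(String sourceHost, ZeppelinConfiguration conf)
 throws UnknownHostException, URISyntaxException {
-URI sourceHostUri = new URI(sourceHost.toLowerCase());
+if(sourceHost == null){
+return false;
+}
+
+URI sourceHostUri = new URI(sourceHost);
 String currentHost = java.net.InetAddress.getLocalHost().getHostName().toLowerCase();
 if (currentHost.equals(sourceHostUri.getHost()) ||
 "localhost".equals(sourceHostUri.getHost()) ||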

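--- a/zeppelin-server/src/test/java/org/apache/zeppelin/security/SecurityUtilsTests.java
+++ b/zeppelin-server/src/test/java/org/apache/zeppelin/security/SecurityUtilsTests.java
@@ -66,4 +66,25 @@ public void isValidFromStar() throws URISyntaxException, UnknownHostException, C
 SecurityUtils.isValidOrigin("http://anyhost.com",
 new ZeppelinConfiguration(this.getClass().getResource("/zeppelin-site-star.xml"))));
 }
+
+@Test
+public void nullOrigin() throws URISyntaxException, UnknownHostException, ConfigurationException {
+Assert.assertFalse(
+SecurityUtils.isValidOrigin(null,
+new ZeppelinConfiguration(this.getClass().getResource("/zeppelin-site.xml"))));
+}
+
+@Test
+public void emptyOrigin() throws URISyntaxException, UnknownHostException, ConfigurationException {
+Assert.assertFalse(
+SecurityUtils.isValidOrigin("",
+new ZeppelinConfiguration(this.getClass().getResource("/zeppelin-site.xml"))));
+}
+
+@Test
+public void notAURIOrigin() throws URISyntaxException, UnknownHostException, ConfigurationException {
+Assert.assertFalse(
+SecurityUtils.isValidOrigin("test123",
+new ZeppelinConfiguration(this.getClass().getResource("/zeppelin-site.xml"))));
+}
 }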
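Review bot: All three new tests (`nullOrigin`, `emptyOrigin`, `notAURIOrigin`) hand `isValidOrigin` a value that `new URI(...)` accepts — null is short-circuited, and "" and "test123" parse as relative references with a null host — so none of them pins what the check does with an Origin that fails URI parsing, which today propagates as `URISyntaxException` instead of returning false. Add a case with a value that is not a valid URI, e.g. `SecurityUtils.isValidOrigin("http://exa mple.com", ...)` (constructed example), asserting whichever outcome is intended, and a case with an upper-case host such as `"http://LOCALHOST"` to pin whether the comparison is meant to be case-insensitive now that the lowercasing was removed from the production code. The test class header and the preceding `isValidFromStar` method begin outside the hunk.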
