Configurable Origins and small configuration fixes #235
Closed
djoelz wants to merge 24 commits into apache:master from djoelz:master
Conversation
…le to Cross-Site WebSocket Hijacking
…se Mockito (unit test framework) and forces the servlet to use version 3.0 instead of 2.5
… issue requests from a site other than the zeppelin server. Adding unit tests and a dependency to mockito to the server project (please comment if that is ok or if there is another preferred mocking framework). Also upgrading the servlet version from 2.5 to 3.0 as this also fixes a security vulnerability with respect to httponly cookies.
Merging from Master
…into apache-master
Conflicts:
zeppelin-server/src/main/java/org/apache/zeppelin/socket/NotebookServer.java
zeppelin-server/src/test/java/org/apache/zeppelin/socket/NotebookServerTests.java
zeppelin-server/src/test/java/org/apache/zeppelin/socket/TestHttpServletRequest.java
test
Conflicts:
zeppelin-server/src/main/java/org/apache/zeppelin/server/CorsFilter.java
zeppelin-server/src/test/java/org/apache/zeppelin/socket/NotebookServerTests.java
Member
Thanks for the fix! Tested and looks good to me.
Contributor
Do these tests run using the mvn test goal? I think the test class names should not be pluralized (e.g., SecurityUtilsTests -> SecurityUtilsTest). I may be wrong.
Author
You know more than me on this one. I can go and rename all my tests if this is true. Let me look at the build log to see if they ran.
Author
I will just rename to be consistent
Contributor
@djoelz Thanks for adding the origin names as a configuration option. Much appreciated.
…value and hence the configuration is present.
Member
Thanks @djoelz. I'm merging it.
Leemoonsoo pushed a commit to Leemoonsoo/zeppelin that referenced this pull request on Sep 17, 2015:
This makes it configurable to specify multiple origins as allowed (default only local origin is allowed). Wildcard origin will not be supported as it is a security vulnerability. It adds a compatibility check in configuration for windows paths. Upgrades servlet config to add httponly and secure which will secure session cookies if used.

Author: joelz <[email protected]>
Author: djoelz <[email protected]>

Closes apache#235 from djoelz/master and squashes the following commits:

989f1e0 [joelz] Retrying build as it seems ZeppelinIT failed for no reason.
625b54e [joelz] Fixing unit test that reads from a file but initializes to a default value and hence the configuration is present.
e9d8384 [joelz] Retrying due to git download issue with build
2887f0d [joelz] Renaming tests to singular name so plugin can detect and run
9260d5d [joelz] Fixing adding the origin header for get and post tests.
b7bb7bf [joelz] Fixing Styling
b2b418a [joelz] Fixing cross origin bug for rest calls that allow a malicious user to issue requests from a site other than the zeppelin server. Adding unit tests and a dependency to mockito to the server project (please comment if that is ok or if there is another preferred mocking framework). Also upgrading the servlet version from 2.5 to 3.0 as this also fixes a security vulnerability with respect to httponly cookies.
4ae9129 [joelz] Fixing null reference
3795de7 [joelz] Fixing cross origin bug for rest calls that allow a malicious user to issue requests from a site other than the zeppelin server. Adding unit tests and a dependency to mockito to the server project (please comment if that is ok or if there is another preferred mocking framework). Also upgrading the servlet version from 2.5 to 3.0 as this also fixes a security vulnerability with respect to httponly cookies.
bcb1ac1 [joelz] Fixing cross origin bug for rest calls that allow a malicious user to issue requests from a site other than the zeppelin server. Adding unit tests and a dependency to mockito to the server project (please comment if that is ok or if there is another preferred mocking framework). Also upgrading the servlet version from 2.5 to 3.0 as this also fixes a security vulnerability with respect to httponly cookies.
3d6ce2e [joelz] Fixing cross origin bug for rest calls that allow a malicious user to issue requests from a site other than the zeppelin server. Adding unit tests and a dependency to mockito to the server project (please comment if that is ok or if there is another preferred mocking framework). Also upgrading the servlet version from 2.5 to 3.0 as this also fixes a security vulnerability with respect to httponly cookies.
1f851c0 [joelz] Fixing cross origin bug for rest calls that allow a malicious user to issue requests from a site other than the zeppelin server. Adding unit tests and a dependency to mockito to the server project (please comment if that is ok or if there is another preferred mocking framework). Also upgrading the servlet version from 2.5 to 3.0 as this also fixes a security vulnerability with respect to httponly cookies.
7ecf7e9 [joelz] Merge branch 'master' of https://github.com/djoelz/incubator-zeppelin
faa6204 [joelz] Merge branch 'apache-master'
52eb1bd [joelz] Merge branch 'master' of https://github.com/apache/incubator-zeppelin into apache-master
5ff1a47 [joelz] Merge branch 'masterOrigin'
47902a6 [joelz] Fixing cross origin bug for rest calls that allow a malicious user to issue requests from a site other than the zeppelin server. Adding unit tests and a dependency to mockito to the server project (please comment if that is ok or if there is another preferred mocking framework). Also upgrading the servlet version from 2.5 to 3.0 as this also fixes a security vulnerability with respect to httponly cookies.
a00adc2 [djoelz] Merge pull request #1 from apache/master
df324de [joelz] Fixing cross origin bug for rest calls that allow a malicious user to issue requests from a site other than the zeppelin server. Adding unit tests and a dependency to mockito to the server project (please comment if that is ok or if there is another preferred mocking framework). Also upgrading the servlet version from 2.5 to 3.0 as this also fixes a security vulnerability with respect to httponly cookies.
cecbab8 [joelz] Fixing cross origin bug for rest calls that allow a malicious user to issue requests from a site other than the zeppelin server. Adding unit tests and a dependency to mockito to the server project (please comment if that is ok or if there is another preferred mocking framework). Also upgrading the servlet version from 2.5 to 3.0 as this also fixes a security vulnerability with respect to httponly cookies.
61e857d [joelz] Fixing Rest request lack of Origin validation bug, Added tests that use Mockito (unit test framework) and forces the servlet to use version 3.0 instead of 2.5
08ff369 [djoelz] unnecessary file
013f22d [joelz] Fixing issue with ZEPPELIN-173: Zeppelin websocket server is vulnerable to Cross-Site WebSocket Hijacking
ea54b55 [joelz] Fixing issue with ZEPPELIN-173: Zeppelin websocket server is vulnerable to Cross-Site WebSocket Hijacking

(cherry picked from commit 703b47f)
Signed-off-by: Lee moon soo <[email protected]>
lelou6666 pushed a commit to lelou6666/incubator-zeppelin that referenced this pull request on Mar 25, 2016:
Bind/Unbind interpreters to note
This makes it configurable to specify multiple origins as allowed (by default only the local origin is allowed). Wildcard origins will not be supported as they are a security vulnerability.
It adds a compatibility check in the configuration for Windows paths.
Upgrades the servlet config to add HttpOnly and Secure, which will secure session cookies if used.
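The origin rule the description above states (an explicit allow-list, the server's own origin by default, no wildcard) together with the HttpOnly/Secure cookie flags, as an added stand-alone example. This is not Zeppelin's CorsFilter, SecurityUtils or NotebookServer code and makes no claim about what the pre-patch code did; the function names, the comma-separated configuration format and the sample origins are assumptions for illustration. Python is used so the check can be run directly; the exact-match logic is the same one a servlet filter or WebSocket handshake handler would apply.

```python
"""Origin allow-list model for CORS responses and WebSocket handshakes.

Added illustration; not Zeppelin's CorsFilter, SecurityUtils or NotebookServer.
Rule modelled: allowed origins are an explicit configured list, the server's own
origin is allowed by default, and a wildcard is refused. Function names, the
comma-separated config format and all sample origins are assumptions.
"""
from urllib.parse import urlsplit


def normalize_origin(origin):
    """Canonicalise to 'scheme://host:port', or None if not a bare origin.
    A path, query, fragment or userinfo means a URL rather than an origin, so
    'https://evil.example/@zeppelin.example' is rejected, not partially matched."""
    try:
        parts = urlsplit(origin.strip())
        port = parts.port  # ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return "%s://%s:%d" % (parts.scheme, parts.hostname.lower(), port)


def build_allowed_origins(server_origin, configured=""):
    """Allow-list = the server's own origin plus a comma-separated configured list.
    '*' (alone or inside a pattern) is a configuration error: with credentialed
    requests a wildcard would let any site drive the REST API and WebSocket."""
    own = normalize_origin(server_origin)
    if own is None:
        raise ValueError("server origin is malformed: %r" % server_origin)
    allowed = {own}
    for entry in configured.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "*" in entry:
            raise ValueError("wildcard origins are not supported: %r" % entry)
        norm = normalize_origin(entry)
        if norm is None:
            raise ValueError("malformed origin in configuration: %r" % entry)
        allowed.add(norm)
    return frozenset(allowed)


def is_allowed_origin(origin_header, allowed):
    """Exact match against the allow-list; a missing or malformed Origin is refused."""
    if not origin_header:
        return False
    norm = normalize_origin(origin_header)
    return norm is not None and norm in allowed


def cors_headers(origin_header, allowed):
    """Response headers for a credentialed REST call: only an allow-listed Origin
    is echoed back; anything else gets no CORS headers, so the browser withholds
    the response from the page. Echoing every Origin would be as open as '*'."""
    if not is_allowed_origin(origin_header, allowed):
        return {}
    return {
        "Access-Control-Allow-Origin": origin_header,  # the exact value, never '*'
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # a cache must not replay one origin's answer to another
    }


def accept_websocket_handshake(origin_header, allowed):
    """Cross-Site WebSocket Hijacking check: browsers always send Origin on the
    upgrade request, so a missing or foreign Origin is refused before the socket
    is upgraded and the ambient session cookie can be reused by another site."""
    return is_allowed_origin(origin_header, allowed)


def session_cookie(name, value, secure=True):
    """Set-Cookie value with the flags the PR turns on: HttpOnly keeps script
    from reading the session id, Secure keeps it off plaintext HTTP."""
    flags = ["Path=/", "HttpOnly"] + (["Secure"] if secure else [])
    return "%s=%s; %s" % (name, value, "; ".join(flags))


if __name__ == "__main__":
    # Constructed configuration and requests for this illustration.
    allowed = build_allowed_origins("http://zeppelin.example:8080",
                                    "https://notebook-ui.example, http://localhost:9000")
    print(cors_headers("http://zeppelin.example:8080", allowed))  # echoed back
    print(cors_headers("https://attacker.example", allowed))  # {} -> blocked
    print(accept_websocket_handshake("https://attacker.example", allowed))  # False
    print(session_cookie("JSESSIONID", "constructed-session-id"))
    try:
        build_allowed_origins("http://zeppelin.example:8080", "*")
    except ValueError as exc:
        print("refused:", exc)
```

Two design points worth noting: the comparison is on the normalised scheme, host and port rather than a substring or prefix, so `http://zeppelin.example` (port 80) does not match a server on 8080 and a host embedded in the path or userinfo cannot impersonate it; and a foreign origin receives no `Access-Control-Allow-Origin` header at all rather than a denial, which is what makes the browser enforce the policy.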