Fixing issue with ZEPPELIN-173: Zeppelin websocket server is vulnerable to Cross-Site WebSocket Hijacking #205
Conversation
Could you explain a little bit why this if condition can be removed?
I think it's a merge issue as I did not remove it. Let me double check
Fixing in the next commit. Please review when you have time.
Tested and working nicely. Thanks for the contribution!

I have fixed the merge issues and recommitted. Ready for your review. Thanks,

> From: Lee moon soo
> Tested and working nicely. Thanks for the contribution!

Thanks, LGTM.

Great! Next step is to merge? Who does this?

Next step is getting more review and votes, or waiting for enough time to have discussions and consensus (which normally takes a day at least). Then it's going to be merged.

Not sure if it's best to comment here, or open a new issue, but `java.net.InetAddress.getLocalHost().getHostName();` isn't going to return all possible addresses which a node might reasonably be listening on. For instance, on an EC2 node, this will return the private IP, but if you want to connect to that node from outside of Amazon's network, that address won't be visible, whereas the public address will. I think there needs to at least be the option of setting an alternative value in config.

We got a similar problem, can't complete websocket handshake in some installations since this commit

@philwills @corneadoug Right, I'll create a patch, soon. Thanks!

@Leemoonsoo can I suggest alternativeallowedsource as the configuration name? Also this will be used for my other pull request that affects REST endpoints as well. I could implement it also if you want. Have you started already?

@djoelz If you can implement, that would be really appreciated!

@Leemoonsoo @jonbuffington is already doing the work. I will work closely with Jon to wrap this up. Thanks Jon!

I have a fix for this. Will create the PR soon

Looking forward to this fix, I am unable to run Zeppelin in AWS. On my local machine, I don't have web-socket issue.
@djoelz I also pushed a fix. @djoelz, @jitenderaswani please review #233. |
Fixing the socket cross-origin vulnerability as described in the Jira. Overwrote the checkOrigin in the WebSocketServlet class implemented by NotebookServer so that a list of all seen socket Get requests are kept and only Upgrade requests from the same origin will be accepted. Otherwise unauthorized will be returned.

Included basic unit tests.

Author: joelz <[email protected]>
Author: djoelz <[email protected]>

Closes apache#205 from djoelz/master and squashes the following commits:

08ff369 [djoelz] unecessary file
013f22d [joelz] Fixing issue with ZEPPELIN-173: Zeppelin websocket server is vulnerable to Cross-Site WebSocket Hijacking
ea54b55 [joelz] Fixing issue with ZEPPELIN-173: Zeppelin websocket server is vulnerable to Cross-Site WebSocket Hijacking

(cherry picked from commit d5ab911)
Signed-off-by: Lee moon soo <[email protected]>
Refactor updating notebook
Fixing the socket cross-origin vulnerability as described in the Jira. Overwrote the checkOrigin in the WebSocketServlet class implemented by NotebookServer so that a list of all seen socket Get requests are kept and only Upgrade requests from the same origin will be accepted. Otherwise unauthorized will be returned.
Included basic unit tests.
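The handshake gate the commit message describes (an overridden checkOrigin that accepts the Upgrade only from the same origin), together with the point raised in the discussion that the locally resolved hostname is not every address a node is reachable on, as an added Python example. This is not Zeppelin's code and not from this pull request; it assumes a hypothetical configuration list named `allowed_origins` (the thread suggests the name alternativeallowedsource, which is not adopted here) and constructed sample handshakes, and `check_origin` stands in for the role the servlet's checkOrigin override plays.

```python
"""Origin validation for WebSocket Upgrade requests (added illustration).

The decision is an exact comparison of (scheme, host, port): a prefix or
substring match would let http://zeppelin.example.attacker.example pass for
http://zeppelin.example, which is the classic cross-site WebSocket hijacking
bypass.
"""
from urllib.parse import urlsplit

# Default ports make "https://a.example" and "https://a.example:443" compare equal.
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_origin(value):
    """Parse an Origin header value into a (scheme, host, port) tuple.

    Returns None for anything that is not a well-formed web origin, including
    the literal "null" a browser sends for sandboxed or opaque origins.
    """
    if not value:
        return None
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname or parts.path or parts.query:
        return None
    return (scheme, parts.hostname.lower(), port or DEFAULT_PORTS[scheme])


def allowed_origin_set(allowed_origins, host_header, request_scheme):
    """Origins that may open a socket: every configured origin (hypothetical
    `allowed_origins` setting) plus the request's own origin derived from the
    Host header. A browser fills in Host itself, so a cross-site page cannot
    forge it; the configured list covers the case from the discussion, where
    the address the browser used (public IP, proxy hostname) is not the one
    the node sees or resolves locally."""
    allowed = {o for o in map(parse_origin, allowed_origins) if o is not None}
    own = parse_origin("%s://%s" % (request_scheme, host_header)) if host_header else None
    if own is not None:
        allowed.add(own)
    return allowed


def check_origin(headers, allowed_origins, request_scheme="http"):
    """Gate a WebSocket handshake. Returns (accepted, reason)."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket":
        return (False, "not a WebSocket upgrade request")
    origin = parse_origin(h.get("origin"))
    if origin is None:
        # Browsers always send Origin on the handshake, so a missing or
        # malformed value is refused rather than treated as trusted.
        return (False, "missing or malformed Origin header")
    if origin in allowed_origin_set(allowed_origins, h.get("host"), request_scheme):
        return (True, "origin accepted")
    return (False, "origin %s not accepted" % h["origin"])


# Constructed sample handshakes (not captured from any real deployment).
def _handshake(host, origin):
    hs = {"Host": host, "Upgrade": "websocket", "Connection": "Upgrade"}
    if origin is not None:
        hs["Origin"] = origin
    return hs


SAME_ORIGIN = _handshake("zeppelin.example:8080", "http://zeppelin.example:8080")
CROSS_SITE = _handshake("zeppelin.example:8080", "http://attacker.example")
LOOKALIKE = _handshake("zeppelin.example:8080", "http://zeppelin.example.attacker.example:8080")
NO_ORIGIN = _handshake("zeppelin.example:8080", None)
# The browser reached the node through a TLS proxy at notebooks.example; the
# node itself sees an internal Host value, so only configuration can allow it.
PROXIED = _handshake("10.0.0.5:8080", "https://notebooks.example")


if __name__ == "__main__":
    cases = [("same origin", SAME_ORIGIN), ("cross site", CROSS_SITE),
             ("lookalike host", LOOKALIKE), ("no Origin", NO_ORIGIN),
             ("proxied, nothing configured", PROXIED)]
    for name, hs in cases:
        print(name, check_origin(hs, []))
    print("proxied, configured", check_origin(PROXIED, ["https://notebooks.example"]))
```

Rejecting a handshake with no Origin header is a design choice here: browsers always send one, so a missing header cannot come from a victim's browser, and non-browser clients that need access are better served by an explicit allowance than by treating absence as trust.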