[YARN-10336] RM page should throw exception when command injected in RM REST API to get applications - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.4.0, 3.3.1
Fix Version/s: 3.4.0, 3.3.1
Component/s: webapp
Labels:
None

Target Version/s:

3.4.0, 3.3.1
Hadoop Flags:

Reviewed

Description

Using a web application attacking, we see that injecting commands like ACCEPTED, FAILED and FINISHED to RM REST API does not throw an exception. Refer images.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

YARN-10336.003.patch
11/Aug/20 17:24
5 kB
Bilwa S T
YARN-10336.002.patch
11/Aug/20 14:16
4 kB
Bilwa S T
testproof.png
31/Jul/20 07:56
130 kB
Bilwa S T
YARN-10336.001.patch
31/Jul/20 07:51
1 kB
Bilwa S T
RM_UI.jpg
02/Jul/20 06:57
86 kB
Rajshree Mishra
CommandInject.jpg
02/Jul/20 06:57
48 kB
Rajshree Mishra

Activity

People

Assignee:: Bilwa S T

Reporter:: Rajshree Mishra

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 02/Jul/20 07:08

Updated:: 11/Feb/24 12:58

Resolved:: 13/Aug/20 18:19