[MINOR] Tighten origin and content-type handling in REST/WebSocket layer#5251
Merged
## What is this PR for?

Apply stricter defaults to the request-handling layer for tighter out-of-the-box behavior:

- `CorsFilter` blocks state-changing methods (POST/PUT/DELETE/PATCH) and cross-origin preflight requests when the `Origin` header is not in the configured allow-list. `Access-Control-Allow-Credentials` is only sent when the `Origin` is allowed.
- The default value of `zeppelin.server.allowed.origins` changes from `*` to empty so cross-origin browser access must be explicitly enabled. **Operators relying on the previous default need to set this back to `*` or to specific origin(s).** Same-origin / same-host and non-browser clients are unaffected.
- A new Jersey request filter restricts REST request bodies on state-changing methods to `application/json`, `application/x-www-form-urlencoded`, or `multipart/form-data`; other media types are rejected with `415`.
- The default `shiro.ini.template` now sets `cookie.sameSite = LAX`.
- `ZeppelinClient.addParagraph` and `updateParagraph` now send an explicit `Content-Type: application/json` header so they pass the new filter.
- `CorsUtils.isValidOrigin` normalizes the `Origin` header to lowercase before the allow-list membership check, mirroring how the configured origins are stored, so case differences in the `Origin` header do not produce false rejections.
- A small `HttpMethods` utility holds the shared `STATE_CHANGING` method set used by both the servlet filter and the Jersey filter.

## What type of PR is it?

Improvement

## Todos

- [ ] CI green

## Questions

- None

## Screenshots (if appropriate)

N/A

Closes apache#5229 from jongyoul/minor-cors-hardening.

Signed-off-by: Jongyoul Lee <jongyoul@gmail.com>
(cherry picked from commit 9da7f2a)
Signed-off-by: Jongyoul Lee <jongyoul@gmail.com>
Backport of #5229 to branch-0.12 for the upcoming 0.12.1 security release.
## What changes

Cherry-pick of the squash commit 9da7f2a from master. Tightens default security behavior in the REST/WebSocket request-handling layer:

- `Access-Control-Allow-Credentials` for allowed origins; default `zeppelin.server.allowed.origins` becomes empty.
- `AllowedContentTypeFilter`) rejects state-changing REST requests whose `Content-Type` is not in the allow-list (`application/json`, `application/x-www-form-urlencoded`, `multipart/form-data`) with 415.
- `cookie.sameSite = LAX`.
- `ZeppelinClient`: send explicit `application/json` `Content-Type` on all body-carrying calls.

## Notes for 0.12.1 release

This is a breaking change for some external integrations and must be called out in the 0.12.1 release notes:

- `zeppelin.server.allowed.origins` default changed from `*` to empty. Same-host and `localhost` requests still pass via shortcuts, but cross-domain SPAs that called Zeppelin REST without explicit origin allow-listing will need to set this property.
- `Content-Type` or they will be rejected with 415. Browser/Angular UI traffic and `ZeppelinClient` are unaffected; only third-party clients sending bodies without `Content-Type` (or with `text/plain` etc.) will see this.

## Verification

- `branch-0.12` (no conflicts).
- `mvn test` on the affected modules: `AllowedContentTypeFilterTest`, `CorsFilterTest`, `CorsUtilsTest`, `ZeppelinConfigurationTest`, `NotebookServiceTest#testNormalizeNotePath` — 33 tests pass.
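The origin and `Content-Type` decisions described in both PR bodies above, as an added Java illustration that is not Zeppelin's own `CorsFilter`/`AllowedContentTypeFilter` code: the class and method names are hypothetical, the `hasBody` flag is an assumption standing in for "the request carries an entity", and the same-host/`localhost` shortcuts the backport notes mention are omitted.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

// Added illustration of the decisions this PR describes; not Zeppelin's own
// CorsFilter/AllowedContentTypeFilter code. Same-host/localhost shortcuts are omitted.
public final class RequestPolicyDemo {
  enum Decision { ALLOW, BLOCK_ORIGIN, UNSUPPORTED_MEDIA_TYPE }
  // The shared method set the PR moves into HttpMethods.STATE_CHANGING.
  static final Set<String> STATE_CHANGING =
      new HashSet<>(Arrays.asList("POST", "PUT", "DELETE", "PATCH"));
  static final Set<String> ALLOWED_BODY_TYPES = new HashSet<>(Arrays.asList(
      "application/json", "application/x-www-form-urlencoded", "multipart/form-data"));
  private final Set<String> allowedOrigins = new HashSet<>();
  // The property models zeppelin.server.allowed.origins; "" is the new default.
  RequestPolicyDemo(String allowedOriginsProperty) {
    for (String o : allowedOriginsProperty.split(",")) {
      if (!o.trim().isEmpty()) allowedOrigins.add(o.trim().toLowerCase(Locale.ROOT));
    }
  }
  // Membership test after lowercasing the Origin header, as CorsUtils.isValidOrigin now does.
  boolean isOriginAllowed(String origin) {
    return allowedOrigins.contains("*") || allowedOrigins.contains(origin.toLowerCase(Locale.ROOT));
  }
  // Access-Control-Allow-Credentials is emitted only for an Origin that passed the allow-list.
  boolean sendAllowCredentials(String origin) {
    return origin != null && isOriginAllowed(origin);
  }
  // Media type without parameters, so "application/json; charset=utf-8" still matches.
  static String mediaType(String contentType) {
    return contentType == null ? null : contentType.split(";")[0].trim().toLowerCase(Locale.ROOT);
  }
  // acrm = Access-Control-Request-Method header (present on a CORS preflight). hasBody is an
  // assumption standing in for "the request carries an entity"; 415 is the status the PR gives.
  Decision decide(String method, String origin, String acrm, boolean hasBody, String contentType) {
    boolean preflight = "OPTIONS".equals(method) && acrm != null;
    if (origin != null && (STATE_CHANGING.contains(method) || preflight)
        && !isOriginAllowed(origin)) return Decision.BLOCK_ORIGIN;
    if (STATE_CHANGING.contains(method) && hasBody
        && !ALLOWED_BODY_TYPES.contains(mediaType(contentType))) return Decision.UNSUPPORTED_MEDIA_TYPE;
    return Decision.ALLOW;
  }
  public static void main(String[] args) {
    RequestPolicyDemo strict = new RequestPolicyDemo("");                     // new default
    RequestPolicyDemo app = new RequestPolicyDemo("https://app.example.com");  // constructed origin
    System.out.println(strict.decide("POST", "https://app.example.com", null, true, "application/json"));
    System.out.println(app.decide("POST", "https://APP.Example.com", null, true, "application/json; charset=utf-8"));
    System.out.println(app.decide("POST", null, null, true, "text/plain"));
    System.out.println(app.decide("OPTIONS", "https://other.example", "POST", false, null));
  }
}
```

With the empty default, the first call is blocked even for a well-formed JSON request, while the mixed-case origin in the second call passes because both sides are lowercased before comparison.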