Prevent basic authentication over HTTP
What changes were proposed in this pull request?
Sensitive information like a username and password shall not be sent over a cleartext HTTP channel. Basic authentication only obfuscates the username/password with Base64 encoding, which can be easily recognized and reversed.
The class ambari-funtest/src/test/java/org/apache/ambari/funtest/server/AmbariHttpWebRequest.java sends username and password in basic authentication over an HTTP connection. Sending username and password using the HTTP protocol violates CWE-522 "Insufficiently Protected Credentials".
Although the vulnerable class is in the ambari-funtest package, Ambari is a popular Apache repository that is watched and used by many users and organizations, whose code could be extended and customized, so the issue shall be resolved in my opinion.
How was this patch tested?
The change is minimal and only involves one class.
Please investigate and consider merging the PR as well as opening a security advisory if you agree this is a valid issue.
Thanks, @luchua-bc
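The point made in the PR description, as an added example that is not code from the PR author or from Ambari: a Basic Authorization header is recovered by anyone who can read the connection with a single Base64 decode, so the scheme of the URL it travels over is what protects it. The format strings below are hypothetical stand-ins modelled on the SERVER_URL_FORMAT / SERVER_SSL_URL_FORMAT names used in the discussion, not Ambari's actual values, and the credentials are constructed sample data.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/**
 * Added example (not Ambari code): why HTTP Basic authentication over
 * cleartext HTTP falls under CWE-522, and a guard that refuses to attach
 * credentials unless the target URL uses https.
 */
public class BasicAuthOverHttpDemo {

    // Hypothetical format strings, named after the constants mentioned in the
    // thread; the real Ambari values are not reproduced here.
    static final String SERVER_URL_FORMAT = "http://%s:%d%s";
    static final String SERVER_SSL_URL_FORMAT = "https://%s:%d%s";

    /** What the client puts on the wire: "Basic " + base64(user:password). */
    static String basicAuthHeader(String user, String password) {
        String raw = user + ":" + password;
        return "Basic " + Base64.getEncoder()
                .encodeToString(raw.getBytes(StandardCharsets.UTF_8));
    }

    /** What an on-path observer does with a captured header: no key, just a decode. */
    static String[] recoverCredentials(String authorizationHeader) {
        String b64 = authorizationHeader.substring("Basic ".length());
        String raw = new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
        int colon = raw.indexOf(':');
        return new String[] { raw.substring(0, colon), raw.substring(colon + 1) };
    }

    /** Guard: only emit a Basic header for URLs whose scheme is https. */
    static String authorizationFor(String url, String user, String password)
            throws URISyntaxException {
        URI uri = new URI(url);
        if (!"https".equalsIgnoreCase(uri.getScheme())) {
            throw new IllegalArgumentException(
                    "refusing to send Basic credentials over " + uri.getScheme());
        }
        return basicAuthHeader(user, password);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample credentials and host; nothing here is real.
        String header = basicAuthHeader("admin", "s3cret");
        String[] leaked = recoverCredentials(header);
        System.out.println("Observed header : " + header);
        System.out.println("Recovered       : " + leaked[0] + " / " + leaked[1]);

        String insecure = String.format(SERVER_URL_FORMAT, "ambari.example", 8080, "/api/v1/clusters");
        String secure = String.format(SERVER_SSL_URL_FORMAT, "ambari.example", 8443, "/api/v1/clusters");
        try {
            authorizationFor(insecure, "admin", "s3cret");
        } catch (IllegalArgumentException e) {
            System.out.println("Blocked         : " + e.getMessage());
        }
        System.out.println("Allowed         : " + authorizationFor(secure, "admin", "s3cret"));
    }
}
```

The scheme check only helps if the HTTPS connection that follows actually validates the server certificate; a client that trusts any certificate still hands the header to whoever answers on the port.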
It is a functional test, which tests http/https endpoints and is not part of production code.
Thanks @hapylestat for looking into the PR. I understand the class is not part of the production code, however, does it make sense to at least change the default implementation from HTTP to HTTPS? That is, use SERVER_SSL_URL_FORMAT instead of SERVER_URL_FORMAT?
@luchua-bc Could you please create a JIRA ticket and update the PR summary by prepending the issue number?
Thanks @hapylestat for the follow-up. I've created a JIRA ticket #25588.