HIVE-28653: Jetty version disclosure in Hive (apache#5800)

Author: kasakrisz

common/src/java/org/apache/hive/http/HttpServer.java

@@ -652,6 +652,8 @@ ServerConnector createAndAddChannelConnector(int queueSize, Builder b) {
 
     final HttpConfiguration conf = new HttpConfiguration();
     conf.setRequestHeaderSize(1024*64);
+    conf.setSendServerVersion(false);
+    conf.setSendXPoweredBy(false);
     final HttpConnectionFactory http = new HttpConnectionFactory(conf);
 
     if (!b.useSSL) {

hcatalog/webhcat/svr/src/main/java/org/apache/hive/hcatalog/templeton/Main.java

@@ -282,6 +282,8 @@ private Connector createChannelConnector(Server server) {
     ServerConnector connector;
     final HttpConfiguration httpConf = new HttpConfiguration();
     httpConf.setRequestHeaderSize(1024 * 64);
+    httpConf.setSendServerVersion(false);
+    httpConf.setSendXPoweredBy(false);
     final HttpConnectionFactory http = new HttpConnectionFactory(httpConf);
 
     if (conf.getBoolean(AppConfig.USE_SSL, false)) {

itests/hive-unit/src/test/java/org/apache/hive/service/TestHttpServices.java

@@ -0,0 +1,93 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hive.service;
+
+import org.apache.hadoop.hive.conf.HiveConf;
+import org.apache.hadoop.hive.metastore.conf.MetastoreConf;
+import org.apache.hc.client5.http.classic.methods.HttpGet;
+import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
+import org.apache.hc.client5.http.impl.classic.CloseableHttpResponse;
+import org.apache.hc.client5.http.impl.classic.HttpClients;
+import org.apache.hc.core5.http.Header;
+import org.apache.hive.jdbc.miniHS2.MiniHS2;
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+import java.io.IOException;
+import java.util.HashMap;
+
+public class TestHttpServices {
+
+  private static MiniHS2 miniHS2 = null;
+
+  @BeforeClass
+  public static void startServices() throws Exception {
+    HiveConf hiveConf = new HiveConf();
+    hiveConf.set(MetastoreConf.ConfVars.THRIFT_TRANSPORT_MODE.toString(), "http"); // HS2 -> HMS thrift on http
+
+    miniHS2 = new MiniHS2.Builder()
+            .withConf(hiveConf)
+            .withHTTPTransport() // Cli service -> HS2 thrift on http
+            .withRemoteMetastore()
+            .build();
+
+    miniHS2.start(new HashMap<>());
+  }
+
+  @AfterClass
+  public static void stopServices() {
+    if (miniHS2 != null && miniHS2.isStarted()) {
+      miniHS2.stop();
+    }
+  }
+
+  @Test
+  public void testWebUIResponseDoesNotContainServerVersionAndXPoweredBy() throws Exception {
+    testHttpServiceDoesNotContainServerVersionAndXPoweredBy(
+            "http://" + miniHS2.getHost() + ":" + miniHS2.getWebPort());
+  }
+
+  @Test
+  public void testCliServiceResponseDoesNotContainServerVersionAndXPoweredBy() throws Exception {
+    testHttpServiceDoesNotContainServerVersionAndXPoweredBy(
+            "http://" + miniHS2.getHost() + ":" + miniHS2.getWebPort() + "/cliservice");
+  }
+
+  @Test
+  public void testHMSServiceResponseDoesNotContainServerVersionAndXPoweredBy() throws Exception {
+    testHttpServiceDoesNotContainServerVersionAndXPoweredBy(
+            "http://" + miniHS2.getHost() + ":" + miniHS2.getWebPort() + "/" +
+            MetastoreConf.ConfVars.METASTORE_CLIENT_THRIFT_HTTP_PATH.getDefaultVal());
+  }
+
+  private void testHttpServiceDoesNotContainServerVersionAndXPoweredBy(String miniHS2) throws IOException {
+    try (CloseableHttpClient httpClient = HttpClients.createDefault()) {
+      HttpGet request = new HttpGet(miniHS2);
+
+      try (CloseableHttpResponse response = httpClient.execute(request)) {
+        for (Header header : response.getHeaders()) {
+          Assert.assertNotEquals("x-powered-by", header.getName().toLowerCase());
+          Assert.assertNotEquals("server", header.getName().toLowerCase());
+        }
+      }
+    }
+  }
+}

service/src/java/org/apache/hive/service/cli/thrift/ThriftHttpCLIService.java

@@ -123,6 +123,8 @@ public void setThreadFactory(ThreadFactory threadFactory) {
           hiveConf.getIntVar(ConfVars.HIVE_SERVER2_THRIFT_HTTP_RESPONSE_HEADER_SIZE);
       conf.setRequestHeaderSize(requestHeaderSize);
       conf.setResponseHeaderSize(responseHeaderSize);
+      conf.setSendServerVersion(false);
+      conf.setSendXPoweredBy(false);
       final HttpConnectionFactory http = new HttpConnectionFactory(conf) {
         public Connection newConnection(Connector connector, EndPoint endPoint) {
           Connection connection = super.newConnection(connector, endPoint);

standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java

@@ -395,6 +395,8 @@ public void setThreadFactory(ThreadFactory threadFactory) {
         MetastoreConf.getIntVar(conf, ConfVars.METASTORE_THRIFT_HTTP_REQUEST_HEADER_SIZE));
     httpServerConf.setResponseHeaderSize(
         MetastoreConf.getIntVar(conf, ConfVars.METASTORE_THRIFT_HTTP_RESPONSE_HEADER_SIZE));
+    httpServerConf.setSendServerVersion(false);
+    httpServerConf.setSendXPoweredBy(false);
 
     final HttpConnectionFactory http = new HttpConnectionFactory(httpServerConf);