Posted to commits@oozie.apache.org by an...@apache.org on 2018/07/02 08:52:23 UTC
oozie git commit: OOZIE-3109 [log-streaming] Escape HTML-specific
characters (dionusos via andras.piros)
Repository: oozie
Updated Branches:
refs/heads/master 2f6bced4f -> f638381da
OOZIE-3109 [log-streaming] Escape HTML-specific characters (dionusos via andras.piros)
Project: http://git-wip-us.apache.org/repos/asf/oozie/repo
Commit: http://git-wip-us.apache.org/repos/asf/oozie/commit/f638381d
Tree: http://git-wip-us.apache.org/repos/asf/oozie/tree/f638381d
Diff: http://git-wip-us.apache.org/repos/asf/oozie/diff/f638381d
Branch: refs/heads/master
Commit: f638381dacf5d0720f9f1f9786ea30d4493ada2a
Parents: 2f6bced
Author: Andras Piros <an...@cloudera.com>
Authored: Mon Jul 2 10:51:31 2018 +0200
Committer: Andras Piros <an...@cloudera.com>
Committed: Mon Jul 2 10:51:31 2018 +0200
----------------------------------------------------------------------
.../oozie/service/XLogStreamingService.java | 3 ++-
.../oozie/service/ZKXLogStreamingService.java | 12 +++++----
.../oozie/util/TimestampedMessageParser.java | 3 ++-
.../org/apache/oozie/util/XLogStreamer.java | 5 ++--
.../oozie/service/TestXLogStreamingService.java | 27 ++++++++++++++++++++
release-log.txt | 1 +
6 files changed, 42 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/oozie/blob/f638381d/core/src/main/java/org/apache/oozie/service/XLogStreamingService.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/oozie/service/XLogStreamingService.java b/core/src/main/java/org/apache/oozie/service/XLogStreamingService.java
index 3cfbeac..f841425 100644
--- a/core/src/main/java/org/apache/oozie/service/XLogStreamingService.java
+++ b/core/src/main/java/org/apache/oozie/service/XLogStreamingService.java
@@ -18,6 +18,7 @@
package org.apache.oozie.service;
+import org.apache.commons.lang.StringEscapeUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.oozie.util.Instrumentable;
import org.apache.oozie.util.Instrumentation;
@@ -92,7 +93,7 @@ public class XLogStreamingService implements Service, Instrumentable {
protected void streamLog(XLogStreamer logStreamer, Date startTime, Date endTime, Writer writer, boolean appendDebug)
throws IOException {
if (!logStreamer.isLogEnabled()) {
- writer.write(logStreamer.getLogDisableMessage());
+ writer.write(StringEscapeUtils.escapeHtml(logStreamer.getLogDisableMessage()));
return;
}
logStreamer.streamLog(writer, startTime, endTime, appendDebug);
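Review bot: Escaping inside `streamLog` (at the `getLogDisableMessage()` write here, and at every other `StringEscapeUtils.escapeHtml` call this commit adds in ZKXLogStreamingService, TimestampedMessageParser and XLogStreamer) encodes the stream for every consumer, not only for a page that renders it as HTML. If the same stream is also read as plain text by a command-line or REST client (not visible from this diff), those readers will now see `&lt;` and `&amp;` entities, and commons-lang 2.x `escapeHtml` also rewrites non-ASCII characters as entities. It leaves the apostrophe unescaped, so the result is safe as element content but not inside a single-quoted attribute. Worth stating the intended context on the method, e.g. `// output is HTML-escaped for element-content context; plain-text consumers must unescape`. The body of `streamLog` continues outside the hunk.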
http://git-wip-us.apache.org/repos/asf/oozie/blob/f638381d/core/src/main/java/org/apache/oozie/service/ZKXLogStreamingService.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/oozie/service/ZKXLogStreamingService.java b/core/src/main/java/org/apache/oozie/service/ZKXLogStreamingService.java
index 3a5081c..9aa3276 100644
--- a/core/src/main/java/org/apache/oozie/service/ZKXLogStreamingService.java
+++ b/core/src/main/java/org/apache/oozie/service/ZKXLogStreamingService.java
@@ -27,6 +27,7 @@ import java.util.List;
import java.util.Map;
import java.util.TreeMap;
+import org.apache.commons.lang.StringEscapeUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.curator.x.discovery.ServiceInstance;
import org.apache.oozie.ErrorCode;
@@ -103,7 +104,7 @@ public class ZKXLogStreamingService extends XLogStreamingService implements Serv
public void streamLog(XLogStreamer logStreamer, Date startTime, Date endTime, Writer writer) throws IOException {
if (!logStreamer.isLogEnabled()) {
- writer.write(logStreamer.getLogDisableMessage());
+ writer.write(StringEscapeUtils.escapeHtml(logStreamer.getLogDisableMessage()));
return;
}
// If ALL_SERVERS_PARAM is set to false, then only stream our log
@@ -187,11 +188,11 @@ public class ZKXLogStreamingService extends XLogStreamingService implements Serv
//If log param debug is set, we need to write start date and end date to outputstream.
if(!StringUtils.isEmpty(logStreamer.getXLogFilter().getTruncatedMessage())){
- writer.write(logStreamer.getXLogFilter().getTruncatedMessage());
+ writer.write(StringEscapeUtils.escapeHtml(logStreamer.getXLogFilter().getTruncatedMessage()));
}
if (logStreamer.getXLogFilter().isDebugMode()) {
- writer.write(logStreamer.getXLogFilter().getDebugMessage());
+ writer.write(StringEscapeUtils.escapeHtml(logStreamer.getXLogFilter().getDebugMessage()));
}
// Add a message about any servers we couldn't contact
if (!badOozies.isEmpty()) {
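Review bot: The message written under `if (!badOozies.isEmpty())`, right after the escaped debug message, lies outside this hunk and is not touched by any hunk in this commit, so it may be the one write in this method that still goes out unescaped. If that message includes server identifiers or URLs obtained from service discovery (not visible here), it should go through the same call, `writer.write(StringEscapeUtils.escapeHtml(msg));`, with `msg` standing for whatever string is built there. The enclosing method starts and ends outside the hunk.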
@@ -226,7 +227,7 @@ public class ZKXLogStreamingService extends XLogStreamingService implements Serv
// The first entry will be the earliest based on the timestamp (also removes it) from the map
TimestampedMessageParser earliestParser = timestampMap.pollFirstEntry().getValue();
// Write the message from that parser at that timestamp
- writer.write(earliestParser.getLastMessage());
+ writer.write(StringEscapeUtils.escapeHtml(earliestParser.getLastMessage()));
if (logStreamer.shouldFlushOutput(earliestParser.getLastMessage().length())) {
writer.flush();
}
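Review bot: `shouldFlushOutput` is still passed `earliestParser.getLastMessage().length()`, the length before escaping, while the writer receives the longer escaped string. Whatever size accounting that method does (its body is not shown) therefore undercounts for lines that contain escaped characters. Escaping once into a local keeps the two in step: `String escaped = StringEscapeUtils.escapeHtml(earliestParser.getLastMessage()); writer.write(escaped);` followed by `if (logStreamer.shouldFlushOutput(escaped.length())) {`. The same pattern appears in `TimestampedMessageParser.processRemaining`, where `lastMessage.length()` is used after the escaped write. The enclosing loop starts and ends outside the hunk.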
@@ -239,7 +240,8 @@ public class ZKXLogStreamingService extends XLogStreamingService implements Serv
// If there's only one parser left in the map, then we can simply copy the rest of its lines directly to be faster
if (timestampMap.size() == 1) {
TimestampedMessageParser parser = timestampMap.values().iterator().next();
- writer.write(parser.getLastMessage()); // don't forget the last message read by the parser
+ // don't forget the last message read by the parser
+ writer.write(StringEscapeUtils.escapeHtml(parser.getLastMessage()));
parser.processRemaining(writer, logStreamer);
}
}
http://git-wip-us.apache.org/repos/asf/oozie/blob/f638381d/core/src/main/java/org/apache/oozie/util/TimestampedMessageParser.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/oozie/util/TimestampedMessageParser.java b/core/src/main/java/org/apache/oozie/util/TimestampedMessageParser.java
index 1b87605..5c71ea1 100644
--- a/core/src/main/java/org/apache/oozie/util/TimestampedMessageParser.java
+++ b/core/src/main/java/org/apache/oozie/util/TimestampedMessageParser.java
@@ -24,6 +24,7 @@ import java.io.Writer;
import java.util.ArrayList;
import java.util.regex.Pattern;
+import org.apache.commons.lang.StringEscapeUtils;
import org.apache.oozie.service.Services;
import org.apache.oozie.service.XLogStreamingService;
import org.apache.oozie.util.LogLine.MATCHED_PATTERN;
@@ -204,7 +205,7 @@ public class TimestampedMessageParser {
*/
public void processRemaining(Writer writer, XLogStreamer logStreamer) throws IOException {
while (increment()) {
- writer.write(lastMessage);
+ writer.write(StringEscapeUtils.escapeHtml(lastMessage));
if (logStreamer.shouldFlushOutput(lastMessage.length())) {
writer.flush();
}
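Review bot: `processRemaining` is public and now changes what it emits, but the Javadoc that ends just above the signature (mostly outside the hunk) is not updated to say so. ZKXLogStreamingService escapes `getLastMessage()` itself and relies on this method to escape the remaining lines, so a new caller can easily end up with a double escape or a missed one. Suggest adding to the Javadoc: `Each message is HTML-escaped before it is written; callers must not escape the same text again.` The method body continues past the hunk.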
http://git-wip-us.apache.org/repos/asf/oozie/blob/f638381d/core/src/main/java/org/apache/oozie/util/XLogStreamer.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/oozie/util/XLogStreamer.java b/core/src/main/java/org/apache/oozie/util/XLogStreamer.java
index f0291af..6edfa22 100644
--- a/core/src/main/java/org/apache/oozie/util/XLogStreamer.java
+++ b/core/src/main/java/org/apache/oozie/util/XLogStreamer.java
@@ -30,6 +30,7 @@ import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.io.BufferedReader;
+import org.apache.commons.lang.StringEscapeUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.oozie.client.rest.RestConstants;
import org.apache.oozie.command.CommandException;
@@ -114,10 +115,10 @@ public class XLogStreamer {
try {
if (appendDebug) {
if (!StringUtils.isEmpty(logFilter.getTruncatedMessage())) {
- writer.write(logFilter.getTruncatedMessage());
+ writer.write(StringEscapeUtils.escapeHtml(logFilter.getTruncatedMessage()));
}
if (logFilter.isDebugMode()) {
- writer.write(logFilter.getDebugMessage());
+ writer.write(StringEscapeUtils.escapeHtml(logFilter.getDebugMessage()));
}
}
// Process the entire logs from the reader using the logFilter
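Review bot: The escaping added here for `getTruncatedMessage()` and `getDebugMessage()` is not covered by the new test, which asserts only on a log line. If the debug message echoes filter parameters taken from the request (the construction of that message is not visible here), this is the path most directly influenced by the caller and the one most worth pinning. A companion test that enables debug mode on the `XLogFilter` and asserts the streamed header contains no raw `<` would cover it. The `try` block opened above continues outside the hunk.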
http://git-wip-us.apache.org/repos/asf/oozie/blob/f638381d/core/src/test/java/org/apache/oozie/service/TestXLogStreamingService.java
----------------------------------------------------------------------
diff --git a/core/src/test/java/org/apache/oozie/service/TestXLogStreamingService.java b/core/src/test/java/org/apache/oozie/service/TestXLogStreamingService.java
index 1921f1b..5759211 100644
--- a/core/src/test/java/org/apache/oozie/service/TestXLogStreamingService.java
+++ b/core/src/test/java/org/apache/oozie/service/TestXLogStreamingService.java
@@ -413,6 +413,33 @@ public class TestXLogStreamingService extends XTestCase {
assertFalse(log.contains("Truncated logs to max log scan duration"));
}
+ public void testEscapingHtmlCharacters() throws Exception{
+ setupXLog();
+ XLogFilter xf = new XLogFilter(new XLogUserFilterParam(null));
+ xf.setParameter("USER", "oozie");
+ xf.setLogLevel("DEBUG|INFO");
+ File log4jFile = new File(getTestCaseConfDir(), "test-log4j.properties");
+ ClassLoader cl = Thread.currentThread().getContextClassLoader();
+ InputStream is = cl.getResourceAsStream("test-no-dash-log4j.properties");
+ Properties log4jProps = new Properties();
+ log4jProps.load(is);
+ // prevent conflicts with other tests by changing the log file location
+ log4jProps.setProperty("log4j.appender.oozie.File", getTestCaseDir() + "/oozie.log");
+ log4jProps.store(new FileOutputStream(log4jFile), "");
+ setSystemProperty(XLogService.LOG4J_FILE, log4jFile.getName());
+ try {
+ new Services().init();
+ assertFalse(doStreamDisabledCheck());
+ LogFactory.getLog("a").info("2009-06-24 02:43:14,505 INFO _L1_:317 - SERVER[foo] USER[oozie] GROUP[oozie] TOKEN[-] "
+ + "APP[-] JOB[-] ACTION[-] <script>function({Some malicious JS code});</script>");
+ String out = doStreamLog(xf);
+ assertFalse(out.contains("<script>"));
+ }
+ finally {
+ Services.get().destroy();
+ }
+ }
+
private boolean doStreamDisabledCheckWithServices() throws Exception {
boolean result = false;
try {
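Review bot: `assertFalse(out.contains("<script>"))` in `testEscapingHtmlCharacters` also passes when the logged line never reaches `out` at all (filtered out, not yet flushed, or written to a different file), so the test can succeed without exercising the escaping. Pair it with a positive check on the encoded form, `assertTrue(out.contains("&lt;script&gt;"));`, so a missing line fails the test. Separately, the `InputStream is` and the `new FileOutputStream(log4jFile)` passed to `store` are never closed; wrapping both in try-with-resources avoids leaking handles across the test suite.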
http://git-wip-us.apache.org/repos/asf/oozie/blob/f638381d/release-log.txt
----------------------------------------------------------------------
diff --git a/release-log.txt b/release-log.txt
index 5bb8fad..53bcd24 100644
--- a/release-log.txt
+++ b/release-log.txt
@@ -1,5 +1,6 @@
-- Oozie 5.1.0 release (trunk - unreleased)
+OOZIE-3109 [log-streaming] Escape HTML-specific characters (dionusos via andras.piros)
OOZIE-2956 Fix Findbugs warnings related to reliance on default encoding in oozie-core (Jan Hentschel, kmarton via andras.piros)
OOZIE-3295 Flaky test TestSLACalculatorMemory#testAddMultipleRestartRemoveMultipleInstrumentedCorrectly (pbacsko via andras.piros)
OOZIE-3289 TestJMSAccessorService#testConnectionRetry is still flaky (pbacsko via andras.piros)