Posted to commits@ambari.apache.org by al...@apache.org on 2019/03/14 12:58:46 UTC
[ambari] branch branch-2.6 updated: AMBARI-25172. XSS - cross site
scripting vulnerability
This is an automated email from the ASF dual-hosted git repository.
alexantonenko pushed a commit to branch branch-2.6
in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/branch-2.6 by this push:
new c902b0d AMBARI-25172. XSS - cross site scripting vulnerability
new 56062c0 Merge pull request #2864 from hiveww/AMBARI-25172-branch2.6
c902b0d is described below
commit c902b0d748ece735ea5ececd713c0ff6f475163e
Author: Alex Antonenko <aa...@hortonworks.com>
AuthorDate: Wed Mar 13 17:52:51 2019 +0200
AMBARI-25172. XSS - cross site scripting vulnerability
---
.../main/service/widgets/create/step2_controller.js | 15 ++++++++++++++-
ambari-web/app/messages.js | 1 +
.../templates/main/service/widgets/create/step2_graph.hbs | 9 ++++++++-
ambari-web/app/utils/validator.js | 5 +++++
.../main/service/widgets/create/step2_controller_test.js | 5 +++++
5 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/ambari-web/app/controllers/main/service/widgets/create/step2_controller.js b/ambari-web/app/controllers/main/service/widgets/create/step2_controller.js
index 4e3ab91..8f26c09 100644
--- a/ambari-web/app/controllers/main/service/widgets/create/step2_controller.js
+++ b/ambari-web/app/controllers/main/service/widgets/create/step2_controller.js
@@ -17,6 +17,7 @@
*/
var App = require('app');
+var validator = require('utils/validator');
App.WidgetWizardStep2Controller = Em.Controller.extend({
name: "widgetWizardStep2Controller",
@@ -148,7 +149,7 @@ App.WidgetWizardStep2Controller = Em.Controller.extend({
isMetricsIncluded = expressions.some(this.isExpressionWithMetrics);
for (var i = 0; i < dataSets.length; i++) {
- if (dataSets[i].get('label').trim() === '' || !this.isExpressionComplete(dataSets[i].get('expression'))) {
+ if (!this.checkIfIsLabelValid(dataSets[i]) || !this.isExpressionComplete(dataSets[i].get('expression'))) {
isComplete = false;
break;
}
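Review bot: `checkIfIsLabelValid` now writes `isInvalidLabel` onto the data set as a side effect, but the loop still `break`s at the first incomplete data set, so only the first invalid label gets flagged and any later data set keeps whatever flag an earlier validation run left on it (stale error shown, or a second bad label only reported after the first is fixed). Validating every label before the loop keeps the flags consistent: `var labelValidity = dataSets.map(function (dataSet) { return this.checkIfIsLabelValid(dataSet); }, this);` ahead of the `for`, and `if (!labelValidity[i] || !this.isExpressionComplete(dataSets[i].get('expression'))) {` inside it. The enclosing function starts and ends outside the hunk, so I cannot see whether the flags are reset elsewhere.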
@@ -157,6 +158,18 @@ App.WidgetWizardStep2Controller = Em.Controller.extend({
},
/**
+ * if label is valid
+ * @param dataset
+ * @returns {boolean} isValid
+ */
+ checkIfIsLabelValid: function(dataset) {
+ var label = dataset.get('label');
+ var isValid = label.trim() !== '' && validator.isValidChartWidgetDatasetLabel(label);
+ dataset.set('isInvalidLabel', !isValid);
+ return isValid;
+ },
+
+ /**
* check whether data of template widget is complete
* @param {Array} expressions
* @param {string} templateValue
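Review bot: The JSDoc on `checkIfIsLabelValid` does not say that the method also writes `isInvalidLabel` back onto the data set, which is the behaviour the step2 template relies on and the reason the call is not side-effect free. Suggest replacing `* if label is valid` with `* Checks that the data set label is non-blank and passes validator.isValidChartWidgetDatasetLabel; stores the result on the data set as isInvalidLabel for the template.` and typing the parameter as `@param {Em.Object} dataset`. `label.trim()` still throws when `label` is not a string, as the line it replaces did, so this is not a regression, but a `typeof label === 'string' &&` guard would make the validator the single place that rejects bad input.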
diff --git a/ambari-web/app/messages.js b/ambari-web/app/messages.js
index 851e331..9369262 100644
--- a/ambari-web/app/messages.js
+++ b/ambari-web/app/messages.js
@@ -3117,6 +3117,7 @@ Em.I18n.translations = {
'widget.create.wizard.step2.body.text':'Define the expression with any metrics and valid operators. </br>Use parentheses when necessary.',
'widget.create.wizard.step2.body.template':'Define the template with any number of expressions and any string. An expression can be referenced from a template by enclosing its name with double curly braces.',
'widget.create.wizard.step2.body.warning':'Note: Valid operators are +, -, *, /',
+ 'widget.create.wizard.step2.body.invalid.label': 'Invalid name. Only alphanumerics, underscores, hyphens, percentage and spaces are allowed.',
'widget.create.wizard.step2.body.template.invalid.msg':'Invalid expression name existed. Should use name "Expression#" with double curly braces.',
'widget.create.wizard.step2.addExpression': 'Add Expression',
'widget.create.wizard.step2.addDataset': 'Add data set',
diff --git a/ambari-web/app/templates/main/service/widgets/create/step2_graph.hbs b/ambari-web/app/templates/main/service/widgets/create/step2_graph.hbs
index 17e4790..b413b85 100644
--- a/ambari-web/app/templates/main/service/widgets/create/step2_graph.hbs
+++ b/ambari-web/app/templates/main/service/widgets/create/step2_graph.hbs
@@ -23,7 +23,14 @@
{{#each dataSet in dataSets}}
<fieldset>
- <h5>{{view Ember.TextField valueBinding="dataSet.label"}}</h5>
+ <h5 {{bindAttr class="dataSet.isInvalidLabel:has-error"}}>
+ {{view Ember.TextField valueBinding="dataSet.label" class="form-control"}}
+ {{#if dataSet.isInvalidLabel}}
+ <div class="alert alert-info">
+ {{t widget.create.wizard.step2.body.invalid.label}}
+ </div>
+ {{/if}}
+ </h5>
<h5>{{t common.expression}}:</h5>
{{view App.WidgetWizardExpressionView expressionBinding="dataSet.expression"}}
{{#if dataSet.isRemovable}}
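Review bot: The new markup places a block `<div class="alert alert-info">` inside the `<h5>`, which is not valid HTML (a heading permits only phrasing content), and the `alert-info` styling disagrees with the `has-error` class on the wrapper about the severity of the message. A `<div {{bindAttr class=":form-group dataSet.isInvalidLabel:has-error"}}>` wrapper with a `<span class="help-block">` for the message would match the Bootstrap form-validation pattern the `has-error` class belongs to. Style only; the bindings themselves are fine.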
diff --git a/ambari-web/app/utils/validator.js b/ambari-web/app/utils/validator.js
index dd3d6c0..bc4f24d 100644
--- a/ambari-web/app/utils/validator.js
+++ b/ambari-web/app/utils/validator.js
@@ -316,6 +316,11 @@ module.exports = {
return widgetDescriptionRegex.test(value);
},
+ isValidChartWidgetDatasetLabel: function (value) {
+ var widgetDescriptionRegex = /^[\s0-9a-z_\-%]+$/i;
+ return widgetDescriptionRegex.test(value);
+ },
+
/**
* Validate alert name
* @param {string} value
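Review bot: `isValidChartWidgetDatasetLabel` reuses the local name `widgetDescriptionRegex` from the function above it and, unlike its neighbours (see the `Validate alert name` block below), carries no JSDoc stating what is accepted; suggest `var datasetLabelRegex = /^[\s0-9a-z_\-%]+$/i; return datasetLabelRegex.test(value);` plus a JSDoc saying the label may contain only letters, digits, whitespace, `_`, `-` and `%`, with `@param {string} value` and `@returns {boolean}`. `RegExp.prototype.test` coerces its argument, so `undefined` is accepted as the string "undefined"; the controller's `trim()` call happens to block that path, but a `typeof value === 'string' &&` prefix would make the validator safe for other callers. This allowlist rejects markup at input time only; the place that renders the label still needs to escape it (Handlebars `{{ }}` rather than `{{{ }}}`), and that rendering site is not in this diff, so I cannot confirm it.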
diff --git a/ambari-web/test/controllers/main/service/widgets/create/step2_controller_test.js b/ambari-web/test/controllers/main/service/widgets/create/step2_controller_test.js
index 1b002790..ed37f1d 100644
--- a/ambari-web/test/controllers/main/service/widgets/create/step2_controller_test.js
+++ b/ambari-web/test/controllers/main/service/widgets/create/step2_controller_test.js
@@ -247,6 +247,11 @@ describe('App.WidgetWizardStep2Controller', function () {
title: 'label is empty'
},
{
+ dataSets: [Em.Object.create({label: '<script>alert(\'hello\')</script>'})],
+ isGraphDataComplete: false,
+ title: 'not aalowed symbols'
+ },
+ {
dataSets: [Em.Object.create({label: 'abc'})],
isExpressionComplete: false,
isGraphDataComplete: false,
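Review bot: The new case's title `'not aalowed symbols'` is misspelled; `title: 'not allowed symbols'`. The case only checks `isGraphDataComplete`, while `checkIfIsLabelValid` also sets `isInvalidLabel` on the data set for the template, so an assertion on `dataSets[0].get('isInvalidLabel')` after the call would pin that side effect; I cannot see how the cases are asserted, since the `describe` body runs outside the hunk. A positive case using the allowed punctuation, e.g. `label: 'disk-usage %_1'`, would also cover the regex boundary rather than only the rejected input.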