Posted to commits@lucene.apache.org by kr...@apache.org on 2019/12/07 21:52:36 UTC

[lucene-solr] branch branch_8x updated: SOLR-13987: Admin UI should not rely on javascript eval()

This is an automated email from the ASF dual-hosted git repository.

krisden pushed a commit to branch branch_8x
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git


The following commit(s) were added to refs/heads/branch_8x by this push:
     new 7ad7bbe  SOLR-13987: Admin UI should not rely on javascript eval()
7ad7bbe is described below

commit 7ad7bbe05c2ed9e39fbeb9f3a6fdde03c37b3d93
Author: Kevin Risden <kr...@apache.org>
AuthorDate: Fri Dec 6 21:25:39 2019 -0500

    SOLR-13987: Admin UI should not rely on javascript eval()
    
    * Removes `'unsafe-eval'` from CSP `script-src`
    * Enables Angular CSP mode
    * Removes `eval()` JSON parsing in `cloud.js`
    * Removes `jstree` themes error
    
    Signed-off-by: Kevin Risden <kr...@apache.org>
---
 solr/CHANGES.txt                                |  2 ++
 solr/server/etc/jetty.xml                       | 14 ++++++++-
 solr/webapp/web/css/angular/angular-csp.css     | 41 +++++++++++++++++++++++++
 solr/webapp/web/index.html                      |  3 +-
 solr/webapp/web/js/angular/app.js               |  2 +-
 solr/webapp/web/js/angular/controllers/cloud.js |  2 +-
 6 files changed, 60 insertions(+), 4 deletions(-)

diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 07dbe1a..fa64424 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -91,6 +91,8 @@ Improvements
 * SOLR-11706: Add support for aggregation on multivalued fields in JSON facets. min, max, avg, sum, sumsq, stddev,
   variance, percentile aggregations now have support for multivalued fields. (hossman, Munendra S N)
 
+* SOLR-13987: Admin UI should not rely on javascript eval() (rmuir, Kevin Risden)
+
 Optimizations
 ---------------------
 (No changes)
diff --git a/solr/server/etc/jetty.xml b/solr/server/etc/jetty.xml
index 0a0172a..210b342 100644
--- a/solr/server/etc/jetty.xml
+++ b/solr/server/etc/jetty.xml
@@ -95,7 +95,19 @@
           <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
             <Set name="pattern">*</Set>
             <Set name="name">Content-Security-Policy</Set>
-            <Set name="value">default-src 'none'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'; img-src 'self'; media-src 'self'; font-src 'self'; connect-src 'self';</Set>
+            <Set name="value">
+              default-src 'none';
+              base-uri 'none';
+              connect-src 'self';
+              form-action 'self';
+              font-src 'self';
+              frame-ancestors 'none';
+              img-src 'self';
+              media-src 'self';
+              style-src 'self' 'unsafe-inline';
+              script-src 'self';
+              worker-src 'self';
+            </Set>
           </New>
         </Arg>
       </Call>
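Review bot: The Content-Security-Policy value now spans several lines inside `<Set name="value">`, so unless Jetty's XML configuration trims the text node and collapses its newlines and indentation, the header would be emitted with embedded line breaks, which an HTTP header value cannot carry and which Jetty may reject or send as a malformed header; this is worth confirming on an actual response before relying on the reformatted policy. If the loader does not normalize the text, keep the directive list on a single line even though it is harder to read, or build it in a way that yields one line. `worker-src 'self'` is also new in this hunk but not mentioned in the commit message; a short line in the CHANGES entry would keep the two in sync.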
diff --git a/solr/webapp/web/css/angular/angular-csp.css b/solr/webapp/web/css/angular/angular-csp.css
new file mode 100644
index 0000000..84d8366
--- /dev/null
+++ b/solr/webapp/web/css/angular/angular-csp.css
@@ -0,0 +1,41 @@
+/*
+The MIT License
+
+Copyright (c) 2010-2015 Google, Inc. http://angularjs.org
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+*/
+/**
+ * @license AngularJS v1.3.8
+ * (c) 2010-2014 Google, Inc. http://angularjs.org
+ * License: MIT
+ */
+/* Include this file in your html if you are using the CSP mode. */
+
+@charset "UTF-8";
+
+[ng\:cloak], [ng-cloak], [data-ng-cloak], [x-ng-cloak],
+.ng-cloak, .x-ng-cloak,
+.ng-hide:not(.ng-hide-animate) {
+  display: none !important;
+}
+
+ng\:form {
+  display: block;
+}
diff --git a/solr/webapp/web/index.html b/solr/webapp/web/index.html
index 676ad19..b33d190 100644
--- a/solr/webapp/web/index.html
+++ b/solr/webapp/web/index.html
@@ -1,5 +1,5 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
-<html ng-app="solrAdminApp">
+<html ng-app="solrAdminApp" ng-csp>
 <!--
 Licensed to the Apache Software Foundation (ASF) under one or more
 contributor license agreements.  See the NOTICE file distributed with
@@ -23,6 +23,7 @@ limitations under the License.
   <link rel="icon" type="image/x-icon" href="img/favicon.ico?_=${version}">
   <link rel="shortcut icon" type="image/x-icon" href="img/favicon.ico?_=${version}">
 
+  <link rel="stylesheet" type="text/css" href="css/angular/angular-csp.css?_=${version}">
   <link rel="stylesheet" type="text/css" href="css/angular/common.css?_=${version}">
   <link rel="stylesheet" type="text/css" href="css/angular/analysis.css?_=${version}">
   <link rel="stylesheet" type="text/css" href="css/angular/cloud.css?_=${version}">
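Review bot: The new stylesheet link is the only thing explaining why the bare `ng-csp` attribute added to `<html>` in the first hunk does not break `ng-cloak`/`ng-hide`: in CSP mode Angular presumably stops injecting those rules as inline styles, so they must come from a file, and a reader who sees no reference to the stylesheet elsewhere may remove it as unused. A comment beside the link, `<!-- required with ng-csp: Angular no longer injects its ng-cloak/ng-hide styles inline -->`, records the dependency. If its position before common.css matters for override order, say so in the same comment.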
diff --git a/solr/webapp/web/js/angular/app.js b/solr/webapp/web/js/angular/app.js
index 784ea6e..e2023ba 100644
--- a/solr/webapp/web/js/angular/app.js
+++ b/solr/webapp/web/js/angular/app.js
@@ -299,7 +299,7 @@ solrAdminApp.config([
             scope.$watch("data", function(newValue, oldValue) {
                 if (newValue) {
                   var treeConfig = {
-                      "plugins" : [ "themes", "json_data", "ui" ],
+                      "plugins" : [ "json_data", "ui" ],
                       "json_data" : {
                         "data" : scope.data,
                         "progressive_render" : true
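Review bot: Dropping `"themes"` from the jstree plugin list carries no explanation in the code, so a later change may add it back to restore theming and reintroduce the error the commit message attributes to it. A comment on the plugin line, `// "themes" intentionally omitted: the jstree theme plugin errors under the admin UI's CSP (SOLR-13987)`, records the reason where it will be seen. The `$watch` callback and the directive it belongs to start and end outside the hunk.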
diff --git a/solr/webapp/web/js/angular/controllers/cloud.js b/solr/webapp/web/js/angular/controllers/cloud.js
index b0ba421..48828e9 100644
--- a/solr/webapp/web/js/angular/controllers/cloud.js
+++ b/solr/webapp/web/js/angular/controllers/cloud.js
@@ -668,7 +668,7 @@ var graphSubController = function ($scope, Zookeeper) {
             }
 
             Zookeeper.clusterState(params, function (data) {
-                    eval("var state=" + data.znode.data); // @todo fix horrid means to parse JSON
+                    var state = $.parseJSON(data.znode.data);
 
                     var leaf_count = 0;
                     var graph_data = {
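Review bot: `$.parseJSON` is deprecated in jQuery 3 in favour of the built-in `JSON.parse`, and the replacement still throws inside the `clusterState` callback when the znode holds empty or malformed data, which nothing in the hunk handles (the removed `eval` would have thrown as well, so this is not a regression, but the rest of the callback is outside the hunk and presumably has no catch). Prefer `var state = JSON.parse(data.znode.data);` so parsing no longer depends on jQuery, and consider guarding the call so that an unparseable cluster state surfaces as a UI error rather than an uncaught exception. The enclosing `graphSubController` starts and ends outside the hunk.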