Posted to commits@lucene.apache.org by kr...@apache.org on 2019/12/07 21:52:36 UTC
[lucene-solr] branch branch_8x updated: SOLR-13987: Admin UI should
not rely on javascript eval()
This is an automated email from the ASF dual-hosted git repository.
krisden pushed a commit to branch branch_8x
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git
The following commit(s) were added to refs/heads/branch_8x by this push:
new 7ad7bbe SOLR-13987: Admin UI should not rely on javascript eval()
7ad7bbe is described below
commit 7ad7bbe05c2ed9e39fbeb9f3a6fdde03c37b3d93
Author: Kevin Risden <kr...@apache.org>
AuthorDate: Fri Dec 6 21:25:39 2019 -0500
SOLR-13987: Admin UI should not rely on javascript eval()
* Removes `'unsafe-eval'` from CSP `script-src`
* Enables Angular CSP mode
* Removes `eval()` JSON parsing in `cloud.js`
* Removes `jstree` themes error
Signed-off-by: Kevin Risden <kr...@apache.org>
---
solr/CHANGES.txt | 2 ++
solr/server/etc/jetty.xml | 14 ++++++++-
solr/webapp/web/css/angular/angular-csp.css | 41 +++++++++++++++++++++++++
solr/webapp/web/index.html | 3 +-
solr/webapp/web/js/angular/app.js | 2 +-
solr/webapp/web/js/angular/controllers/cloud.js | 2 +-
6 files changed, 60 insertions(+), 4 deletions(-)
diff --git a/solr/CHANGES.txt b/solr/CHANGES.txt
index 07dbe1a..fa64424 100644
--- a/solr/CHANGES.txt
+++ b/solr/CHANGES.txt
@@ -91,6 +91,8 @@ Improvements
* SOLR-11706: Add support for aggregation on multivalued fields in JSON facets. min, max, avg, sum, sumsq, stddev,
variance, percentile aggregations now have support for multivalued fields. (hossman, Munendra S N)
+* SOLR-13987: Admin UI should not rely on javascript eval() (rmuir, Kevin Risden)
+
Optimizations
---------------------
(No changes)
diff --git a/solr/server/etc/jetty.xml b/solr/server/etc/jetty.xml
index 0a0172a..210b342 100644
--- a/solr/server/etc/jetty.xml
+++ b/solr/server/etc/jetty.xml
@@ -95,7 +95,19 @@
<New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<Set name="pattern">*</Set>
<Set name="name">Content-Security-Policy</Set>
- <Set name="value">default-src 'none'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'; img-src 'self'; media-src 'self'; font-src 'self'; connect-src 'self';</Set>
+ <Set name="value">
+ default-src 'none';
+ base-uri 'none';
+ connect-src 'self';
+ form-action 'self';
+ font-src 'self';
+ frame-ancestors 'none';
+ img-src 'self';
+ media-src 'self';
+ style-src 'self' 'unsafe-inline';
+ script-src 'self';
+ worker-src 'self';
+ </Set>
</New>
</Arg>
</Call>
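Review bot: The `<Set name="value">` element now spreads the policy over several indented lines, and unless Jetty's XmlConfiguration trims element text the Content-Security-Policy header will carry embedded newlines and leading spaces, which are not valid in an HTTP header value and may be sanitised, folded or rejected before the browser applies the policy. Verify the header on the wire (inspect the admin UI response headers) and, if it is not a single line, collapse the directives back onto one line, e.g. `<Set name="value">default-src 'none'; base-uri 'none'; connect-src 'self'; form-action 'self'; font-src 'self'; frame-ancestors 'none'; img-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self'; worker-src 'self';</Set>`. Dropping 'unsafe-eval' from script-src is the substantive hardening here; `style-src` still permits 'unsafe-inline', so a follow-up could tighten that once Angular's CSP mode is confirmed to cover every inline style the UI relies on.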
diff --git a/solr/webapp/web/css/angular/angular-csp.css b/solr/webapp/web/css/angular/angular-csp.css
new file mode 100644
index 0000000..84d8366
--- /dev/null
+++ b/solr/webapp/web/css/angular/angular-csp.css
@@ -0,0 +1,41 @@
+/*
+The MIT License
+
+Copyright (c) 2010-2015 Google, Inc. http://angularjs.org
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+*/
+/**
+ * @license AngularJS v1.3.8
+ * (c) 2010-2014 Google, Inc. http://angularjs.org
+ * License: MIT
+ */
+/* Include this file in your html if you are using the CSP mode. */
+
+@charset "UTF-8";
+
+[ng\:cloak], [ng-cloak], [data-ng-cloak], [x-ng-cloak],
+.ng-cloak, .x-ng-cloak,
+.ng-hide:not(.ng-hide-animate) {
+ display: none !important;
+}
+
+ng\:form {
+ display: block;
+}
diff --git a/solr/webapp/web/index.html b/solr/webapp/web/index.html
index 676ad19..b33d190 100644
--- a/solr/webapp/web/index.html
+++ b/solr/webapp/web/index.html
@@ -1,5 +1,5 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
-<html ng-app="solrAdminApp">
+<html ng-app="solrAdminApp" ng-csp>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
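Review bot: The bare `ng-csp` attribute on the `<html>` element turns on both of Angular's CSP restrictions (no eval and no runtime-injected inline styles), but nothing in the markup records why it is there or that the angular-csp.css stylesheet added further down in this file exists to replace the styles Angular would otherwise inject. A comment next to the attribute would keep the two from being changed independently, e.g. `<!-- ng-csp: the Content-Security-Policy header disallows eval(); css/angular/angular-csp.css supplies the styles Angular would otherwise inject inline (SOLR-13987) -->`. Depending on the bundled AngularJS version, `ng-csp="no-unsafe-eval"` would be the narrower setting if only the eval restriction is wanted, since the header still allows 'unsafe-inline' styles.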
@@ -23,6 +23,7 @@ limitations under the License.
<link rel="icon" type="image/x-icon" href="img/favicon.ico?_=${version}">
<link rel="shortcut icon" type="image/x-icon" href="img/favicon.ico?_=${version}">
+ <link rel="stylesheet" type="text/css" href="css/angular/angular-csp.css?_=${version}">
<link rel="stylesheet" type="text/css" href="css/angular/common.css?_=${version}">
<link rel="stylesheet" type="text/css" href="css/angular/analysis.css?_=${version}">
<link rel="stylesheet" type="text/css" href="css/angular/cloud.css?_=${version}">
diff --git a/solr/webapp/web/js/angular/app.js b/solr/webapp/web/js/angular/app.js
index 784ea6e..e2023ba 100644
--- a/solr/webapp/web/js/angular/app.js
+++ b/solr/webapp/web/js/angular/app.js
@@ -299,7 +299,7 @@ solrAdminApp.config([
scope.$watch("data", function(newValue, oldValue) {
if (newValue) {
var treeConfig = {
- "plugins" : [ "themes", "json_data", "ui" ],
+ "plugins" : [ "json_data", "ui" ],
"json_data" : {
"data" : scope.data,
"progressive_render" : true
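Review bot: The reason `"themes"` is dropped from the jstree plugin list is not visible in the code, so a later edit could reinstate it and reintroduce the error the commit message attributes to the tightened CSP. A comment on the changed line would preserve the rationale, e.g. `// "themes" omitted: the jstree themes plugin fails under the Content-Security-Policy header (SOLR-13987)`. The `$watch` callback and the enclosing directive continue outside the hunk.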
diff --git a/solr/webapp/web/js/angular/controllers/cloud.js b/solr/webapp/web/js/angular/controllers/cloud.js
index b0ba421..48828e9 100644
--- a/solr/webapp/web/js/angular/controllers/cloud.js
+++ b/solr/webapp/web/js/angular/controllers/cloud.js
@@ -668,7 +668,7 @@ var graphSubController = function ($scope, Zookeeper) {
}
Zookeeper.clusterState(params, function (data) {
- eval("var state=" + data.znode.data); // @todo fix horrid means to parse JSON
+ var state = $.parseJSON(data.znode.data);
var leaf_count = 0;
var graph_data = {
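Review bot: `$.parseJSON` is a jQuery wrapper that newer jQuery releases deprecate in favour of the native parser, and unlike the `eval()` it replaces it throws a SyntaxError on non-JSON input, which nothing in this callback catches. Prefer `var state = JSON.parse(data.znode.data);` directly and, if an empty or missing znode value can reach this point (not determinable from the hunk), guard or catch so one bad node does not abort the whole graph rendering. Replacing `eval()` with a real JSON parser is the right fix, since the old form executed whatever the znode contained. The callback and the enclosing graphSubController continue outside the hunk.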