This is an automated email from the ASF dual-hosted git repository.

alexantonenko pushed a commit to branch branch-2.7
in repository https://gitbox.apache.org/repos/asf/ambari.git


The following commit(s) were added to refs/heads/branch-2.7 by this push:
     new a2071be  AMBARI-25172. XSS - cross site scripting vulnerability
     new 5bf7f97  Merge pull request #2865 from hiveww/AMBARI-25172-branch2.7
a2071be is described below

commit a2071beed2b03319c43ddf80eac30a571af02c1a
Author: Alex Antonenko <aantone...@hortonworks.com>
AuthorDate: Wed Mar 13 17:58:51 2019 +0200

    AMBARI-25172. XSS - cross site scripting vulnerability
---
 .../main/service/widgets/create/step2_controller.js       | 15 ++++++++++++++-
 ambari-web/app/messages.js                                |  1 +
 .../templates/main/service/widgets/create/step2_graph.hbs | 12 +++++++++++-
 ambari-web/app/utils/validator.js                         |  5 +++++
 .../main/service/widgets/create/step2_controller_test.js  |  5 +++++
 5 files changed, 36 insertions(+), 2 deletions(-)

diff --git 
a/ambari-web/app/controllers/main/service/widgets/create/step2_controller.js 
b/ambari-web/app/controllers/main/service/widgets/create/step2_controller.js
index 7107e52..cfbbe29 100644
--- a/ambari-web/app/controllers/main/service/widgets/create/step2_controller.js
+++ b/ambari-web/app/controllers/main/service/widgets/create/step2_controller.js
@@ -17,6 +17,7 @@
  */
 
 var App = require('app');
+var validator = require('utils/validator');
 
 App.WidgetWizardStep2Controller = Em.Controller.extend({
   name: "widgetWizardStep2Controller",
@@ -174,7 +175,7 @@ App.WidgetWizardStep2Controller = Em.Controller.extend({
       isMetricsIncluded = expressions.some(this.isExpressionWithMetrics);
 
     for (var i = 0; i < dataSets.length; i++) {
-      if (dataSets[i].get('label').trim() === '' || 
!this.isExpressionComplete(dataSets[i].get('expression'))) {
+      if (!this.checkIfIsLabelValid(dataSets[i]) || 
!this.isExpressionComplete(dataSets[i].get('expression'))) {
         isComplete = false;
         break;
       }
@@ -183,6 +184,18 @@ App.WidgetWizardStep2Controller = Em.Controller.extend({
   },
 
   /**
+   * if label is valid
+   * @param dataset
+   * @returns {boolean} isValid
+   */
+  checkIfIsLabelValid: function(dataset) {
+    var label = dataset.get('label');
+    var isValid = label.trim() !== '' && 
validator.isValidChartWidgetDatasetLabel(label);
+    dataset.set('isInvalidLabel', !isValid);
+    return isValid;
+  },
+
+  /**
    * check whether data of template widget is complete
    * @param {Array} expressions
    * @param {string} templateValue
diff --git a/ambari-web/app/messages.js b/ambari-web/app/messages.js
index 33d8852..8bc0888 100644
--- a/ambari-web/app/messages.js
+++ b/ambari-web/app/messages.js
@@ -3292,6 +3292,7 @@ Em.I18n.translations = {
   'widget.create.wizard.step2.body.text':'Define the expression with any 
metrics and valid operators. </br>Use parentheses when necessary.',
   'widget.create.wizard.step2.body.template':'Define the template with any 
number of expressions and any string. An expression can be referenced from a 
template by enclosing its name with double curly braces.',
   'widget.create.wizard.step2.body.warning':'Note: Valid operators are +, -, 
*, /',
+  'widget.create.wizard.step2.body.invalid.label': 'Invalid name. Only 
alphanumerics, underscores, hyphens, percentage and spaces are allowed.',
   'widget.create.wizard.step2.body.invalid.expression':'Expression is not 
complete or is invalid!',
   'widget.create.wizard.step2.body.invalid.expression2':'Invalid expression!',
   'widget.create.wizard.step2.body.invalid.msg2':'Only numbers or operators 
are allowed in this field.',
diff --git 
a/ambari-web/app/templates/main/service/widgets/create/step2_graph.hbs 
b/ambari-web/app/templates/main/service/widgets/create/step2_graph.hbs
index 5b49613..af86262 100644
--- a/ambari-web/app/templates/main/service/widgets/create/step2_graph.hbs
+++ b/ambari-web/app/templates/main/service/widgets/create/step2_graph.hbs
@@ -29,7 +29,17 @@
     {{/if}}
     {{#each dataSet in dataSets}}
       <fieldset>
-        <h5>{{view Ember.TextField valueBinding="dataSet.label" 
class="form-control"}}</h5>
+        <h5 {{bindAttr class="dataSet.isInvalidLabel:has-error"}}>
+          {{view Ember.TextField valueBinding="dataSet.label" 
class="form-control"}}
+          {{#if dataSet.isInvalidLabel}}
+            <div>
+              <span class="help-block validation-block">
+                {{t widget.create.wizard.step2.body.invalid.label}}
+              </span>
+            </div>
+          {{/if}}
+        </h5>
+
         <h5>{{t common.expression}}:</h5>
         {{view App.WidgetWizardExpressionView 
expressionBinding="dataSet.expression"}}
         {{#if dataSet.isRemovable}}
diff --git a/ambari-web/app/utils/validator.js 
b/ambari-web/app/utils/validator.js
index e2dc2b1..1ebe6c7 100644
--- a/ambari-web/app/utils/validator.js
+++ b/ambari-web/app/utils/validator.js
@@ -325,6 +325,11 @@ module.exports = {
     return widgetDescriptionRegex.test(value);
   },
 
+  isValidChartWidgetDatasetLabel: function (value) {
+    var widgetDescriptionRegex = /^[\s0-9a-z_\-%]+$/i;
+    return widgetDescriptionRegex.test(value);
+  },
+
   /**
    * Validate alert name
    * @param {string} value
diff --git 
a/ambari-web/test/controllers/main/service/widgets/create/step2_controller_test.js
 
b/ambari-web/test/controllers/main/service/widgets/create/step2_controller_test.js
index 856a09d..95f8421 100644
--- 
a/ambari-web/test/controllers/main/service/widgets/create/step2_controller_test.js
+++ 
b/ambari-web/test/controllers/main/service/widgets/create/step2_controller_test.js
@@ -247,6 +247,11 @@ describe('App.WidgetWizardStep2Controller', function () {
           title: 'label is empty'
         },
         {
+          dataSets: [Em.Object.create({label: 
'<script>alert(\'hello\')</script>'})],
+          isGraphDataComplete: false,
+          title: 'not aalowed symbols'
+        },
+        {
           dataSets: [Em.Object.create({label: 'abc'})],
           isExpressionComplete: false,
           isGraphDataComplete: false,

Reply via email to