This is an automated email from the ASF dual-hosted git repository.

alexantonenko pushed a commit to branch branch-2.6
in repository https://gitbox.apache.org/repos/asf/ambari.git


The following commit(s) were added to refs/heads/branch-2.6 by this push:
     new c902b0d  AMBARI-25172. XSS - cross site scripting vulnerability
     new 56062c0  Merge pull request #2864 from hiveww/AMBARI-25172-branch2.6
c902b0d is described below

commit c902b0d748ece735ea5ececd713c0ff6f475163e
Author: Alex Antonenko <aantone...@hortonworks.com>
AuthorDate: Wed Mar 13 17:52:51 2019 +0200

    AMBARI-25172. XSS - cross site scripting vulnerability
---
 .../main/service/widgets/create/step2_controller.js       | 15 ++++++++++++++-
 ambari-web/app/messages.js                                |  1 +
 .../templates/main/service/widgets/create/step2_graph.hbs |  9 ++++++++-
 ambari-web/app/utils/validator.js                         |  5 +++++
 .../main/service/widgets/create/step2_controller_test.js  |  5 +++++
 5 files changed, 33 insertions(+), 2 deletions(-)

diff --git 
a/ambari-web/app/controllers/main/service/widgets/create/step2_controller.js 
b/ambari-web/app/controllers/main/service/widgets/create/step2_controller.js
index 4e3ab91..8f26c09 100644
--- a/ambari-web/app/controllers/main/service/widgets/create/step2_controller.js
+++ b/ambari-web/app/controllers/main/service/widgets/create/step2_controller.js
@@ -17,6 +17,7 @@
  */
 
 var App = require('app');
+var validator = require('utils/validator');
 
 App.WidgetWizardStep2Controller = Em.Controller.extend({
   name: "widgetWizardStep2Controller",
@@ -148,7 +149,7 @@ App.WidgetWizardStep2Controller = Em.Controller.extend({
       isMetricsIncluded = expressions.some(this.isExpressionWithMetrics);
 
     for (var i = 0; i < dataSets.length; i++) {
-      if (dataSets[i].get('label').trim() === '' || 
!this.isExpressionComplete(dataSets[i].get('expression'))) {
+      if (!this.checkIfIsLabelValid(dataSets[i]) || 
!this.isExpressionComplete(dataSets[i].get('expression'))) {
         isComplete = false;
         break;
       }
@@ -157,6 +158,18 @@ App.WidgetWizardStep2Controller = Em.Controller.extend({
   },
 
   /**
+    * if label is valid
+    * @param dataset
+    * @returns {boolean} isValid
+    */
+  checkIfIsLabelValid: function(dataset) {
+    var label = dataset.get('label');
+    var isValid = label.trim() !== '' && 
validator.isValidChartWidgetDatasetLabel(label);
+    dataset.set('isInvalidLabel', !isValid);
+    return isValid;
+  },
+
+  /**
    * check whether data of template widget is complete
    * @param {Array} expressions
    * @param {string} templateValue
diff --git a/ambari-web/app/messages.js b/ambari-web/app/messages.js
index 851e331..9369262 100644
--- a/ambari-web/app/messages.js
+++ b/ambari-web/app/messages.js
@@ -3117,6 +3117,7 @@ Em.I18n.translations = {
   'widget.create.wizard.step2.body.text':'Define the expression with any 
metrics and valid operators. </br>Use parentheses when necessary.',
   'widget.create.wizard.step2.body.template':'Define the template with any 
number of expressions and any string. An expression can be referenced from a 
template by enclosing its name with double curly braces.',
   'widget.create.wizard.step2.body.warning':'Note: Valid operators are +, -, 
*, /',
+  'widget.create.wizard.step2.body.invalid.label': 'Invalid name. Only 
alphanumerics, underscores, hyphens, percentage and spaces are allowed.',
   'widget.create.wizard.step2.body.template.invalid.msg':'Invalid expression 
name existed. Should use name "Expression#" with double curly braces.',
   'widget.create.wizard.step2.addExpression': 'Add Expression',
   'widget.create.wizard.step2.addDataset': 'Add data set',
diff --git 
a/ambari-web/app/templates/main/service/widgets/create/step2_graph.hbs 
b/ambari-web/app/templates/main/service/widgets/create/step2_graph.hbs
index 17e4790..b413b85 100644
--- a/ambari-web/app/templates/main/service/widgets/create/step2_graph.hbs
+++ b/ambari-web/app/templates/main/service/widgets/create/step2_graph.hbs
@@ -23,7 +23,14 @@
 
 {{#each dataSet in dataSets}}
   <fieldset>
-    <h5>{{view Ember.TextField valueBinding="dataSet.label"}}</h5>
+    <h5 {{bindAttr class="dataSet.isInvalidLabel:has-error"}}>
+      {{view Ember.TextField valueBinding="dataSet.label" 
class="form-control"}}
+      {{#if dataSet.isInvalidLabel}}
+        <div class="alert alert-info">
+          {{t widget.create.wizard.step2.body.invalid.label}}
+        </div>
+      {{/if}}
+    </h5>
     <h5>{{t common.expression}}:</h5>
     {{view App.WidgetWizardExpressionView 
expressionBinding="dataSet.expression"}}
     {{#if dataSet.isRemovable}}
diff --git a/ambari-web/app/utils/validator.js 
b/ambari-web/app/utils/validator.js
index dd3d6c0..bc4f24d 100644
--- a/ambari-web/app/utils/validator.js
+++ b/ambari-web/app/utils/validator.js
@@ -316,6 +316,11 @@ module.exports = {
     return widgetDescriptionRegex.test(value);
   },
 
+  isValidChartWidgetDatasetLabel: function (value) {
+    var widgetDescriptionRegex = /^[\s0-9a-z_\-%]+$/i;
+    return widgetDescriptionRegex.test(value);
+  },
+
   /**
    * Validate alert name
    * @param {string} value
diff --git 
a/ambari-web/test/controllers/main/service/widgets/create/step2_controller_test.js
 
b/ambari-web/test/controllers/main/service/widgets/create/step2_controller_test.js
index 1b002790..ed37f1d 100644
--- 
a/ambari-web/test/controllers/main/service/widgets/create/step2_controller_test.js
+++ 
b/ambari-web/test/controllers/main/service/widgets/create/step2_controller_test.js
@@ -247,6 +247,11 @@ describe('App.WidgetWizardStep2Controller', function () {
           title: 'label is empty'
         },
         {
+          dataSets: [Em.Object.create({label: 
'<script>alert(\'hello\')</script>'})],
+          isGraphDataComplete: false,
+          title: 'not aalowed symbols'
+        },
+        {
           dataSets: [Em.Object.create({label: 'abc'})],
           isExpressionComplete: false,
           isGraphDataComplete: false,

Reply via email to