This is an automated email from the ASF dual-hosted git repository. brahma pushed a commit to branch branch-2.7 in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/branch-2.7 by this push: new aa531afa81 fix Ambari Spoofing Vulnerability aa531afa81 is described below commit aa531afa81eb472265c91e7e6e99b2be379a26b0 Author: Brahma Reddy Battula <bra...@apache.org> AuthorDate: Wed Nov 29 19:58:33 2023 +0530 fix Ambari Spoofing Vulnerability --- .../main/python/resource_management/core/shell.py | 27 +++++++++++++--------- ambari-server/pom.xml | 5 ++++ .../controller/AmbariManagementControllerImpl.java | 3 ++- .../internal/AlertTargetResourceProvider.java | 3 ++- .../internal/RequestResourceProvider.java | 3 ++- .../resources/custom_actions/scripts/check_host.py | 3 ++- .../resources/ui/app/components/diffTooltip.js | 6 ++--- .../src/main/resources/ui/app/helpers/escapeAcl.js | 2 +- 8 files changed, 33 insertions(+), 19 deletions(-) diff --git a/ambari-common/src/main/python/resource_management/core/shell.py b/ambari-common/src/main/python/resource_management/core/shell.py index d815732a3b..70fae97761 100644 --- a/ambari-common/src/main/python/resource_management/core/shell.py +++ b/ambari-common/src/main/python/resource_management/core/shell.py @@ -104,7 +104,7 @@ def checked_call(command, quiet=False, logoutput=None, stdout=subprocess32.PIPE, @log_function_call def call(command, quiet=False, logoutput=None, stdout=subprocess32.PIPE,stderr=subprocess32.STDOUT, cwd=None, env=None, preexec_fn=preexec_fn, user=None, wait_for_finish=True, timeout=None, on_timeout=None, - path=None, sudo=False, on_new_line=None, tries=1, try_sleep=0, timeout_kill_strategy=TerminateStrategy.TERMINATE_PARENT, returns=[0]): + path=None, sudo=False, on_new_line=None, tries=1, try_sleep=0, timeout_kill_strategy=TerminateStrategy.TERMINATE_PARENT, shell=True, returns=[0]): """ Execute the shell command despite failures. @return: return_code, output @@ -112,7 +112,7 @@ def call(command, quiet=False, logoutput=None, stdout=subprocess32.PIPE,stderr=s return _call_wrapper(command, logoutput=logoutput, throw_on_failure=False, stdout=stdout, stderr=stderr, cwd=cwd, env=env, preexec_fn=preexec_fn, user=user, wait_for_finish=wait_for_finish, on_timeout=on_timeout, timeout=timeout, path=path, sudo=sudo, on_new_line=on_new_line, - tries=tries, try_sleep=try_sleep, timeout_kill_strategy=timeout_kill_strategy, returns=returns) + tries=tries, try_sleep=try_sleep, timeout_kill_strategy=timeout_kill_strategy, shell=shell, returns=returns) @log_function_call def non_blocking_call(command, quiet=False, stdout=None, stderr=None, @@ -166,7 +166,7 @@ def _call_wrapper(command, **kwargs): def _call(command, logoutput=None, throw_on_failure=True, stdout=subprocess32.PIPE,stderr=subprocess32.STDOUT, cwd=None, env=None, preexec_fn=preexec_fn, user=None, wait_for_finish=True, timeout=None, on_timeout=None, - path=None, sudo=False, on_new_line=None, tries=1, try_sleep=0, timeout_kill_strategy=TerminateStrategy.TERMINATE_PARENT, returns=[0]): + path=None, sudo=False, on_new_line=None, tries=1, try_sleep=0, timeout_kill_strategy=TerminateStrategy.TERMINATE_PARENT, shell=True, returns=[0]): """ Execute shell command @@ -200,18 +200,23 @@ def _call(command, logoutput=None, throw_on_failure=True, stdout=subprocess32.PI command = as_sudo(command, env=env) elif user: command = as_user(command, user, env=env) - - # convert to string and escape - if isinstance(command, (list, tuple)): - command = string_cmd_from_args_list(command) - + + if isinstance(command, basestring): + subprocess32_command = [command] + elif shell: + # TODO: Remove this condition after reviewing 'shell' flag requirement where shell.call() is being used. + subprocess32_command = [string_cmd_from_args_list(command)] + else: + subprocess32_command = command + # replace placeholder from as_sudo / as_user if present env_str = _get_environment_str(env) for placeholder, replacement in PLACEHOLDERS_TO_STR.iteritems(): - command = command.replace(placeholder, replacement.format(env_str=env_str)) + subprocess32_command = [cmd.replace(placeholder, replacement.format(env_str=env_str)) for cmd in subprocess32_command] - # --noprofile is used to preserve PATH set for ambari-agent - subprocess32_command = ["/bin/bash","--login","--noprofile","-c", command] + if shell: + # --noprofile is used to preserve PATH set for ambari-agent + subprocess32_command = ["/bin/bash","--login","--noprofile","-c"] + subprocess32_command # don't create stdout and stderr pipes, because forked process will not be able to use them if current process dies # creating pipes may lead to the forked process silent crash diff --git a/ambari-server/pom.xml b/ambari-server/pom.xml index 5081451e4d..afcc387607 100644 --- a/ambari-server/pom.xml +++ b/ambari-server/pom.xml @@ -1162,6 +1162,11 @@ <artifactId>commons-compress</artifactId> <version>1.21</version> </dependency> + <dependency> + <groupId>org.apache.commons</groupId> + <artifactId>commons-text</artifactId> + <version>1.10.0</version> + </dependency> <dependency> <groupId>uk.com.robust-it</groupId> <artifactId>cloning</artifactId> diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java index 5156746c1f..46d7cc0717 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/AmbariManagementControllerImpl.java @@ -245,6 +245,7 @@ import org.apache.commons.collections.MapUtils; import org.apache.commons.lang.BooleanUtils; import org.apache.commons.lang.StringUtils; import org.apache.commons.lang.math.NumberUtils; +import org.apache.commons.text.StringEscapeUtils; import org.apache.http.HttpStatus; import org.apache.http.client.utils.URIBuilder; import org.slf4j.Logger; @@ -4084,7 +4085,7 @@ public class AmbariManagementControllerImpl implements AmbariManagementControlle String requestContext = ""; if (requestProperties != null) { - requestContext = requestProperties.get(REQUEST_CONTEXT_PROPERTY); + requestContext = StringEscapeUtils.escapeHtml4(requestProperties.get(REQUEST_CONTEXT_PROPERTY)); if (requestContext == null) { // guice needs a non-null value as there is no way to mark this parameter @Nullable requestContext = ""; diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertTargetResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertTargetResourceProvider.java index 6489ecf8e3..2483a8fc3c 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertTargetResourceProvider.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/AlertTargetResourceProvider.java @@ -53,6 +53,7 @@ import org.apache.ambari.server.state.AlertState; import org.apache.ambari.server.state.alert.AlertGroup; import org.apache.ambari.server.state.alert.AlertTarget; import org.apache.commons.lang.StringUtils; +import org.apache.commons.text.StringEscapeUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -275,7 +276,7 @@ public class AlertTargetResourceProvider extends private void createAlertTargets(Set<Map<String, Object>> requestMaps, Map<String, String> requestInfoProps) throws AmbariException { for (Map<String, Object> requestMap : requestMaps) { - String name = (String) requestMap.get(ALERT_TARGET_NAME); + String name = StringEscapeUtils.escapeHtml4((String) requestMap.get(ALERT_TARGET_NAME)); String description = (String) requestMap.get(ALERT_TARGET_DESCRIPTION); String notificationType = (String) requestMap.get(ALERT_TARGET_NOTIFICATION_TYPE); Collection<String> alertStates = (Collection<String>) requestMap.get(ALERT_TARGET_STATES); diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/RequestResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/RequestResourceProvider.java index d5222d203b..6efc8d6f49 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/RequestResourceProvider.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/RequestResourceProvider.java @@ -75,6 +75,7 @@ import org.apache.ambari.server.topology.LogicalRequest; import org.apache.ambari.server.topology.TopologyManager; import org.apache.ambari.server.utils.SecretReference; import org.apache.commons.lang.StringUtils; +import org.apache.commons.text.StringEscapeUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -431,7 +432,7 @@ public class RequestResourceProvider extends AbstractControllerResourceProvider // in this case it will be mapped to HTTP 400 Bad Request requestStatus = HostRoleStatus.valueOf(requestStatusStr); } - String abortReason = (String) propertyMap.get(REQUEST_ABORT_REASON_PROPERTY_ID); + String abortReason = StringEscapeUtils.escapeHtml4((String) propertyMap.get(REQUEST_ABORT_REASON_PROPERTY_ID)); String removePendingHostRequests = (String) propertyMap.get(REQUEST_REMOVE_PENDING_HOST_REQUESTS_ID); RequestRequest requestRequest = new RequestRequest(clusterNameStr, requestId); diff --git a/ambari-server/src/main/resources/custom_actions/scripts/check_host.py b/ambari-server/src/main/resources/custom_actions/scripts/check_host.py index f3a72a610c..5dc3f44d84 100644 --- a/ambari-server/src/main/resources/custom_actions/scripts/check_host.py +++ b/ambari-server/src/main/resources/custom_actions/scripts/check_host.py @@ -40,6 +40,7 @@ from ambari_commons.constants import AMBARI_SUDO_BINARY from resource_management.core import shell from resource_management.core.logger import Logger from resource_management.core.utils import PasswordString +from shlex import split # WARNING. If you are adding a new host check that is used by cleanup, add it to BEFORE_CLEANUP_HOST_CHECKS @@ -454,7 +455,7 @@ class CheckHost(Script): db_connection_check_command = "LD_LIBRARY_PATH=$LD_LIBRARY_PATH:{0}{1} {2}".format(agent_cache_dir, LIBS_PATH_IN_ARCHIVE_SQLA, db_connection_check_command) - code, out = shell.call(db_connection_check_command) + code, out = shell.call(split(db_connection_check_command, comments=True), shell=False) if code == 0: db_connection_check_structured_output = {"exit_code" : 0, "message": "DB connection check completed successfully!" } diff --git a/contrib/views/capacity-scheduler/src/main/resources/ui/app/components/diffTooltip.js b/contrib/views/capacity-scheduler/src/main/resources/ui/app/components/diffTooltip.js index 1f26c2b389..7655d60df8 100644 --- a/contrib/views/capacity-scheduler/src/main/resources/ui/app/components/diffTooltip.js +++ b/contrib/views/capacity-scheduler/src/main/resources/ui/app/components/diffTooltip.js @@ -52,8 +52,8 @@ App.DiffTooltipComponent = Em.Component.extend({ caption += fmtString.fmt( [prefix,item].compact().join('.'), - (oldV != null && '\'%@\''.fmt(oldV)) || emptyValue, - (newV != null && '\'%@\''.fmt(newV)) || emptyValue + Handlebars.Utils.escapeExpression((oldV != null && '\'%@\''.fmt(oldV))) || emptyValue, + Handlebars.Utils.escapeExpression((newV != null && '\'%@\''.fmt(newV))) || emptyValue ); }, initialLabels, @@ -79,7 +79,7 @@ App.DiffTooltipComponent = Em.Component.extend({ oldV = ((isAllChanged && changes._accessAllLabels.objectAt(0)) || (queue.get('accessAllLabels') && !isAllChanged))?'*':initialLabels.map(idsToNames).join(',') || emptyValue; newV = ((isAllChanged && changes._accessAllLabels.objectAt(1)) || (queue.get('accessAllLabels') && !isAllChanged))?'*':currentLabels.map(idsToNames).join(',') || emptyValue; - caption += fmtString.fmt('accessible-node-labels', oldV, newV); + caption += fmtString.fmt('accessible-node-labels', Handlebars.Utils.escapeExpression(oldV), Handlebars.Utils.escapeExpression(newV)); } queue.get('labels').forEach(function (label) { diff --git a/contrib/views/capacity-scheduler/src/main/resources/ui/app/helpers/escapeAcl.js b/contrib/views/capacity-scheduler/src/main/resources/ui/app/helpers/escapeAcl.js index 125b037357..b8af22c0fa 100644 --- a/contrib/views/capacity-scheduler/src/main/resources/ui/app/helpers/escapeAcl.js +++ b/contrib/views/capacity-scheduler/src/main/resources/ui/app/helpers/escapeAcl.js @@ -20,7 +20,7 @@ Ember.Handlebars.helper('escapeACL', function(value) { var output = ''; - value = value || ''; + value = Handlebars.Utils.escapeExpression(value || ''); if (value.trim() == '') { output = '<span class="label label-danger"> <i class="fa fa-ban fa-fw"></i> Nobody </span> '; --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@ambari.apache.org For additional commands, e-mail: commits-h...@ambari.apache.org