This is an automated email from the ASF dual-hosted git repository.

jialiang pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ambari.git

commit 8122a0084f46501a7314454436e79209f5e5ec9a
Author: Brahma Reddy Battula <[email protected]>
AuthorDate: Sun Dec 17 23:00:51 2023 +0530

    fix xss vulnerability. Contributed by Nikhil Daf <[email protected]>.
    
    (cherry picked from commit 3c8cc171c55ca1a4ee24badefc527e4cbafd7bf4)
---
 .../internal/WidgetResourceProvider.java           | 27 +++++++++++++++++-----
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/WidgetResourceProvider.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/WidgetResourceProvider.java
index 751cfee63a..3b4b5c9069 100644
--- 
a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/WidgetResourceProvider.java
+++ 
b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/WidgetResourceProvider.java
@@ -49,11 +49,17 @@ import 
org.apache.ambari.server.security.authorization.AuthorizationHelper;
 import org.apache.ambari.server.security.authorization.ResourceType;
 import org.apache.commons.lang.ObjectUtils;
 import org.apache.commons.lang.StringUtils;
+import org.apache.commons.text.StringEscapeUtils;
 import org.springframework.security.access.AccessDeniedException;
 
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+import com.google.gson.JsonSerializer;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonSerializationContext;
+import com.google.gson.JsonPrimitive;
 import com.google.inject.Inject;
 
 /**
@@ -112,8 +118,17 @@ public class WidgetResourceProvider extends 
AbstractControllerResourceProvider {
   @Inject
   private static WidgetDAO widgetDAO;
 
-  @Inject
-  private static Gson gson;
+  private static Gson gson = new 
GsonBuilder().enableComplexMapKeySerialization().disableHtmlEscaping()
+          .serializeNulls().setPrettyPrinting().registerTypeAdapter(
+                  String.class,
+                  new JsonSerializer<String>(){
+                    @Override
+                    public JsonElement serialize(String src, 
java.lang.reflect.Type typeOfSrc, JsonSerializationContext context) {
+                      return new 
JsonPrimitive(StringEscapeUtils.escapeHtml4(src));
+                    }
+                  })
+          .create();
+
 
   /**
    * Create a new resource provider.
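Review bot: The String serializer registered on the new `gson` field HTML-encodes every string at serialization time, so whatever this provider serializes with it (presumably the widget values/properties JSON — the call sites are outside this hunk) is stored or returned with `&lt;`/`&amp;` entities instead of the original text, and no matching deserializer reverses it, so a read-modify-write cycle through this class would encode the data a second time. Output encoding belongs where the value is placed into HTML, not inside a JSON codec; if the concern is `<`/`>` appearing in embedded JSON, Gson's default HTML-safe writer (which `disableHtmlEscaping()` turns off on the same line) already emits `\u003c`-style escapes without changing the decoded value, so dropping both `disableHtmlEscaping()` and the adapter is the smaller fix. The field also lost `@Inject` but is still mutable; make it `private static final Gson gson = ...`, and since `JsonSerializer` is a functional interface the anonymous class can become `registerTypeAdapter(String.class, (JsonSerializer<String>) (src, type, ctx) -> new JsonPrimitive(StringEscapeUtils.escapeHtml4(src)))` with `java.lang.reflect.Type` imported rather than spelled inline.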
@@ -156,7 +171,7 @@ public class WidgetResourceProvider extends 
AbstractControllerResourceProvider {
             throw new AccessDeniedException("Only cluster operator can create 
widgets with cluster scope");
           }
 
-          
entity.setWidgetName(properties.get(WIDGET_WIDGET_NAME_PROPERTY_ID).toString());
+          
entity.setWidgetName(StringEscapeUtils.escapeHtml4(properties.get(WIDGET_WIDGET_NAME_PROPERTY_ID).toString()));
           
entity.setWidgetType(properties.get(WIDGET_WIDGET_TYPE_PROPERTY_ID).toString());
           
entity.setClusterId(getManagementController().getClusters().getCluster(clusterName).getClusterId());
           entity.setScope(scope);
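Review bot: Applying `StringEscapeUtils.escapeHtml4` to the widget name in `setWidgetName` encodes for an HTML context at the point of storage, so the persisted value and every non-HTML consumer (the JSON API, logs, name comparisons) now see `&amp;`/`&lt;` rather than the submitted text; the same applies to the description in the next hunk and to the two update-path hunks further down. Because the update path re-encodes whatever the client sends, a client that writes back a name it previously read will get it encoded again (`&amp;` becoming `&amp;amp;`) — inferred, since the read side is outside this diff. `escapeHtml4` also leaves the apostrophe untouched, so it does not cover single-quoted attribute or script contexts; encoding where the value is rendered is the robust place, with the server keeping the raw value. If storage-side encoding is kept deliberately, state it at the call: `// widget name is persisted HTML-encoded; consumers must not encode it again`.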
@@ -168,7 +183,7 @@ public class WidgetResourceProvider extends 
AbstractControllerResourceProvider {
           entity.setAuthor(getAuthorName(properties));
 
           String description = 
(properties.containsKey(WIDGET_DESCRIPTION_PROPERTY_ID)) ?
-                  properties.get(WIDGET_DESCRIPTION_PROPERTY_ID).toString() : 
null;
+                  
StringEscapeUtils.escapeHtml4(properties.get(WIDGET_DESCRIPTION_PROPERTY_ID).toString())
 : null;
           entity.setDescription(description);
 
           String values = (properties.containsKey(WIDGET_VALUES_PROPERTY_ID)) ?
@@ -286,7 +301,7 @@ public class WidgetResourceProvider extends 
AbstractControllerResourceProvider {
           }
 
           if 
(StringUtils.isNotBlank(ObjectUtils.toString(propertyMap.get(WIDGET_WIDGET_NAME_PROPERTY_ID))))
 {
-            
entity.setWidgetName(propertyMap.get(WIDGET_WIDGET_NAME_PROPERTY_ID).toString());
+            
entity.setWidgetName(StringEscapeUtils.escapeHtml4(propertyMap.get(WIDGET_WIDGET_NAME_PROPERTY_ID).toString()));
           }
 
           if 
(StringUtils.isNotBlank(ObjectUtils.toString(propertyMap.get(WIDGET_WIDGET_TYPE_PROPERTY_ID))))
 {
@@ -300,7 +315,7 @@ public class WidgetResourceProvider extends 
AbstractControllerResourceProvider {
           entity.setAuthor(getAuthorName(propertyMap));
 
           if 
(StringUtils.isNotBlank(ObjectUtils.toString(propertyMap.get(WIDGET_DESCRIPTION_PROPERTY_ID))))
 {
-            
entity.setDescription(propertyMap.get(WIDGET_DESCRIPTION_PROPERTY_ID).toString());
+            
entity.setDescription(StringEscapeUtils.escapeHtml4(propertyMap.get(WIDGET_DESCRIPTION_PROPERTY_ID).toString()));
           }
 
           if 
(StringUtils.isNotBlank(ObjectUtils.toString(propertyMap.get(WIDGET_SCOPE_PROPERTY_ID))))
 {

