This is an automated email from the ASF dual-hosted git repository. sachouche pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/drill.git
commit 5542cc98f38003f028d97f95d257604c91723d70 Author: Anton Gozhiy <[email protected]> AuthorDate: Thu May 23 19:41:45 2019 +0300 DRILL-7276: Fixed an XSS vulnerability in Drill Web-UI query profile page
---
 exec/java-exec/src/main/resources/rest/alertModals.ftl | 11 ++++++++++-
 exec/java-exec/src/main/resources/rest/static/js/graph.js | 2 +-
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/exec/java-exec/src/main/resources/rest/alertModals.ftl b/exec/java-exec/src/main/resources/rest/alertModals.ftl
index 320d96d..17f0275 100644
--- a/exec/java-exec/src/main/resources/rest/alertModals.ftl
+++ b/exec/java-exec/src/main/resources/rest/alertModals.ftl
@@ -62,7 +62,7 @@ var inputValuesKeys = Object.keys(inputValues); for (i=0; i<inputValuesKeys.length; ++i) { let currKey=inputValuesKeys[i];
- updatedHtml=updatedHtml.replace(currKey, inputValues[currKey]);
+ updatedHtml=updatedHtml.replace(currKey, escapeHtml(inputValues[currKey]));
 } modalBody.innerHTML=updatedHtml; }
@@ -70,6 +70,15 @@ $('#errorModal').modal('show'); }
+ function escapeHtml(str) {
+ return str.replace(/&/g,'&')
+ .replace(/</g,'<')
+ .replace(/>/g,'>')
+ .replace(/"/g,'"')
+ .replace(/'/g,''')
+ .replace(/\//g,'/');
+ }
+
 //Map of error messages to populate the alert modal var errorMap = { "userNameMissing": {
diff --git a/exec/java-exec/src/main/resources/rest/static/js/graph.js b/exec/java-exec/src/main/resources/rest/static/js/graph.js
index 5801245..81042e8 100644
--- a/exec/java-exec/src/main/resources/rest/static/js/graph.js
+++ b/exec/java-exec/src/main/resources/rest/static/js/graph.js
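Review bot: The escaped value on the new `updatedHtml.replace(currKey, escapeHtml(inputValues[currKey]))` line is still passed to `String.prototype.replace` as a replacement string, so `$`-sequences in a user-supplied value are interpreted as replacement patterns (`$$` collapses to `$`, `$&` re-inserts the matched key); because the HTML metacharacters are already escaped this garbles the rendered value rather than enabling injection, but it is easily avoided. A function replacer is never pattern-interpreted: `updatedHtml = updatedHtml.replace(currKey, function () { return escapeHtml(inputValues[currKey]); });`. Note that a string pattern substitutes only the first occurrence of `currKey`, which is pre-existing behaviour and unchanged by this commit. The enclosing function begins before this hunk.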
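Review bot: `escapeHtml` calls `str.replace` without checking its argument, so if `inputValues` can carry a non-string (a number, or `undefined` for a key that was never populated) the loop in the earlier hunk throws a TypeError instead of rendering the modal; coercing first, `return String(str).replace(/&/g, ...)`, keeps the escaping total. As printed on this page the replacement strings look identical to the characters they replace (`/&/g,'&'`, `/</g,'<'`), which would make the function a no-op and leave the XSS in place — presumably the entity references (`&amp;`, `&lt;`, `&gt;`, `&quot;`, `&#39;`, `&#x2F;`) were decoded when the page was rendered, but that is worth confirming against the committed file. The function also has no doc comment; a one-liner such as `/** Escape HTML metacharacters so a value can be interpolated into innerHTML without being parsed as markup. */` would record why `&` must be replaced first.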
@@ -390,7 +390,7 @@ $(window).on('load',(function () { // add json profile on click $('#full-json-profile-json').on('shown.bs.collapse', function (e) { if (jsonprofileshown) return; - $('#full-json-profile-json').html(JSON.stringify(globalconfig.profile, null, 4)); + $('#full-json-profile-json').text(JSON.stringify(globalconfig.profile, null, 4)).html(); }); //builddomtable(d3.select("#timing-table")
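Review bot: The trailing `.html()` on the new `$('#full-json-profile-json').text(...).html();` line is a jQuery getter whose return value is discarded, so it does nothing to the DOM and only suggests to a reader that the content is being re-inserted as HTML; the line should end at `.text(JSON.stringify(globalconfig.profile, null, 4));`. The switch from `.html()` to `.text()` is the right fix, since `.text()` sets the element's text content and any markup inside the profile JSON is shown literally. The enclosing `$(window).on('load', ...)` callback named in the hunk header begins outside this hunk.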
