This is an automated email from the ASF dual-hosted git repository.
luoc pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/drill.git
The following commit(s) were added to refs/heads/master by this push:
new 47f6077 DRILL-7976: Fix XSS Vulnerability (#2279)
47f6077 is described below
commit 47f60779e8490985093dd4e7aac2407406c502ae
Author: Charles S. Givre <[email protected]>
AuthorDate: Sat Jul 24 20:53:11 2021 -0400
DRILL-7976: Fix XSS Vulnerability (#2279)
---
exec/java-exec/pom.xml | 5 +++++
.../drill/exec/server/rest/profile/ProfileResources.java | 13 +++++++++----
exec/jdbc-all/pom.xml | 4 ++++
3 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/exec/java-exec/pom.xml b/exec/java-exec/pom.xml
index 79860d2..a022c7a 100644
--- a/exec/java-exec/pom.xml
+++ b/exec/java-exec/pom.xml
@@ -52,6 +52,11 @@
</exclusions>
</dependency>
<dependency>
+ <groupId>org.owasp.encoder</groupId>
+ <artifactId>encoder</artifactId>
+ <version>1.2.3</version>
+ </dependency>
+ <dependency>
<groupId>org.apache.kerby</groupId>
<artifactId>kerb-client</artifactId>
<version>${kerby.version}</version>
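Review bot: The new dependency pins `<version>1.2.3</version>` literally while the neighbouring dependency in the same block takes its version from a property (`<version>${kerby.version}</version>`). Since the encoder now carries part of the XSS defence, keeping its pin in one managed property (for example a constructed `${encoder.version}` alongside the other version properties) makes future upgrades a single edit and keeps the artifact visible in dependency-version review. This is a build-style point; the dependency itself is the right one for the change.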
diff --git
a/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/profile/ProfileResources.java
b/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/profile/ProfileResources.java
index b5e77b3..288df87 100644
---
a/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/profile/ProfileResources.java
+++
b/exec/java-exec/src/main/java/org/apache/drill/exec/server/rest/profile/ProfileResources.java
@@ -68,6 +68,8 @@ import
org.apache.drill.shaded.guava.com.google.common.collect.Lists;
import org.apache.drill.shaded.guava.com.google.common.cache.Cache;
import org.apache.drill.shaded.guava.com.google.common.cache.CacheBuilder;
+import static org.owasp.encoder.Encode.forHtml;
+
@Path("/")
@RolesAllowed(DrillUserPrincipal.AUTHENTICATED_ROLE)
public class ProfileResources {
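Review bot: The static import `import static org.owasp.encoder.Encode.forHtml;` hides, at the call site, that an output encoder is being applied; the file's other imports are all non-static, and a qualified `Encode.forHtml(queryId)` with a plain `import org.owasp.encoder.Encode;` reads as an explicit encoding step to the next maintainer. This is a style point only; `forHtml` is the appropriate OWASP encoder for an HTML body context.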
@@ -438,9 +440,12 @@ public class ProfileResources {
QueryId id = QueryIdHelper.getQueryIdFromString(queryId);
+ // Prevent XSS
+ String encodedQueryID = forHtml(queryId);
+
// first check local running
if (work.getBee().cancelForeman(id, principal)) {
- return String.format("Cancelled query %s on locally running node.",
queryId);
+ return String.format("Cancelled query %s on locally running node.",
encodedQueryID);
}
// then check remote running
@@ -450,14 +455,14 @@ public class ProfileResources {
checkOrThrowQueryCancelAuthorization(info.getUser(), queryId);
Ack a =
work.getContext().getController().getTunnel(info.getForeman()).requestCancelQuery(id).checkedGet(2,
TimeUnit.SECONDS);
if(a.getOk()){
- return String.format("Query %s canceled on node %s.", queryId,
info.getForeman().getAddress());
+ return String.format("Query %s canceled on node %s.", encodedQueryID,
info.getForeman().getAddress());
}else{
- return String.format("Attempted to cancel query %s on %s but the query
is no longer active on that node.", queryId, info.getForeman().getAddress());
+ return String.format("Attempted to cancel query %s on %s but the query
is no longer active on that node.", encodedQueryID,
info.getForeman().getAddress());
}
}catch(Exception e){
logger.debug("Failure to find query as running profile.", e);
return String.format
- ("Failure attempting to cancel query %s. Unable to find information
about where query is actively running.", queryId);
+ ("Failure attempting to cancel query %s. Unable to find information
about where query is actively running.", encodedQueryID);
}
}
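Review bot: The fix assumes the returned message is rendered as HTML, but the method signature and any `@Produces` annotation are above the hunk, so the response content type is not visible here; if the endpoint is served as `text/plain`, the browser-side mitigation is the content type plus `X-Content-Type-Options: nosniff` rather than `forHtml`, and users would see `&lt;`-style entities in the message instead. In the same format strings the second interpolated value, `info.getForeman().getAddress()`, is still inserted raw; it comes from cluster state rather than the request, but if HTML encoding is warranted for the body it should be applied uniformly to every value placed in it so the output context stays consistent. The comment `// Prevent XSS` would be more useful as `// queryId is request input reflected into the response body; HTML-encode it once for every return path below (the raw value is still used for the id lookup and the authorization check).` The enclosing try/catch and the method signature start outside the hunk.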
diff --git a/exec/jdbc-all/pom.xml b/exec/jdbc-all/pom.xml
index cf5614e..73c34ca 100644
--- a/exec/jdbc-all/pom.xml
+++ b/exec/jdbc-all/pom.xml
@@ -176,6 +176,10 @@
<groupId>org.honton.chas.hocon</groupId>
<artifactId>jackson-dataformat-hocon</artifactId>
</exclusion>
+ <exclusion>
+ <groupId>org.owasp.encoder</groupId>
+ <artifactId>encoder</artifactId>
+ </exclusion>
</exclusions>
</dependency>
<dependency>