Repository: oozie Updated Branches: refs/heads/master 2f6bced4f -> f638381da
OOZIE-3109 [log-streaming] Escape HTML-specific characters (dionusos via andras.piros)
Project: http://git-wip-us.apache.org/repos/asf/oozie/repo
Commit: http://git-wip-us.apache.org/repos/asf/oozie/commit/f638381d
Tree: http://git-wip-us.apache.org/repos/asf/oozie/tree/f638381d
Diff: http://git-wip-us.apache.org/repos/asf/oozie/diff/f638381d
Branch: refs/heads/master
Commit: f638381dacf5d0720f9f1f9786ea30d4493ada2a
Parents: 2f6bced
Author: Andras Piros <[email protected]>
Authored: Mon Jul 2 10:51:31 2018 +0200
Committer: Andras Piros <[email protected]>
Committed: Mon Jul 2 10:51:31 2018 +0200
----------------------------------------------------------------------
.../oozie/service/XLogStreamingService.java | 3 ++-
.../oozie/service/ZKXLogStreamingService.java | 12 +++++----
.../oozie/util/TimestampedMessageParser.java | 3 ++-
.../org/apache/oozie/util/XLogStreamer.java | 5 ++--
.../oozie/service/TestXLogStreamingService.java | 27 ++++++++++++++++++++
release-log.txt | 1 +
6 files changed, 42 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/oozie/blob/f638381d/core/src/main/java/org/apache/oozie/service/XLogStreamingService.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/oozie/service/XLogStreamingService.java b/core/src/main/java/org/apache/oozie/service/XLogStreamingService.java
index 3cfbeac..f841425 100644
--- a/core/src/main/java/org/apache/oozie/service/XLogStreamingService.java
+++ b/core/src/main/java/org/apache/oozie/service/XLogStreamingService.java
@@ -18,6 +18,7 @@ package org.apache.oozie.service;
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.oozie.util.Instrumentable;
 import org.apache.oozie.util.Instrumentation;
@@ -92,7 +93,7 @@ public class XLogStreamingService implements Service, Instrumentable {
 protected void streamLog(XLogStreamer logStreamer, Date startTime, Date endTime, Writer writer, boolean appendDebug) throws IOException {
 if (!logStreamer.isLogEnabled()) {
- writer.write(logStreamer.getLogDisableMessage());
+ writer.write(StringEscapeUtils.escapeHtml(logStreamer.getLogDisableMessage()));
 return;
 }
 logStreamer.streamLog(writer, startTime, endTime, appendDebug);
http://git-wip-us.apache.org/repos/asf/oozie/blob/f638381d/core/src/main/java/org/apache/oozie/service/ZKXLogStreamingService.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/oozie/service/ZKXLogStreamingService.java b/core/src/main/java/org/apache/oozie/service/ZKXLogStreamingService.java
index 3a5081c..9aa3276 100644
--- a/core/src/main/java/org/apache/oozie/service/ZKXLogStreamingService.java
+++ b/core/src/main/java/org/apache/oozie/service/ZKXLogStreamingService.java
@@ -27,6 +27,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.TreeMap;
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.curator.x.discovery.ServiceInstance;
 import org.apache.oozie.ErrorCode;
@@ -103,7 +104,7 @@ public class ZKXLogStreamingService extends XLogStreamingService implements Serv
 public void streamLog(XLogStreamer logStreamer, Date startTime, Date endTime, Writer writer) throws IOException {
 if (!logStreamer.isLogEnabled()) {
- writer.write(logStreamer.getLogDisableMessage());
+ writer.write(StringEscapeUtils.escapeHtml(logStreamer.getLogDisableMessage()));
 return;
 }
 // If ALL_SERVERS_PARAM is set to false, then only stream our log
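Review bot: `StringEscapeUtils.escapeHtml` from commons-lang 2, now wrapped around `getLogDisableMessage()` in `streamLog`, does more than neutralise the four markup characters: it rewrites every non-ASCII character into a named HTML 4 entity and leaves the apostrophe untouched, so accented text in a message is emitted as `&eacute;`-style entities while `'` passes through. Because the call sits in the streaming layer, every consumer of this `Writer` receives entity-encoded output; if the same path also feeds clients that render the stream as plain text, they will now see `&lt;` and `&gt;` in their logs, which is worth confirming before merge. Escaping where the response content type is decided would keep the core stream neutral; if the escaping is meant to stay here, record the contract with a comment such as `// output is HTML-escaped: every reader of this Writer must treat it as HTML text`. The same call is added to `ZKXLogStreamingService.streamLog` further down this line, to the truncated/debug messages in the later `ZKXLogStreamingService` and `XLogStreamer` hunks, and to `TimestampedMessageParser.processRemaining`. The body of `streamLog` continues outside the hunk.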
@@ -187,11 +188,11 @@ public class ZKXLogStreamingService extends XLogStreamingService implements Serv
 //If log param debug is set, we need to write start date and end date to outputstream.
 if(!StringUtils.isEmpty(logStreamer.getXLogFilter().getTruncatedMessage())){
- writer.write(logStreamer.getXLogFilter().getTruncatedMessage());
+ writer.write(StringEscapeUtils.escapeHtml(logStreamer.getXLogFilter().getTruncatedMessage()));
 }
 if (logStreamer.getXLogFilter().isDebugMode()) {
- writer.write(logStreamer.getXLogFilter().getDebugMessage());
+ writer.write(StringEscapeUtils.escapeHtml(logStreamer.getXLogFilter().getDebugMessage()));
 }
 // Add a message about any servers we couldn't contact
 if (!badOozies.isEmpty()) {
@@ -226,7 +227,7 @@ public class ZKXLogStreamingService extends XLogStreamingService implements Serv
 // The first entry will be the earliest based on the timestamp (also removes it) from the map
 TimestampedMessageParser earliestParser = timestampMap.pollFirstEntry().getValue();
 // Write the message from that parser at that timestamp
- writer.write(earliestParser.getLastMessage());
+ writer.write(StringEscapeUtils.escapeHtml(earliestParser.getLastMessage()));
 if (logStreamer.shouldFlushOutput(earliestParser.getLastMessage().length())) {
 writer.flush();
 }
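Review bot: In the `@@ -226` hunk the flush check still hands `earliestParser.getLastMessage().length()` to `shouldFlushOutput`, while what was actually written is the escaped string, which is longer whenever the message contains `<`, `>`, `&`, `"` or non-ASCII characters, so the flush accounting undercounts the characters pushed into the `Writer`. Escape once into a local and use its length: `final String escaped = StringEscapeUtils.escapeHtml(earliestParser.getLastMessage());` / `writer.write(escaped);` / `if (logStreamer.shouldFlushOutput(escaped.length())) {`. `TimestampedMessageParser.processRemaining` in a later hunk has the same mismatch with `lastMessage`. The enclosing method starts and ends outside the hunk.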
@@ -239,7 +240,8 @@ public class ZKXLogStreamingService extends XLogStreamingService implements Serv
 // If there's only one parser left in the map, then we can simply copy the rest of its lines directly to be faster
 if (timestampMap.size() == 1) {
 TimestampedMessageParser parser = timestampMap.values().iterator().next();
- writer.write(parser.getLastMessage()); // don't forget the last message read by the parser
+ // don't forget the last message read by the parser
+ writer.write(StringEscapeUtils.escapeHtml(parser.getLastMessage()));
 parser.processRemaining(writer, logStreamer);
 }
 }
http://git-wip-us.apache.org/repos/asf/oozie/blob/f638381d/core/src/main/java/org/apache/oozie/util/TimestampedMessageParser.java
----------------------------------------------------------------------
diff --git a/core/src/main/java/org/apache/oozie/util/TimestampedMessageParser.java b/core/src/main/java/org/apache/oozie/util/TimestampedMessageParser.java
index 1b87605..5c71ea1 100644
--- a/core/src/main/java/org/apache/oozie/util/TimestampedMessageParser.java
+++ b/core/src/main/java/org/apache/oozie/util/TimestampedMessageParser.java
@@ -24,6 +24,7 @@ import java.io.Writer;
 import java.util.ArrayList;
 import java.util.regex.Pattern;
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.oozie.service.Services;
 import org.apache.oozie.service.XLogStreamingService;
 import org.apache.oozie.util.LogLine.MATCHED_PATTERN;
@@ -204,7 +205,7 @@ public class TimestampedMessageParser {
 */
 public void processRemaining(Writer writer, XLogStreamer logStreamer) throws IOException {
 while (increment()) {
- writer.write(lastMessage);
+ writer.write(StringEscapeUtils.escapeHtml(lastMessage));
 if (logStreamer.shouldFlushOutput(lastMessage.length())) {
 writer.flush();
 }
http://git-wip-us.apache.org/repos/asf/oozie/blob/f638381d/core/src/main/java/org/apache/oozie/util/XLogStreamer.java
----------------------------------------------------------------------
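Review bot: The Javadoc of `processRemaining` ends just above the `@@ -204` hunk and does not mention that every message is now written HTML-escaped, which has become part of the method's contract: the single-parser path in `ZKXLogStreamingService` writes its own escaped `getLastMessage()` and then relies on `processRemaining` to escape the rest the same way. Add to that Javadoc `Each message is HTML-escaped before it is written to {@code writer}.` so the pairing is visible to the next caller. As a point of style, the escaping is now repeated at every `writer.write` call across four classes; a single escaping `Writer` wrapper installed where the output writer is created would stop a future write path from bypassing it, though that is a larger change than this fix. The `while` loop in `processRemaining` continues outside the hunk.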
diff --git a/core/src/main/java/org/apache/oozie/util/XLogStreamer.java b/core/src/main/java/org/apache/oozie/util/XLogStreamer.java
index f0291af..6edfa22 100644
--- a/core/src/main/java/org/apache/oozie/util/XLogStreamer.java
+++ b/core/src/main/java/org/apache/oozie/util/XLogStreamer.java
@@ -30,6 +30,7 @@ import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import java.io.BufferedReader;
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.commons.lang.StringUtils;
 import org.apache.oozie.client.rest.RestConstants;
 import org.apache.oozie.command.CommandException;
@@ -114,10 +115,10 @@ public class XLogStreamer {
 try {
 if (appendDebug) {
 if (!StringUtils.isEmpty(logFilter.getTruncatedMessage())) {
- writer.write(logFilter.getTruncatedMessage());
+ writer.write(StringEscapeUtils.escapeHtml(logFilter.getTruncatedMessage()));
 }
 if (logFilter.isDebugMode()) {
- writer.write(logFilter.getDebugMessage());
+ writer.write(StringEscapeUtils.escapeHtml(logFilter.getDebugMessage()));
 }
 }
 // Process the entire logs from the reader using the logFilter
http://git-wip-us.apache.org/repos/asf/oozie/blob/f638381d/core/src/test/java/org/apache/oozie/service/TestXLogStreamingService.java
----------------------------------------------------------------------
diff --git a/core/src/test/java/org/apache/oozie/service/TestXLogStreamingService.java b/core/src/test/java/org/apache/oozie/service/TestXLogStreamingService.java
index 1921f1b..5759211 100644
--- a/core/src/test/java/org/apache/oozie/service/TestXLogStreamingService.java
+++ b/core/src/test/java/org/apache/oozie/service/TestXLogStreamingService.java
@@ -413,6 +413,33 @@ public class TestXLogStreamingService extends XTestCase {
 assertFalse(log.contains("Truncated logs to max log scan duration"));
 }
+ public void testEscapingHtmlCharacters() throws Exception{
+ setupXLog();
+ XLogFilter xf = new XLogFilter(new XLogUserFilterParam(null));
+ xf.setParameter("USER", "oozie");
+ xf.setLogLevel("DEBUG|INFO");
+ File log4jFile = new File(getTestCaseConfDir(), "test-log4j.properties");
+ ClassLoader cl = Thread.currentThread().getContextClassLoader();
+ InputStream is = cl.getResourceAsStream("test-no-dash-log4j.properties");
+ Properties log4jProps = new Properties();
+ log4jProps.load(is);
+ // prevent conflicts with other tests by changing the log file location
+ log4jProps.setProperty("log4j.appender.oozie.File", getTestCaseDir() + "/oozie.log");
+ log4jProps.store(new FileOutputStream(log4jFile), "");
+ setSystemProperty(XLogService.LOG4J_FILE, log4jFile.getName());
+ try {
+ new Services().init();
+ assertFalse(doStreamDisabledCheck());
+ LogFactory.getLog("a").info("2009-06-24 02:43:14,505 INFO _L1_:317 - SERVER[foo] USER[oozie] GROUP[oozie] TOKEN[-] " +
+ "APP[-] JOB[-] ACTION[-] <script>function({Some malicious JS code});</script>");
+ String out = doStreamLog(xf);
+ assertFalse(out.contains("<script>"));
+ }
+ finally {
+ Services.get().destroy();
+ }
+ }
+
 private boolean doStreamDisabledCheckWithServices() throws Exception {
 boolean result = false;
 try {
http://git-wip-us.apache.org/repos/asf/oozie/blob/f638381d/release-log.txt
----------------------------------------------------------------------
diff --git a/release-log.txt b/release-log.txt
index 5bb8fad..53bcd24 100644
--- a/release-log.txt
+++ b/release-log.txt
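Review bot: The new `testEscapingHtmlCharacters` never closes the resource stream `is` nor the `FileOutputStream` it hands to `log4jProps.store`, so the written properties file keeps an open handle until finalization; wrap both in try-with-resources, e.g. `try (OutputStream os = new FileOutputStream(log4jFile)) { log4jProps.store(os, ""); }`. The assertion `assertFalse(out.contains("<script>"))` is also satisfied when the logged line is absent from the output altogether (filtered out, not yet flushed, or not picked up by the appender), so it does not prove that escaping took place; pair it with `assertTrue(out.contains("&lt;script&gt;"));` so the test fails if the line silently disappears. Minor: `throws Exception{` is missing the space before the brace.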
@@ -1,5 +1,6 @@ -- Oozie 5.1.0 release (trunk - unreleased)
+OOZIE-3109 [log-streaming] Escape HTML-specific characters (dionusos via andras.piros)
 OOZIE-2956 Fix Findbugs warnings related to reliance on default encoding in oozie-core (Jan Hentschel, kmarton via andras.piros)
 OOZIE-3295 Flaky test TestSLACalculatorMemory#testAddMultipleRestartRemoveMultipleInstrumentedCorrectly (pbacsko via andras.piros)
 OOZIE-3289 TestJMSAccessorService#testConnectionRetry is still flaky (pbacsko via andras.piros)
