GitHub user n-marion opened a pull request:
https://github.com/apache/spark/pull/17686
[SPARK-20393][Web UI] Strengthen Spark to prevent XSS vulnerabilities
## What changes were proposed in this pull request?
Add stripXSS and stripXSSMap to Spark Core's UIUtils. These functions are
called at any point where getParameter is called against an HttpServletRequest.
## How was this patch tested?
Unit tests, IBM Security AppScan Standard no longer showing
vulnerabilities, manual verification of WebUI pages.
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/n-marion/spark xss-fix
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/spark/pull/17686.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #17686
----
commit 6bdc629380f9e0b65700b5ebe47e35e257f6ddae
Author: NICHOLAS T. MARION <[email protected]>
Date: 2017-04-10T15:14:09Z
UIUtils.stripXSS added for each page calling request.getParameter.
commit c812f2ecfb6d9c22362e72914a1f454aaf49d2ba
Author: NICHOLAS T. MARION <[email protected]>
Date: 2017-04-10T15:52:38Z
Perform stripXSS on creation of allParameters mapping
commit 06a67914d72618c5f3a0bc70e7576863c9872a0c
Author: NICHOLAS T. MARION <[email protected]>
Date: 2017-04-11T20:39:01Z
getParameterMap returns Array[String], created new function to handle
----
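An added example, not code from the pull request or from Spark itself: a Python sketch of the approach the PR describes, with one encoder for a single request parameter and a map variant matching the Map[String, Array[String]] shape that getParameterMap returns. The names strip_xss, strip_xss_map and render_header, the line-break handling and the sample request are assumptions; Spark's actual implementation may differ.

```python
import html
import re
from typing import Dict, List, Optional

# Raw and URL-encoded line breaks, which would let a reflected value inject a
# line into a header or log in addition to the HTML context (assumed list).
_LINE_BREAKS = re.compile(r"(?i)(\r\n|\n|\r|%0d%0a|%0a|%0d)")


def strip_xss(value: Optional[str]) -> Optional[str]:
    """Neutralise one request parameter before it is reflected into HTML.

    Line breaks are removed, then every HTML metacharacter (including both
    quote styles) is entity-encoded, so the value can only render as text.
    """
    if value is None:
        return None
    return html.escape(_LINE_BREAKS.sub("", value), quote=True)


def strip_xss_map(params: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Apply strip_xss to every value of a getParameterMap-style mapping.

    Servlet containers return Map[String, Array[String]] because a query may
    repeat a key (?id=1&id=2), so each element of each list is cleaned; keys
    are cleaned too, since a page may echo them back as well.
    """
    return {strip_xss(k): [strip_xss(v) for v in vs] for k, vs in params.items()}


def render_header(params: Dict[str, List[str]]) -> str:
    """Build the fragment of a page that reflects the 'id' parameter."""
    clean = strip_xss_map(params)
    ids = clean.get("id", ["(none)"])
    return "<h3>Details for id " + ", ".join(ids) + "</h3>"


# Constructed sample request: the kind of probe a web scanner sends to find
# reflected XSS, with a repeated key and an encoded line break.
SAMPLE_PARAMS = {
    "id": ['7"><script>alert(1)</script>', "8"],
    "sort": ["name\r\nX-Injected: 1"],
}

if __name__ == "__main__":
    print(render_header(SAMPLE_PARAMS))
```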