This is an automated email from the ASF dual-hosted git repository.

brahma pushed a commit to branch branch-2.7
in repository https://gitbox.apache.org/repos/asf/ambari.git


The following commit(s) were added to refs/heads/branch-2.7 by this push:
     new 3c8cc171c5 fix xss vulnerability. Contributed by Nikhil Daf 
<nikhil....@microsoft.com>.
3c8cc171c5 is described below

commit 3c8cc171c55ca1a4ee24badefc527e4cbafd7bf4
Author: Brahma Reddy Battula <bra...@apache.org>
AuthorDate: Sun Dec 17 23:00:51 2023 +0530

    fix xss vulnerability. Contributed by Nikhil Daf <nikhil....@microsoft.com>.
---
 .../internal/WidgetResourceProvider.java           | 27 +++++++++++++++++-----
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git 
a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/WidgetResourceProvider.java
 
b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/WidgetResourceProvider.java
index 93042e4da0..2aec279152 100644
--- 
a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/WidgetResourceProvider.java
+++ 
b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/WidgetResourceProvider.java
@@ -49,9 +49,15 @@ import 
org.apache.ambari.server.security.authorization.AuthorizationHelper;
 import org.apache.ambari.server.security.authorization.ResourceType;
 import org.apache.commons.lang.ObjectUtils;
 import org.apache.commons.lang.StringUtils;
+import org.apache.commons.text.StringEscapeUtils;
 import org.springframework.security.access.AccessDeniedException;
 
 import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+import com.google.gson.JsonSerializer;
+import com.google.gson.JsonElement;
+import com.google.gson.JsonSerializationContext;
+import com.google.gson.JsonPrimitive;
 import com.google.inject.Inject;
 
 /**
@@ -116,8 +122,17 @@ public class WidgetResourceProvider extends 
AbstractControllerResourceProvider {
   @Inject
   private static WidgetDAO widgetDAO;
 
-  @Inject
-  private static Gson gson;
+  private static Gson gson = new 
GsonBuilder().enableComplexMapKeySerialization().disableHtmlEscaping()
+          .serializeNulls().setPrettyPrinting().registerTypeAdapter(
+                  String.class,
+                  new JsonSerializer<String>(){
+                    @Override
+                    public JsonElement serialize(String src, 
java.lang.reflect.Type typeOfSrc, JsonSerializationContext context) {
+                      return new 
JsonPrimitive(StringEscapeUtils.escapeHtml4(src));
+                    }
+                  })
+          .create();
+
 
   /**
    * Create a new resource provider.
@@ -160,7 +175,7 @@ public class WidgetResourceProvider extends 
AbstractControllerResourceProvider {
             throw new AccessDeniedException("Only cluster operator can create 
widgets with cluster scope");
           }
 
-          
entity.setWidgetName(properties.get(WIDGET_WIDGET_NAME_PROPERTY_ID).toString());
+          
entity.setWidgetName(StringEscapeUtils.escapeHtml4(properties.get(WIDGET_WIDGET_NAME_PROPERTY_ID).toString()));
           
entity.setWidgetType(properties.get(WIDGET_WIDGET_TYPE_PROPERTY_ID).toString());
           
entity.setClusterId(getManagementController().getClusters().getCluster(clusterName).getClusterId());
           entity.setScope(scope);
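Review bot: `escapeHtml4` is applied to the incoming widget name before it is persisted, and no corresponding unescape appears anywhere in this commit, so the transformation is not idempotent: a client that reads a widget back and submits the same name through the update path (which applies `escapeHtml4` again in a later hunk) turns `&lt;` into `&amp;lt;` on every round trip. Encoding on write also ties the stored value to one output context, so API consumers that are not rendering HTML receive entity-encoded names. If the goal is to keep hostile markup out of the database, rejecting or restricting the name with a validation check and returning an error preserves the user's text while leaving HTML encoding to the layer that renders it. The same point applies to the description assignment in the next hunk and to the name and description assignments in the two update hunks further down; the enclosing create method begins and ends outside this hunk.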
@@ -172,7 +187,7 @@ public class WidgetResourceProvider extends 
AbstractControllerResourceProvider {
           entity.setAuthor(getAuthorName(properties));
 
           String description = 
(properties.containsKey(WIDGET_DESCRIPTION_PROPERTY_ID)) ?
-                  properties.get(WIDGET_DESCRIPTION_PROPERTY_ID).toString() : 
null;
+                  
StringEscapeUtils.escapeHtml4(properties.get(WIDGET_DESCRIPTION_PROPERTY_ID).toString())
 : null;
           entity.setDescription(description);
 
           String values = (properties.containsKey(WIDGET_VALUES_PROPERTY_ID)) ?
@@ -290,7 +305,7 @@ public class WidgetResourceProvider extends 
AbstractControllerResourceProvider {
           }
 
           if 
(StringUtils.isNotBlank(ObjectUtils.toString(propertyMap.get(WIDGET_WIDGET_NAME_PROPERTY_ID))))
 {
-            
entity.setWidgetName(propertyMap.get(WIDGET_WIDGET_NAME_PROPERTY_ID).toString());
+            
entity.setWidgetName(StringEscapeUtils.escapeHtml4(propertyMap.get(WIDGET_WIDGET_NAME_PROPERTY_ID).toString()));
           }
 
           if 
(StringUtils.isNotBlank(ObjectUtils.toString(propertyMap.get(WIDGET_WIDGET_TYPE_PROPERTY_ID))))
 {
@@ -304,7 +319,7 @@ public class WidgetResourceProvider extends 
AbstractControllerResourceProvider {
           entity.setAuthor(getAuthorName(propertyMap));
 
           if 
(StringUtils.isNotBlank(ObjectUtils.toString(propertyMap.get(WIDGET_DESCRIPTION_PROPERTY_ID))))
 {
-            
entity.setDescription(propertyMap.get(WIDGET_DESCRIPTION_PROPERTY_ID).toString());
+            
entity.setDescription(StringEscapeUtils.escapeHtml4(propertyMap.get(WIDGET_DESCRIPTION_PROPERTY_ID).toString()));
           }
 
           if 
(StringUtils.isNotBlank(ObjectUtils.toString(propertyMap.get(WIDGET_SCOPE_PROPERTY_ID))))
 {

