This is an automated email from the ASF dual-hosted git repository. brahma pushed a commit to branch branch-2.7 in repository https://gitbox.apache.org/repos/asf/ambari.git
The following commit(s) were added to refs/heads/branch-2.7 by this push: new 3c8cc171c5 fix xss vulnerability. Contributed by Nikhil Daf <nikhil....@microsoft.com>. 3c8cc171c5 is described below commit 3c8cc171c55ca1a4ee24badefc527e4cbafd7bf4 Author: Brahma Reddy Battula <bra...@apache.org> AuthorDate: Sun Dec 17 23:00:51 2023 +0530 fix xss vulnerability. Contributed by Nikhil Daf <nikhil....@microsoft.com>. --- .../internal/WidgetResourceProvider.java | 27 +++++++++++++++++----- 1 file changed, 21 insertions(+), 6 deletions(-) diff --git a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/WidgetResourceProvider.java b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/WidgetResourceProvider.java index 93042e4da0..2aec279152 100644 --- a/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/WidgetResourceProvider.java +++ b/ambari-server/src/main/java/org/apache/ambari/server/controller/internal/WidgetResourceProvider.java @@ -49,9 +49,15 @@ import org.apache.ambari.server.security.authorization.AuthorizationHelper; import org.apache.ambari.server.security.authorization.ResourceType; import org.apache.commons.lang.ObjectUtils; import org.apache.commons.lang.StringUtils; +import org.apache.commons.text.StringEscapeUtils; import org.springframework.security.access.AccessDeniedException; import com.google.gson.Gson; +import com.google.gson.GsonBuilder; +import com.google.gson.JsonSerializer; +import com.google.gson.JsonElement; +import com.google.gson.JsonSerializationContext; +import com.google.gson.JsonPrimitive; import com.google.inject.Inject; /** 
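Review bot: `StringEscapeUtils` is imported from `org.apache.commons.text` while every other Apache Commons import in this file (`StringUtils`, `ObjectUtils`) comes from `org.apache.commons.lang`, and the diff does not touch `ambari-server/pom.xml`; confirm commons-text is a declared dependency of ambari-server rather than one that only arrives transitively, or the build depends on an accident of the dependency tree. commons-lang 2 ships its own `org.apache.commons.lang.StringEscapeUtils.escapeHtml`, which would avoid a new dependency, but the commons-text variant is the maintained one, so adding it explicitly to the pom is the better choice if it is not already there. The five new Gson imports are consumed only by the anonymous `JsonSerializer<String>` registered further down.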
@@ -116,8 +122,17 @@ public class WidgetResourceProvider extends AbstractControllerResourceProvider { @Inject private static WidgetDAO widgetDAO; - @Inject - private static Gson gson; + private static Gson gson = new GsonBuilder().enableComplexMapKeySerialization().disableHtmlEscaping() + .serializeNulls().setPrettyPrinting().registerTypeAdapter( + String.class, + new JsonSerializer<String>(){ + @Override + public JsonElement serialize(String src, java.lang.reflect.Type typeOfSrc, JsonSerializationContext context) { + return new JsonPrimitive(StringEscapeUtils.escapeHtml4(src)); + } + }) + .create(); + /** * Create a new resource provider. @@ -160,7 +175,7 @@ public class WidgetResourceProvider extends AbstractControllerResourceProvider { throw new AccessDeniedException("Only cluster operator can create widgets with cluster scope"); } - entity.setWidgetName(properties.get(WIDGET_WIDGET_NAME_PROPERTY_ID).toString()); + entity.setWidgetName(StringEscapeUtils.escapeHtml4(properties.get(WIDGET_WIDGET_NAME_PROPERTY_ID).toString())); entity.setWidgetType(properties.get(WIDGET_WIDGET_TYPE_PROPERTY_ID).toString()); entity.setClusterId(getManagementController().getClusters().getCluster(clusterName).getClusterId()); entity.setScope(scope); @@ -172,7 +187,7 @@ public class WidgetResourceProvider extends AbstractControllerResourceProvider { entity.setAuthor(getAuthorName(properties)); String description = (properties.containsKey(WIDGET_DESCRIPTION_PROPERTY_ID)) ? - properties.get(WIDGET_DESCRIPTION_PROPERTY_ID).toString() : null; + StringEscapeUtils.escapeHtml4(properties.get(WIDGET_DESCRIPTION_PROPERTY_ID).toString()) : null; entity.setDescription(description); String values = (properties.containsKey(WIDGET_VALUES_PROPERTY_ID)) ? 
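Review bot: `escapeHtml4` in the registered `JsonSerializer<String>` does not encode the single quote (commons-text deliberately omits `&apos;`), so a widget string rendered inside a single-quoted HTML attribute is still injectable; if encoding stays here, use `StringEscapeUtils.escapeHtml4(src).replace("'", "&#39;")` or an attribute-aware encoder. Note what the combination does: `disableHtmlEscaping()` switches off Gson's own `\uXXXX` escaping of `<`, `>`, `&`, `=` and `'`, and the adapter then replaces it with HTML entities on every `String` this instance serializes — presumably the widget values/properties JSON this provider persists — so `"` becomes `&quot;` at rest, non-HTML consumers of that JSON see entities, and a read-then-write round trip double-encodes; the conventional fix is to store raw and encode in the view (ambari-web). The field also stops being `@Inject`ed, so whatever the Guice-bound `Gson` was configured with is replaced by the four builder options hard-coded here; the binding is not in this diff, so confirm they match. Minor: make it `private static final Gson gson`, and if the module targets Java 8 or later the adapter can be the lambda `(src, type, ctx) -> new JsonPrimitive(...)`.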
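Review bot: `widgetType`, set on the line immediately after the escaped `widgetName` from the same request map (`entity.setWidgetType(properties.get(WIDGET_WIDGET_TYPE_PROPERTY_ID).toString())`), is stored unescaped; if the UI renders it, it is the same sink class as the name. If the type is validated against a fixed set earlier in the method (the method starts before this hunk, so I cannot see), a one-line comment such as `// widgetType is whitelisted above; no encoding needed` would spare the next reader the question, otherwise it needs a whitelist check or the same encoding. `properties.get(WIDGET_WIDGET_NAME_PROPERTY_ID).toString()` still throws `NullPointerException` when the name is absent — that predates the change, but wrapping it in the null-safe `escapeHtml4` invites the assumption that it is handled.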
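Review bot: the rewritten ternary still dereferences the map value before escaping — `properties.get(WIDGET_DESCRIPTION_PROPERTY_ID).toString()` throws `NullPointerException` when the key is present with a null value, which the `containsKey` guard does not exclude. `escapeHtml4` is null-safe, so `StringEscapeUtils.escapeHtml4(ObjectUtils.toString(properties.get(WIDGET_DESCRIPTION_PROPERTY_ID), null))` (commons-lang `ObjectUtils` is already imported) makes the guard and the conversion agree and lets a null description stay null. The widget-values line at the end of the hunk uses the same `containsKey` pattern and would benefit from the same treatment; the enclosing method continues past the hunk.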
@@ -290,7 +305,7 @@ public class WidgetResourceProvider extends AbstractControllerResourceProvider { } if (StringUtils.isNotBlank(ObjectUtils.toString(propertyMap.get(WIDGET_WIDGET_NAME_PROPERTY_ID)))) { - entity.setWidgetName(propertyMap.get(WIDGET_WIDGET_NAME_PROPERTY_ID).toString()); + entity.setWidgetName(StringEscapeUtils.escapeHtml4(propertyMap.get(WIDGET_WIDGET_NAME_PROPERTY_ID).toString())); } if (StringUtils.isNotBlank(ObjectUtils.toString(propertyMap.get(WIDGET_WIDGET_TYPE_PROPERTY_ID)))) { @@ -304,7 +319,7 @@ public class WidgetResourceProvider extends AbstractControllerResourceProvider { entity.setAuthor(getAuthorName(propertyMap)); if (StringUtils.isNotBlank(ObjectUtils.toString(propertyMap.get(WIDGET_DESCRIPTION_PROPERTY_ID)))) { - entity.setDescription(propertyMap.get(WIDGET_DESCRIPTION_PROPERTY_ID).toString()); + entity.setDescription(StringEscapeUtils.escapeHtml4(propertyMap.get(WIDGET_DESCRIPTION_PROPERTY_ID).toString())); } if (StringUtils.isNotBlank(ObjectUtils.toString(propertyMap.get(WIDGET_SCOPE_PROPERTY_ID)))) { --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@ambari.apache.org For additional commands, e-mail: commits-h...@ambari.apache.org
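Review bot: the update path encodes whatever it receives, so a client that reads a widget — whose name is now returned already encoded (`&` as `&amp;`, `<` as `&lt;`) — and PUTs it back unchanged stores `&amp;amp;`; the encoding is not idempotent and every edit round trip grows the string. Either normalize before encoding, `StringEscapeUtils.escapeHtml4(StringEscapeUtils.unescapeHtml4(raw))`, accepting that a literal `&amp;` typed by a user collapses, or keep the stored value raw and move the encoding to the response/view layer. The enclosing update method starts and ends outside the hunk.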
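Review bot: widgets persisted before this change keep their raw name and description and are only re-encoded when a client happens to PUT those two fields again, so the table presumably ends up holding a mix of encoded and unencoded strings that readers cannot distinguish; existing rows need either a one-off migration or, preferably, encoding at render time. At minimum, record the contract next to `entity.setDescription(...)` with a comment such as `// stored HTML-encoded at write time; readers must not encode again`, otherwise a later output-encoding fix in the UI will double-encode these fields.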