This is an automated email from the ASF dual-hosted git repository.

moon pushed a commit to branch branch-0.8
in repository https://gitbox.apache.org/repos/asf/zeppelin.git


The following commit(s) were added to refs/heads/branch-0.8 by this push:
     new c8eabde  ZEPPELIN-4335 Deleting a Notebook is vulnerable to XSS attack
c8eabde is described below

commit c8eabde13f226fd0647c623e6eb67170768d02d1
Author: Akhil Subhash Naik <asn...@hortonworks.com>
AuthorDate: Thu Sep 19 11:25:40 2019 +0530

    ZEPPELIN-4335 Deleting a Notebook is vulnerable to XSS attack
    
    ### What is this PR for?
    Fix of : ZEPPELIN-4335 Deleting a Notebook is vulnerable to XSS attack
    
    Issue reproduction steps :
    
    1) create a notebook
    2) give the permission to notebook as : <script>alert('hi')</script> (press space after writing this, not enter key)
    3) after this, try to delete the notebook; the BootstrapDialog that pops up stating insufficient privileges is vulnerable to XSS attack
    
    ### What type of PR is it?
    BUG FIX ZEPPELIN-4335
    
    ### What is the Jira issue?
    https://issues.apache.org/jira/browse/ZEPPELIN-4335
    
    ### How should this be tested?
    
    Test as per reproduction steps :
    1) create a notebook
    2) give the permission to notebook as : <script>alert('hi')</script> (press space after writing this, not enter key)
    3) after this, try to delete the notebook; the BootstrapDialog that pops up stating insufficient privileges is vulnerable to XSS attack
    
    ### Questions:
    * Do the license files need updating? No
    * Are there breaking changes for older versions? No
    * Does this need documentation? No
    
    Author: Akhil Subhash Naik <asn...@hortonworks.com>
    
    Closes #3452 from Akhilsnaik/ZEPPELIN-4335 and squashes the following commits:
    
    95212d846 [Akhil Subhash Naik] ZEPPELIN-4335 Deleting a Notebook is vulnerable to XSS attack (asnaik)
    
    (cherry picked from commit f9e2ff8ff8316e973957041b0f213ce7651cab1c)
    Signed-off-by: Lee moon soo <m...@apache.org>
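An added illustration of the change this commit makes; this is not Zeppelin's code and not part of the commit. The fix passes the server-supplied `data.info` string through lodash's `_.escape` before the dialog renders it as HTML. The `escapeHtml` function below is a stand-in that reproduces `_.escape`'s documented behaviour (it rewrites the five characters `&`, `<`, `>`, `"` and `'` as HTML entities) so the example runs without lodash; `dialogOptionsBefore`, `dialogOptionsAfter`, `hasHtmlTag` and the sample `data` object are constructed for this example and are not Zeppelin identifiers.

```javascript
// Stand-in for lodash's _.escape: same five characters, same entities.
// (Assumption: this mirrors lodash; it is not the lodash implementation.)
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Crude check for markup that a dialog rendering the string as HTML would
// interpret: any '<' immediately followed by a tag-name character or '/'.
function hasHtmlTag(text) {
  return /<[A-Za-z/!]/.test(text);
}

// Dialog options as built before the patch: the server-provided text goes
// straight into an HTML-rendered message. (Constructed to match the hunk's
// shape; 'buttons' is omitted because it is irrelevant to the escaping.)
function dialogOptionsBefore(data) {
  return {
    closeByBackdrop: false,
    closeByKeyboard: false,
    title: 'Insufficient privileges',
    message: data.info.toString(),
  };
}

// Dialog options as built after the patch: escape once, at the point where
// untrusted text crosses into an HTML context.
function dialogOptionsAfter(data) {
  return {
    closeByBackdrop: false,
    closeByKeyboard: false,
    title: 'Insufficient privileges',
    message: escapeHtml(data.info.toString()),
  };
}

// Constructed sample websocket payload: the privilege message echoes a
// notebook permission entry that was set to the reproduction string.
const SAMPLE_DATA = {
  info: "Insufficient privileges, only owners can delete: <script>alert('hi')</script>",
};

// Stand-alone run: show both message strings side by side.
console.log('before:', dialogOptionsBefore(SAMPLE_DATA).message);
console.log('after: ', dialogOptionsAfter(SAMPLE_DATA).message);
```

Escaping is not idempotent (`&` becomes `&amp;`, and a second pass would yield `&amp;amp;`), so it belongs at exactly one place: the boundary where a string is handed to something that parses HTML, as the patch does, rather than on the server or in a shared formatting helper that might be escaped again downstream.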
---
 zeppelin-web/src/components/websocket/websocket-event.factory.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/zeppelin-web/src/components/websocket/websocket-event.factory.js 
b/zeppelin-web/src/components/websocket/websocket-event.factory.js
index 8698fdf..dd4f17b 100644
--- a/zeppelin-web/src/components/websocket/websocket-event.factory.js
+++ b/zeppelin-web/src/components/websocket/websocket-event.factory.js
@@ -105,7 +105,7 @@ function WebsocketEventFactory($rootScope, $websocket, 
$location, baseUrlSrv, ng
         closeByBackdrop: false,
         closeByKeyboard: false,
         title: 'Insufficient privileges',
-        message: data.info.toString(),
+        message: _.escape(data.info.toString()),
         buttons: btn,
       });
     } else if (op === 'PARAGRAPH') {
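Review bot: the change at `message: _.escape(data.info.toString())` is the right boundary for escaping only because this dialog renders `message` as HTML (which the reproduction steps confirm), but the hunk does not show where `_` comes from, so please confirm lodash is in scope for this factory; an unresolved `_` here would turn the insufficient-privileges dialog into a runtime error on exactly the path the fix is meant to protect. It is also worth checking whether other `BootstrapDialog` calls in this file pass server-provided strings such as `data.info` into `message` without the same escaping, and adding a unit test built on the PR's reproduction string so the regression cannot reappear silently.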
