[SPARK-20393][WEB UI][BACKPORT-2.0] Strengthen Spark to prevent XSS vulnerabilities #19538
Conversation
Add stripXSS and stripXSSMap to Spark Core's UIUtils. Calling these functions at any point that getParameter is called against a HttpServletRequest. Unit tests, IBM Security AppScan Standard no longer showing vulnerabilities, manual verification of WebUI pages. Author: NICHOLAS T. MARION <nmarion@us.ibm.com> Closes apache#17686 from n-marion/xss-fix.
Test build #3954 has finished for PR 19538 at commit
Test build #3959 has finished for PR 19538 at commit
ignore SparkR test failure for now, we are looking into it.
could you update the PR title to say you mention there is a discussion, could you link them here. are you looking for an official release for 1.6.x?
link to 1.6 PR #19528
I'm not looking for an official release. My goal is to get the fix into the official branch 1.6 to reduce the number of forks necessary and so that if CVE-2018-XXXX comes and I've moved on my replacement doesn't have to apply this plus that.
```scala
 * Return the correct Href after checking if master is running in the
 * reverse proxy mode or not.
 */
def makeHref(proxy: Boolean, id: String, origHref: String): String = {
```
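Review bot: makeHref arrives in this backport with no call site, and its doc comment describes reverse-proxy link handling rather than the request-parameter sanitization this PR is about; drop it from a security-only backport, or point at the 2.0-branch caller that needs it.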
this is not in the 2.0 PR?
I think this method came with the original patch. I don't see anything calling it. I will remove it.
Jenkins, retest this please
Test build #82989 has finished for PR 19538 at commit
retest this please
ok to test
Test build #93054 has finished for PR 19538 at commit
@ambauma Unfortunately, it seems to be too old and the PR on 1.6 also is closed. Can we close this, too?
No argument.
> On Thu, Sep 13, 2018, 12:25 PM Dongjoon Hyun wrote:
> @ambauma Unfortunately, it seems to be too old and the PR on 1.6 also is closed. Can we close this, too?
@ambauma could you close it? we can't, directly
What changes were proposed in this pull request?
This is the fix for the master branch applied to the 2.0 branch. My (unnamed) company will be using Spark 1.6 probably for another year. We have been blocked from having Spark 1.6 on our workstations until CVE-2017-7678 is patched, which SPARK-20393 does. I was told I need to patch branch 2.0 before branch 1.6 could be patched.
How was this patch tested?
The patch came with unit tests. The test build passed. Manual testing on one of the affected screens showed the newline character removed. Screen display was the same regardless (HTML ignores newline characters).
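As an added illustration of the mechanism the commit message and description refer to (a sanitizer applied wherever a request parameter is read, with newlines removed), this is not Spark's own UIUtils code; the object name, the regex and the sample inputs are assumptions.

```scala
import java.util.regex.Pattern
import scala.collection.JavaConverters._

// Illustration only (not Spark's UIUtils): stripXSS / stripXSSMap wrapping
// every HttpServletRequest.getParameter / getParameterMap read.
object ParamSanitizer {
  // Raw and percent-encoded CR/LF plus single quotes (assumed character set).
  // Newlines are what the PR description reports seeing removed in manual testing.
  private val Unwanted: Pattern =
    Pattern.compile("(?i)(\\r\\n|\\n|\\r|%0D%0A|%0A|%0D|'|%27)")

  // Drop-in for a raw getParameter value; null stays null so callers keep
  // their existing "parameter absent" checks.
  def stripXSS(value: String): String =
    if (value == null) null else Unwanted.matcher(value).replaceAll("")

  // Same treatment for getParameterMap: keys and every value are sanitized.
  def stripXSSMap(params: java.util.Map[String, Array[String]]): Map[String, Array[String]] =
    params.asScala.map { case (k, vs) => stripXSS(k) -> vs.map(stripXSS) }.toMap

  // Stripping a handful of characters is a blacklist; escaping at the render
  // site stays the complementary control, and is what makes the stripped and
  // unstripped values display identically as the description notes.
  def htmlEscape(s: String): String = s.flatMap {
    case '<'  => "&lt;"
    case '>'  => "&gt;"
    case '&'  => "&amp;"
    case '"'  => "&quot;"
    case '\'' => "&#39;"
    case c    => c.toString
  }

  def main(args: Array[String]): Unit = {
    // Constructed sample: a query value carrying raw and encoded line breaks.
    val raw = "stage%0A1\r\nid='7'"
    val cleaned = stripXSS(raw)
    assert(cleaned == "stage1id=7")
    println(s"raw: $raw -> stripped: $cleaned -> rendered: ${htmlEscape(cleaned)}")

    val jmap = new java.util.HashMap[String, Array[String]]()
    jmap.put("name\n", Array("a%0Db", null))
    val m = stripXSSMap(jmap)
    assert(m.keySet == Set("name") && m("name").toSeq == Seq("ab", null))
  }
}
```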