[SPARK-20393][WEBU UI][BACKPORT-2.0] Strengthen Spark to prevent XSS vulnerabilities #19538
Conversation
Add stripXSS and stripXSSMap to Spark Core's UIUtils. Calling these functions at any point that getParameter is called against a HttpServletRequest. Unit tests, IBM Security AppScan Standard no longer showing vulnerabilities, manual verification of WebUI pages. Author: NICHOLAS T. MARION <nmarion@us.ibm.com> Closes apache#17686 from n-marion/xss-fix.
|
Test build #3954 has finished for PR 19538 at commit
|
|
Test build #3959 has finished for PR 19538 at commit
|
|
ignore SparkR test failure for now, we are looking into it. |
|
could you update the PR title to say you mention there is a discussion, could you link them here. are you looking for an official release for 1.6.x? |
|
link to 1.6 PR #19528 |
ambauma
changed the title
|
I'm not looking for an official release. My goal is to get the fix into the official branch 1.6 to reduce the number of forks necessary and so that if CVE-2018-XXXX comes and I've moved on my replacement doesn't have to apply this plus that. |
| * Return the correct Href after checking if master is running in the | ||
| * reverse proxy mode or not. | ||
| */ | ||
| def makeHref(proxy: Boolean, id: String, origHref: String): String = { |
There was a problem hiding this comment.
I think this method came with the original patch. I don't see anything calling it. I will remove it.
|
Jenkins, retest this please |
|
Test build #82989 has finished for PR 19538 at commit
|
|
retest this please |
|
ok to test |
|
Test build #93054 has finished for PR 19538 at commit
|
|
@ambauma Unfortunately, it seems to be too old and the PR on 1.6 also is closed. Can we close this, too?
|
|
No argument.
…On Thu, Sep 13, 2018, 12:25 PM Dongjoon Hyun ***@***.***> wrote:
@ambauma <https://github.com/ambauma> Unfortunately, it seems to be too
old and the PR on 1.6 also is closed. Can we close this, too?
My goal is to get the fix into the official branch 1.6 to reduce the
number of forks necessary and so that if CVE-2018-XXXX comes and I've moved
on my replacement doesn't have to apply this plus that.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#19538 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AL2KaybesYvjeXb-sJC-PvdFttBTQ671ks5uapUHgaJpZM4P_n6c>
.
|
|
@ambauma could you close it? we can't, directly |
What changes were proposed in this pull request?
This is the fix for the master branch applied to the 2.0 branch. My (unnamed) company will be using Spark 1.6 probably for another year. We have been blocked from having Spark 1.6 on our workstations until CVE-2017-7678 is patched, which SPARK-20393 does. I was told I need to patch branch 2.0 before branch 1.6 could be patched.
How was this patch tested?
The patch came with unit tests. The test build passed. Manual testing on one of the effected screens showed the newline character removed. Screen display was the same regardless (html ignores newline characters).
