[HOTFIX] Escape HeliumPackage information (#4728)
(cherry picked from commit 8368579)
jongyoul committed Mar 17, 2024
1 parent 8058385 commit ca178c1
Showing 9 changed files with 74 additions and 21 deletions.
Expand Up @@ -17,10 +17,16 @@
package org.apache.zeppelin.helium;

import com.google.gson.Gson;
import org.apache.commons.text.StringEscapeUtils;
import org.apache.zeppelin.annotation.Experimental;
import org.apache.zeppelin.common.JsonSerializable;

import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

import static org.apache.commons.text.StringEscapeUtils.escapeHtml4;

/**
* Helium package definition
Expand All @@ -47,7 +53,7 @@ public class HeliumPackage implements JsonSerializable {
private SpellPackageInfo spell;
private Map<String, Object> config;

public HeliumPackage(HeliumType type,
private HeliumPackage(HeliumType type,
String name,
String description,
String artifact,
Expand Down Expand Up @@ -140,6 +146,41 @@ public String toJson() {
}

public static HeliumPackage fromJson(String json) {
return gson.fromJson(json, HeliumPackage.class);
return preventXss(gson.fromJson(json, HeliumPackage.class));
}

// This is only for test
public static HeliumPackage newHeliumPackage(HeliumType type,
String name,
String description,
String artifact,
String className,
String[][] resources,
String license,
String icon) {
return preventXss(new HeliumPackage(
type, name, description, artifact, className, resources, license, icon));
}

private static HeliumPackage preventXss(HeliumPackage heliumPackage) {
heliumPackage.name = escapeHtml4(heliumPackage.name);
heliumPackage.description = escapeHtml4(heliumPackage.description);
heliumPackage.artifact = escapeHtml4(heliumPackage.artifact);
heliumPackage.className = escapeHtml4(heliumPackage.className);
heliumPackage.resources =
Optional.ofNullable(heliumPackage.getResources()).map(r -> Arrays.stream(r)
.map(resource -> Arrays.stream(resource).map(StringEscapeUtils::escapeHtml4)
.toArray(String[]::new))
.toArray(String[][]::new)).orElse(null);
heliumPackage.license = escapeHtml4(heliumPackage.license);
heliumPackage.published = escapeHtml4(heliumPackage.published);
heliumPackage.groupId = escapeHtml4(heliumPackage.groupId);
heliumPackage.artifactId = escapeHtml4(heliumPackage.artifactId);
heliumPackage.spell = Optional.ofNullable(heliumPackage.getSpellInfo())
.map(spellPackageInfo -> new SpellPackageInfo(
escapeHtml4(spellPackageInfo.getMagic()),
escapeHtml4(spellPackageInfo.getUsage())))
.orElse(null);
return heliumPackage;
}
}
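Review bot: `preventXss` stores HTML-encoded text in the model fields themselves, and that encoding is not idempotent: commons-text `escapeHtml4` turns `&` into `&amp;`, so any path that writes a package with the existing `toJson()` and later reads it back through the new `fromJson` presumably escapes it a second time, and the escaped `artifact`/`className` values are also what non-HTML consumers (class loading, artifact resolution) now see. Encoding at the rendering boundary is the usual shape for this; if the in-model approach is intended, the method should carry a Javadoc stating the contract, e.g. `/** HTML-escapes every string field in place; not idempotent, so it must run exactly once per instance (fromJson and newHeliumPackage are the only callers). */`. `icon` and `config` are deliberately or accidentally left unescaped — if `icon` is rendered as markup that is fine, but a one-line comment saying so would stop the next reader from "fixing" it. The `// This is only for test` factory `newHeliumPackage` is public and reachable from production code, so the restriction belongs in its Javadoc rather than a line comment, or its visibility should be narrowed.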
Expand Up @@ -24,6 +24,11 @@ public class SpellPackageInfo {
private String magic;
private String usage;

public SpellPackageInfo(String magic, String usage) {
this.magic = magic;
this.usage = usage;
}

public String getMagic() {
return magic;
}
Expand Up @@ -25,6 +25,7 @@
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

import static org.apache.zeppelin.helium.HeliumPackage.newHeliumPackage;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;
Expand Down Expand Up @@ -74,7 +75,7 @@ void loadUnloadApplication() throws Exception {
}

public HeliumPackage createPackageInfo(String className, String artifact) {
HeliumPackage app1 = new HeliumPackage(
HeliumPackage app1 = newHeliumPackage(
HeliumType.APPLICATION,
"name1",
"desc1",
Expand Up @@ -17,6 +17,7 @@

package org.apache.zeppelin.helium;

import static org.apache.commons.text.StringEscapeUtils.escapeHtml4;
import static org.junit.jupiter.api.Assertions.assertEquals;

import java.util.Map;
Expand All @@ -42,7 +43,7 @@ void parseSpellPackageInfo() {

HeliumPackage p = HeliumPackage.fromJson(examplePackage);
assertEquals("%echo", p.getSpellInfo().getMagic());
assertEquals("%echo <TEXT>", p.getSpellInfo().getUsage());
assertEquals(escapeHtml4("%echo <TEXT>"), p.getSpellInfo().getUsage());
}

@Test
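Review bot: The updated assertion in `parseSpellPackageInfo` computes the expected value with `escapeHtml4("%echo <TEXT>")`, the same function the code under test applies, so it passes regardless of what that function produces and does not tell a reader what is actually stored. Pinning the literal is stronger: `assertEquals("%echo &lt;TEXT&gt;", p.getSpellInfo().getUsage());`. Nothing in the diff covers `name`, `description`, `resources` or a `fromJson(toJson(...))` round trip, which is where double escaping would show up. The enclosing test method starts before this hunk.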
Expand Up @@ -36,6 +36,7 @@
import java.util.Map;
import java.util.Set;

import static org.apache.zeppelin.helium.HeliumPackage.newHeliumPackage;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertTrue;
Expand Down Expand Up @@ -64,7 +65,7 @@ void setUp() throws IOException {
HeliumTestRegistry registry = new HeliumTestRegistry("r1", "r1");
helium.clear();

registry.add(new HeliumPackage(
registry.add(newHeliumPackage(
HeliumType.APPLICATION,
"name1",
"desc1",
Expand All @@ -74,7 +75,7 @@ void setUp() throws IOException {
"",
""));

registry.add(new HeliumPackage(
registry.add(newHeliumPackage(
HeliumType.APPLICATION,
"name2",
"desc2",
Expand Up @@ -16,6 +16,7 @@
*/
package org.apache.zeppelin.helium;

import static org.apache.zeppelin.helium.HeliumPackage.newHeliumPackage;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.fail;
import static org.mockito.Mockito.mock;
Expand Down Expand Up @@ -90,7 +91,7 @@ public void tearDown() throws Exception {
public void testLoadRunUnloadApplication()
throws IOException, ApplicationException, InterruptedException {
// given
HeliumPackage pkg1 = new HeliumPackage(HeliumType.APPLICATION,
HeliumPackage pkg1 = newHeliumPackage(HeliumType.APPLICATION,
"name1",
"desc1",
"",
Expand Down Expand Up @@ -139,7 +140,7 @@ public void testLoadRunUnloadApplication()
@Disabled
public void testUnloadOnParagraphRemove() throws IOException {
// given
HeliumPackage pkg1 = new HeliumPackage(HeliumType.APPLICATION,
HeliumPackage pkg1 = newHeliumPackage(HeliumType.APPLICATION,
"name1",
"desc1",
"",
Expand Down Expand Up @@ -182,7 +183,7 @@ public void testUnloadOnParagraphRemove() throws IOException {
@Disabled
public void testUnloadOnInterpreterUnbind() throws IOException {
// given
HeliumPackage pkg1 = new HeliumPackage(HeliumType.APPLICATION,
HeliumPackage pkg1 = newHeliumPackage(HeliumType.APPLICATION,
"name1",
"desc1",
"",
Expand Down Expand Up @@ -249,7 +250,7 @@ public void testInterpreterUnbindOfNullReplParagraph() throws IOException {
@Disabled
public void testUnloadOnInterpreterRestart() throws IOException, InterpreterException {
// given
HeliumPackage pkg1 = new HeliumPackage(HeliumType.APPLICATION,
HeliumPackage pkg1 = newHeliumPackage(HeliumType.APPLICATION,
"name1",
"desc1",
"",
Expand Up @@ -17,6 +17,7 @@
package org.apache.zeppelin.helium;

import static org.apache.zeppelin.helium.HeliumBundleFactory.HELIUM_LOCAL_REPO;
import static org.apache.zeppelin.helium.HeliumPackage.newHeliumPackage;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotSame;
import static org.junit.jupiter.api.Assertions.assertNull;
Expand Down Expand Up @@ -72,7 +73,7 @@ public void testInstallNpm() throws InstallationException {
@Test
public void downloadPackage() throws TaskRunnerException {
HeliumPackage pkg =
new HeliumPackage(
newHeliumPackage(
HeliumType.VISUALIZATION,
"lodash",
"lodash",
Expand All @@ -89,7 +90,7 @@ public void downloadPackage() throws TaskRunnerException {
@Test
public void bundlePackage() throws IOException, TaskRunnerException {
HeliumPackage pkg =
new HeliumPackage(
newHeliumPackage(
HeliumType.VISUALIZATION,
"zeppelin-bubblechart",
"zeppelin-bubblechart",
Expand All @@ -114,7 +115,7 @@ public void bundleLocalPackage() throws IOException, TaskRunnerException {
String localPkg = resDir + "/../../../src/test/resources/helium/vis1";

HeliumPackage pkg =
new HeliumPackage(
newHeliumPackage(
HeliumType.VISUALIZATION,
"vis1",
"vis1",
Expand All @@ -135,7 +136,7 @@ public void bundleErrorPropagation() throws IOException, TaskRunnerException {
String localPkg = resDir + "/../../../src/test/resources/helium/vis2";

HeliumPackage pkg =
new HeliumPackage(
newHeliumPackage(
HeliumType.VISUALIZATION,
"vis2",
"vis2",
Expand All @@ -161,7 +162,7 @@ public void switchVersion() throws IOException, TaskRunnerException {
String resDir = new File(res.getFile()).getParent();

HeliumPackage pkgV1 =
new HeliumPackage(
newHeliumPackage(
HeliumType.VISUALIZATION,
"zeppelin-bubblechart",
"zeppelin-bubblechart",
Expand All @@ -172,7 +173,7 @@ public void switchVersion() throws IOException, TaskRunnerException {
"icon");

HeliumPackage pkgV2 =
new HeliumPackage(
newHeliumPackage(
HeliumType.VISUALIZATION,
"zeppelin-bubblechart",
"zeppelin-bubblechart",
Expand Up @@ -25,6 +25,7 @@
import java.io.File;
import java.io.IOException;

import static org.apache.zeppelin.helium.HeliumPackage.newHeliumPackage;
import static org.junit.jupiter.api.Assertions.assertEquals;

public class HeliumLocalRegistryTest {
Expand All @@ -50,7 +51,7 @@ public void testGetAllPackage() throws IOException {

// when
Gson gson = new Gson();
HeliumPackage pkg1 = new HeliumPackage(HeliumType.APPLICATION,
HeliumPackage pkg1 = newHeliumPackage(HeliumType.APPLICATION,
"app1",
"desc1",
"artifact1",
Expand Up @@ -26,6 +26,7 @@
import java.io.IOException;
import java.net.URISyntaxException;

import static org.apache.zeppelin.helium.HeliumPackage.newHeliumPackage;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;
Expand Down Expand Up @@ -77,7 +78,7 @@ public void testRestoreRegistryInstances() throws IOException, URISyntaxExceptio
helium.addRegistry(registry2);

// when
registry1.add(new HeliumPackage(
registry1.add(newHeliumPackage(
HeliumType.APPLICATION,
"name1",
"desc1",
Expand All @@ -87,7 +88,7 @@ public void testRestoreRegistryInstances() throws IOException, URISyntaxExceptio
"",
""));

registry2.add(new HeliumPackage(
registry2.add(newHeliumPackage(
HeliumType.APPLICATION,
"name2",
"desc2",
Expand All @@ -110,7 +111,7 @@ public void testRefresh() throws IOException, URISyntaxException, TaskRunnerExce
helium.addRegistry(registry1);

// when
registry1.add(new HeliumPackage(
registry1.add(newHeliumPackage(
HeliumType.APPLICATION,
"name1",
"desc1",
Expand All @@ -124,7 +125,7 @@ public void testRefresh() throws IOException, URISyntaxException, TaskRunnerExce
assertEquals(1, helium.getAllPackageInfo().size());

// when
registry1.add(new HeliumPackage(
registry1.add(newHeliumPackage(
HeliumType.APPLICATION,
"name2",
"desc2",
