
HUE-7536 [frontend] Avoid XSS in the table row display modal, HueData…
…table and TableExtender2
enricoberti committed Oct 26, 2017
1 parent 141ac77 commit 6da4969
Showing 6 changed files with 20 additions and 9 deletions.
Expand Up @@ -435,9 +435,9 @@ var MetastoreTable = (function () {
self.loadingQueries = ko.observable(true);

//TODO: Fetch table comment async and don't set it from python
self.comment = ko.observable(options.comment ? options.comment.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '') : null);
self.comment = ko.observable(hueUtils.deXSS(options.comment));
self.commentWithoutNewLines = ko.pureComputed(function(){
return self.comment() ? self.comment().replace(/<br\s*[\/]?>/gi, ' ').replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '') : '';
return self.comment() ? hueUtils.deXSS(self.comment().replace(/<br\s*[\/]?>/gi, ' ')) : '';
});

self.comment.subscribe(function (newValue) {
Expand Down Expand Up @@ -713,7 +713,7 @@ var MetastoreColumn = (function () {
var self = this;
self.table = options.table;
if (options.extendedColumn && options.extendedColumn.comment) {
options.extendedColumn.comment = options.extendedColumn.comment.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '');
options.extendedColumn.comment = hueUtils.deXSS(options.extendedColumn.comment);
}
ko.mapping.fromJS(options.extendedColumn, {}, self);

7 changes: 7 additions & 0 deletions desktop/core/src/desktop/static/desktop/js/hue.utils.js
Expand Up @@ -367,6 +367,13 @@ if (!('addRule' in CSSStyleSheet.prototype)) {
return a && b && a.toLowerCase() === b.toLowerCase();
};

hueUtils.deXSS = function (str) {
if (typeof str !== 'undefined' && str !== null && typeof str === 'string') {
return str.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '');
}
return str;
}

}(hueUtils = window.hueUtils || {}));

if (!Object.keys) {
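Review bot: `hueUtils.deXSS` (L42-L47) removes only well-formed `<script>…</script>` elements, so every other form of markup in `str` — other elements, inline event-handler attributes — is returned unchanged, and each caller in this commit inserts the result with jQuery `.html()`. Where the value is meant to be displayed as text (table cells, column headers, the modal rows) the robust mitigation is to escape `&`, `<`, `>`, `"` and `'` before concatenation, and to keep a strip-style helper only for fields that are intentionally allowed to carry markup such as the `<br>`-bearing comments in MetastoreTable. Whatever is decided, the function deserves a JSDoc stating the limitation, e.g. `/** Strips <script> elements only; does NOT make arbitrary HTML safe for .html() — escape plain-text values instead. */`. Smaller points: the guard on L43 is equivalent to `if (typeof str === 'string')`, and the function expression ends on L47 without a terminating `;`.
```javascript
// … unchanged: hueUtils.equalIgnoreCase …

// Proposed companion helper (the name is a suggestion): HTML-escapes a
// plain-text value so it can be concatenated into markup passed to .html().
hueUtils.escapeHtml = function (str) {
  if (typeof str !== 'string') {
    return str;
  }
  return str.replace(/[&<>"']/g, function (c) {
    return { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c];
  });
};

// … unchanged: hueUtils.deXSS (<script>-only strip, kept for markup-bearing fields) …
```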
Expand Up @@ -384,7 +384,7 @@
if ($t.data('fnDraws') === 0) {
var html = '';
for (var i = 0; i < data.length; i++) {
html += '<tr class="ht-visible-row ht-visible-row-' + i + '" style="height: 32px"><td>' + data[i][0] + '</td><td colspan="' + (aoColumns.length - 1) + '" class="stripe"></td></tr>';
html += '<tr class="ht-visible-row ht-visible-row-' + i + '" style="height: 32px"><td>' + hueUtils.deXSS(data[i][0]) + '</td><td colspan="' + (aoColumns.length - 1) + '" class="stripe"></td></tr>';
}
appendable.html(html);
if ($t.data('plugin_jHueTableExtender')) {
Expand All @@ -398,7 +398,7 @@
if (force) {
var html = '';
for (var i = $t.find('.ht-visible-row').length; i < data.length; i++) {
html += '<tr class="ht-visible-row ht-visible-row-' + i + '"><td>' + data[i][0] + '</td><td colspan="' + (aoColumns.length - 1) + '" class="stripe"></td></tr>';
html += '<tr class="ht-visible-row ht-visible-row-' + i + '"><td>' + hueUtils.deXSS(data[i][0]) + '</td><td colspan="' + (aoColumns.length - 1) + '" class="stripe"></td></tr>';
}
appendable.html(appendable.html() + html);
}
Expand All @@ -410,7 +410,7 @@
var row = data[i];
if (row) {
for (var j = 0; j < endCol; j++) {
html += '<td ' + (!aoColumns[j].bVisible ? 'style="display: none"' : '') + '>' + row[j] + '</td>';
html += '<td ' + (!aoColumns[j].bVisible ? 'style="display: none"' : '') + '>' + hueUtils.deXSS(row[j]) + '</td>';
}

if (endCol < aoColumns.length) {
Expand All @@ -419,7 +419,7 @@
}
}
else {
html = '<td>' + data[i][0] + '</td><td colspan="' + (aoColumns.length - 1) + '" class="stripe"></td>';
html = '<td>' + hueUtils.deXSS(data[i][0]) + '</td><td colspan="' + (aoColumns.length - 1) + '" class="stripe"></td>';
}
appendable.children().eq(i).html(html);
}
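Review bot: Every cell value wrapped on L58, L67, L76 and L85 is still concatenated into `<td>` markup and handed to `.html()`, and `hueUtils.deXSS` only strips `<script>` elements, so a cell containing any other markup still renders as HTML rather than as text. If these cells are plain data, HTML-escaping the value (`&<>"'`) at this point is the complete mitigation and `deXSS` is not needed; if the datatable deliberately stores pre-rendered HTML in `data`, that should be stated in a comment above the first loop, e.g. `// data[i][j] may contain trusted, pre-rendered HTML; deXSS only removes <script> elements`. The same applies to the TableExtender2 row-clone hunk (`hueUtils.deXSS(col)` on L95). The enclosing functions start and end outside these hunks.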
Expand Up @@ -486,7 +486,7 @@
var tHtml = '';
var aoColumns = self.$element.data('aoColumns');
self.$element.data('data')[rowNo - 1].forEach(function(col, idx){
tHtml += '<td ' + (aoColumns && !aoColumns[idx].bVisible ? 'style="display: none"' : '') + '>' + col + '</td>';
tHtml += '<td ' + (aoColumns && !aoColumns[idx].bVisible ? 'style="display: none"' : '') + '>' + hueUtils.deXSS(col) + '</td>';
});
$clone.html(tHtml);
$clone.appendTo(self.headerRowContainer.find('tbody'));
4 changes: 4 additions & 0 deletions desktop/core/src/desktop/static/desktop/spec/hueUtilsSpec.js
Expand Up @@ -60,5 +60,9 @@
hueUtils.changeURL('/jasmine');
});

it("should remove JS code from a string", function() {
expect(hueUtils.deXSS('hello <script>alert(123)</script>world')).toEqual('hello world');
});

});
})();
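Review bot: The new spec on L105-L107 pins only the `<script>` case, leaving the non-string pass-through branch (`return str;` on L46 of `hue.utils.js`) untested; add `expect(hueUtils.deXSS(null)).toEqual(null);` and `expect(hueUtils.deXSS(42)).toEqual(42);` so a future tightening of the guard cannot silently change what callers receive for empty or numeric cells. A case using `<SCRIPT>` in mixed case would also document that the `i` flag on the pattern is intentional.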
Expand Up @@ -544,7 +544,7 @@ from metadata.conf import has_optimizer, OPTIMIZER
value = $el.data('data')[data.idx][colIdx];
}
var link = typeof value == 'string' && value.match(/^https?:\/\//i) ? '<a href="' + escapeOutput(value) + '" target="_blank">' + value + ' <i class="fa fa-external-link"></i></a>' : value;
html += '<tr><th width="10%">' + $(col).text() + '</th><td>' + link + '</td></tr>';
html += '<tr><th width="10%">' + hueUtils.deXSS($(col).text()) + '</th><td>' + hueUtils.deXSS(link) + '</td></tr>';
}
});
$t.html(html);
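Review bot: On L116 `hueUtils.deXSS(link)` is applied to already-assembled markup: for URL values `link` is an `<a>` whose `href` was escaped with `escapeOutput` on L114 but whose visible text is the raw `value`, and for every other value `link` is the raw cell, so anything other than a `<script>` element in the value still renders as HTML inside the modal. Since `escapeOutput` is already in scope here, the direct fix is to escape the text positions instead of stripping the composite, i.e. on L114 use `escapeOutput(value)` for the link text and `: escapeOutput(value)` for the non-URL branch, and on L116 `$(col).text()` can be escaped the same way (`.text()` returns decoded text, so re-inserting it via `.html()` calls for escaping, not script-stripping). The behaviour of `escapeOutput` on non-string values is not visible in this hunk and should be checked before widening its use. The `target="_blank"` anchor on L114 would also benefit from `rel="noopener noreferrer"`, since the link target is user-supplied data.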
