Sanitize DAS templates, fixes #545

Signed-off-by: Valentin Kuznetsov <vkuznet@gmail.com> git-svn-id: svn+ssh://svn.cern.ch/reps/CMSDMWM/DAS/trunk@10966 4525493e-7705-40b1-a816-d608a930855b
dmwm · Nov 30, 2010 · adb3d0e · adb3d0e
1 parent 8b8db7c
commit adb3d0e
Show file tree

Hide file tree

Showing 42 changed files with 334 additions and 873 deletions.
diff --git a/src/js/ajax_utils.js b/src/js/ajax_utils.js
@@ -7,14 +7,14 @@ function ajaxStatus(base) {
 }
 function ajaxQueryInfo(base) {
     var q = document.getElementById('dasquery');
-    new Ajax.Updater('_queryinfo', base+'/admin/query_info', 
+    new Ajax.Updater('_queryinfo', base+'/expert/query_info', 
     { method: 'get' ,
       parameters : {'dasquery':q.value},
     });
 }
 function ajaxCleanInfo(base) {
     var q = document.getElementById('dbcoll');
-    new Ajax.Updater('_cleaninfo', base+'/admin/clean', 
+    new Ajax.Updater('_cleaninfo', base+'/expert/clean', 
     { method: 'get' ,
       parameters : {'dbcoll':q.value},
     });

diff --git a/src/python/DAS/analytics/analytics_web.py b/src/python/DAS/analytics/analytics_web.py
@@ -87,9 +87,7 @@ def top(self):
         """
         Provide masthead for all web pages
         """
-        return self.templatepage('analytics_header',
-                                 base=self.base,
-                                 yui=self.yuidir)
+        return self.templatepage('analytics_header', base=self.base)
 
     @cherrypy.expose
     def doc(self):
@@ -101,9 +99,7 @@ def bottom(self):
         """
         Provide footer for all web pages
         """
-        timestamp = time.strftime("%a, %d %b %Y %H:%M:%S GMT", time.gmtime())
-        return self.templatepage('analytics_bottom',
-                timestamp=timestamp, version=DAS.version)
+        return self.templatepage('analytics_bottom', version=DAS.version)
 
     @cherrypy.expose    
     def schedule(self, *path, **attrs):

diff --git a/src/python/DAS/core/das_core.py b/src/python/DAS/core/das_core.py
@@ -295,7 +295,7 @@ def call(self, query, add_to_analytics=True):
         qhash = genkey(query)
         try:
             for srv in services:
-                self.logger.info('DASCore::call %s(%s)' % (srv, query))
+                self.logger.info('\nDASCore::call ##### %s ######\n' % srv)
                 das_timer(srv, self.verbose)
                 getattr(getattr(self, srv), 'call')(query)
                 das_timer(srv, self.verbose)

diff --git a/src/python/DAS/services/dashboard/dashboard_service.py b/src/python/DAS/services/dashboard/dashboard_service.py
@@ -47,22 +47,21 @@ def parser(self, source, api, params=None):
 
         try:
             elem  = ET.fromstring(data)
+            for i in elem:
+                if  i.tag == 'summaries':
+                    for j in i:
+                        row = {}
+                        for k in j.getchildren():
+                            name = k.tag
+                            row[name] = k.text
+                        if  params:
+                            for key, val in params.items():
+                                if  not row.has_key(key):
+                                    row[key] = val
+                        rowkey = self.map[api]['keys'][0]
+                        yield {rowkey : row}
         except:
-            print "data='%s'" % data
-            raise Exception('Unable to parse dashboard output')
-        for i in elem:
-            if  i.tag == 'summaries':
-                for j in i:
-                    row = {}
-                    for k in j.getchildren():
-                        name = k.tag
-                        row[name] = k.text
-                    if  params:
-                        for key, val in params.items():
-                            if  not row.has_key(key):
-                                row[key] = val
-                    rowkey = self.map[api]['keys'][0]
-                    yield {rowkey : row}
+            yield {'error' : data}
         if  close:
             source.close()
 

diff --git a/src/python/DAS/web/das_expert.py b/src/python/DAS/web/das_expert.py
@@ -28,7 +28,7 @@
 from DAS.core.das_core import DASCore
 from DAS.core.das_mongocache import convert2pattern, encode_mongo_query
 from DAS.web.das_webmanager import DASWebManager
-from DAS.web.utils import json2html, ajax_response, checkargs
+from DAS.web.utils import json2html, ajax_response, checkargs, quote
 from DAS.web.das_codes import web_code
 
 DAS_EXPERT_INPUTS = ['idx', 'limit', 'collection', 'database', 'query',
@@ -52,6 +52,7 @@ def wrapper (self, *args, **kwds):
         database = conn['admin']
         coll = database['dns']
         dn = headers.get('Ssl-Client-S-Dn', None)
+        redirect = False
         if  dn:
             if  coll.find_one({'dn': dn}):
                 redirect = False
@@ -152,11 +153,13 @@ def records(self, database, collection=None, query=None, idx=0, limit=10,
         if  not iquery:
             iquery = {}
         url = '%s/expert/records?database=%s&collection=%s&query=%s' \
-                % (self.base, database, collection, iquery)
+        % (quote(self.base), quote(database), quote(collection), quote(iquery))
         nresults = self.conn[database][collection].find(query).count()
         idict = dict(nrows=nresults, idx=idx, 
-                    limit=limit, results=page, url=url)
+                    limit=limit, url=url)
+        content = page
         page  = self.templatepage('das_pagination', **idict)
+        page += content
         return self.page(page)
 
     @expose

diff --git a/src/python/DAS/web/das_web.py b/src/python/DAS/web/das_web.py
@@ -34,7 +34,7 @@
 from DAS.utils.logger import DASLogger, set_cherrypy_logger
 from DAS.utils.das_config import das_readconfig
 from DAS.utils.das_db import db_connection, connection_monitor
-from DAS.web.utils import urllib2_request, json2html, web_time
+from DAS.web.utils import urllib2_request, json2html, web_time, quote
 from DAS.web.utils import ajax_response, checkargs, get_ecode
 from DAS.web.utils import wrap2dasxml, wrap2dasjson
 from DAS.web.tools import exposedasjson, exposetext
@@ -47,6 +47,16 @@
 DAS_WEB_INPUTS = ['input', 'idx', 'limit', 'show', 'collection', 'name',
                   'format', 'sort', 'dir', 'ajax', 'view', 'method']
 
+def das_json(record, pad=''):
+    """
+    Wrap provided jsonhtml code snippet into div/pre blocks. Provided jsonhtml
+    snippet is sanitized by json2html function.
+    """
+    page  = """<div class="code"><pre>"""
+    page += json2html(record, pad)
+    page += "</pre></div>"
+    return page
+
 class DASWebService(DASWebManager):
     """
     DAS web service interface.
@@ -104,15 +114,8 @@ def page(self, content, ctime=None, response_div=True):
         """
         page  = self.top()
         page += content
-        timestamp = time.strftime("%a, %d %b %Y %H:%M:%S GMT", time.gmtime())
-        services = self.dasmgr.keys()
-        srv = ""
-        for key in services.keys():
-            srv += "%s, " % key
-        srv = srv[:-2] # remove last comma
-        page += self.templatepage('das_bottom', ctime=ctime, services=srv,
-                                  version=DAS.version,
-                                  timestamp=timestamp, div=response_div)
+        page += self.templatepage('das_bottom', ctime=ctime, 
+                                  version=DAS.version, div=response_div)
         return page
 
     @expose
@@ -191,15 +194,14 @@ def api(self, name, **kwargs):
         show   = kwargs.get('show', 'json')
         page   = "<b>DAS mapping record</b>"
         if  show == 'json':
-            jsoncode = {'jsoncode': json2html(record, "")}
-            page += self.templatepage('das_json', **jsoncode)
+            page += das_json(record)
         elif show == 'code':
             code  = pformat(record, indent=1, width=100)
-            page += self.templatepage('das_code', code=code)
+            page += self.templatepage('das_json', jsoncode=code)
         else:
             code  = yaml.dump(record, width=100, indent=4, 
                         default_flow_style=False)
-            page += self.templatepage('das_code', code=code)
+            page += self.templatepage('das_json', jsoncode=code)
         return self.page(page, response_div=False)
 
     @expose
@@ -383,21 +385,20 @@ def records(self, *args, **kwargs):
                 if  recordid: # we got id
                     for row in result['data']:
                         if  show == 'json':
-                            jsoncode = {'jsoncode': json2html(row, "")}
-                            res += self.templatepage('das_json', **jsoncode)
+                            res += das_json(row)
                         elif show == 'code':
                             code  = pformat(row, indent=1, width=100)
-                            res += self.templatepage('das_code', code=code)
+                            res += self.templatepage('das_json', jsoncode=code)
                         else:
                             code = yaml.dump(row, width=100, indent=4, 
                                         default_flow_style=False)
-                            res += self.templatepage('das_code', code=code)
+                            res += self.templatepage('das_json', jsoncode=code)
                 else:
                     for row in result['data']:
                         rid  = row['_id']
                         del row['_id']
-                        record = dict(id=rid, daskeys=', '.join(row))
-                        res += self.templatepage('das_record', **record)
+                        res += self.templatepage('das_record', \
+                                id=rid, daskeys=', '.join(row))
             else:
                 res = result['status']
                 if  res.has_key('reason'):
@@ -416,12 +417,12 @@ def records(self, *args, **kwargs):
                 page  = res
             else:
                 url   = '/das/records?'
-                idict = dict(nrows=nresults, idx=idx, 
-                            limit=limit, results=res, url=url)
                 if  nresults:
-                    page = self.templatepage('das_pagination', **idict)
+                    page = self.templatepage('das_pagination', \
+                        nrows=nresults, idx=idx, limit=limit, url=url)
                 else:
                     page = 'No results found'
+                page += res
 
             form    = self.form(input="")
             ctime   = (time.time()-time0)
@@ -584,31 +585,31 @@ def listview(self, **kwargs):
                 page += "<b>%s</b>: %s<br />" % (uikey, value)
             pad   = ""
             if  show == 'json':
-                jsoncode = {'jsoncode': json2html(row, pad)}
-                jsonhtml = self.templatepage('das_json', **jsoncode)
-                jsondict = dict(data=jsonhtml, id=id, rec_id=id)
-                page += self.templatepage('das_row', **jsondict)
+                jsonhtml = das_json(row, pad)
+                page += self.templatepage('das_row', \
+                        sanitized_data=jsonhtml, id=id, rec_id=id)
             elif show == 'code':
                 code  = pformat(row, indent=1, width=100)
-                data  = self.templatepage('das_code', code=code)
-                datadict = {'data':data, 'id':id, 'rec_id':id}
-                page += self.templatepage('das_row', **datadict)
+                data  = self.templatepage('das_json', jsoncode=code)
+                page += self.templatepage('das_row', \
+                        sanitized_data=data, id=id, rec_id=id)
             else:
                 code  = yaml.dump(row, width=100, indent=4, 
                                 default_flow_style=False)
-                data  = self.templatepage('das_code', code=code)
-                datadict = {'data':data, 'id':id, 'rec_id':id}
-                page += self.templatepage('das_row', **datadict)
+                data  = self.templatepage('das_json', jsoncode=code)
+                page += self.templatepage('das_row', \
+                        sanitized_data=data, id=id, rec_id=id)
             page += '</div>'
         ctime = (time.time()-time0)
         url   = "%s/?view=list&show=%s&input=%s&ajax=%s" \
-        % (self.base, show, uinput, ajaxreq)
-        idict = dict(nrows=total, idx=idx,
-                    limit=limit, results=page, url=url)
+        % (quote(self.base), quote(show), quote(uinput), quote(ajaxreq))
+        content = page
         if  total:
-            page = self.templatepage('das_pagination', **idict)
+            page  = self.templatepage('das_pagination', \
+                nrows=total, idx=idx, limit=limit, url=url)
+            page += content
         else:
-            page = 'No results found'
+            page  = 'No results found'
         return self.page(form + page, ctime=ctime)
 
     @exposetext

diff --git a/src/python/DAS/web/das_webmanager.py b/src/python/DAS/web/das_webmanager.py
@@ -107,16 +107,15 @@ def top(self):
         """
         Provide masthead for all web pages
         """
-        return self.templatepage('das_top', base=self.base, yui=self.yuidir)
+        return self.templatepage('das_top', base=self.base)
 
     def bottom(self):
         """
         Provide footer for all web pages
         """
-        timestamp = time.strftime("%a, %d %b %Y %H:%M:%S GMT", time.gmtime())
         ctime = 0
-        return self.templatepage('das_bottom', div="", services="",
-                timestamp=timestamp, ctime=ctime, version=DAS.version)
+        return self.templatepage('das_bottom', div="", 
+                ctime=ctime, version=DAS.version)
 
     def page(self, content):
         """
@@ -182,7 +181,7 @@ def js(self, *args, **kwargs):
         scripts = self.check_scripts(args, self.jsmap, self.jsdir)
         return self.serve_files(args, scripts, self.jsmap)
 
-    def serve_files(self, args, scripts, _map, datatype='', minimize=False):
+    def serve_files(self, args, scripts, resource, datatype='', minimize=False):
         """
         Return asked set of files for JS, YUI, CSS.
         """
@@ -192,7 +191,7 @@ def serve_files(self, args, scripts, _map, datatype='', minimize=False):
             if  datatype == 'css':
                 data = '@CHARSET "UTF-8";'
             for script in args:
-                path = os.path.join(sys.path[0], _map[script])
+                path = os.path.join(sys.path[0], resource[script])
                 path = os.path.normpath(path)
                 ifile = open(path)
                 data = "\n".join ([data, ifile.read().\
@@ -206,13 +205,14 @@ def serve_files(self, args, scripts, _map, datatype='', minimize=False):
                 self.cache[idx] = data
         return self.cache[idx] 
 
-    def check_scripts(self, scripts, map, path):
+    def check_scripts(self, scripts, resource, path):
         """
-        Check a script is known to the map and that the script actually exists   
+        Check a script is known to the resource map 
+        and that the script actually exists   
         """           
         for script in scripts:
-            if  script not in map.keys():
+            if  script not in resource.keys():
                 spath = os.path.normpath(os.path.join(path, script))
                 if  os.path.isfile(spath):
-                    map.update({script: spath})
+                    resource.update({script: spath})
         return scripts