twitter-server: Plug XSS vulnerability in /histograms endpoint

Problem Right now we allow script injection in /histograms by telling people about the query that they just ran. Solution Stop telling people about the query they ran. JIRA Issues: OSS-5328 Differential Revision: https://phabricator.twitter.biz/D574844
twitter · Nov 10, 2020 · e0aeb87 · e0aeb87
1 parent 3bddefc
commit e0aeb87
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 2 deletions.
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
@@ -7,6 +7,9 @@ Note that ``PHAB_ID=#`` and ``RB_ID=#`` correspond to associated messages in com
 Unreleased
 ----------
 
+* Escape user-provided string from the returned text.  This removes a potential vector for an XSS
+  attack. ``PHAB_ID=D574844``
+
 20.10.0
 -------
 

diff --git a/server/src/main/scala/com/twitter/server/handler/HistogramQueryHandler.scala b/server/src/main/scala/com/twitter/server/handler/HistogramQueryHandler.scala
@@ -198,7 +198,7 @@ private[server] class HistogramQueryHandler(details: WithHistogramDetails)
       content = {
         val text = histograms.get(query) match {
           case Some(h) => transform(h.counts)
-          case None => s"Key: $query is not a valid histogram."
+          case None => s"Key: ${escapeHtml(query)} is not a valid histogram."
         }
         Buf.Utf8(text)
       }
@@ -280,7 +280,7 @@ private[server] class HistogramQueryHandler(details: WithHistogramDetails)
         if (histograms.contains(query))
           render
         else
-          s"Key: $query is not a valid histogram."
+          s"Key: ${escapeHtml(query)} is not a valid histogram."
       }
     )