drill-dev mailing list archives

From "Daniel Barclay (Drill) (JIRA)" <j...@apache.org>
Subject [jira] [Created] (DRILL-3768) HTML- and JavaScript-injection vulnerability (lack of HTML encoding)
Date Fri, 11 Sep 2015 21:38:45 GMT
Daniel Barclay (Drill) created DRILL-3768:

             Summary: HTML- and JavaScript-injection vulnerability (lack of HTML encoding)
                 Key: DRILL-3768
                 URL: https://issues.apache.org/jira/browse/DRILL-3768
             Project: Apache Drill
          Issue Type: Bug
          Components: Client - HTTP
            Reporter: Daniel Barclay (Drill)
            Assignee: Jason Altekruse
            Priority: Critical

The Web UI does not properly encode query text or error message text into HTML.  This makes
the Web UI vulnerable to JavaScript-injection attacks.

Most importantly, the Web UI doesn't encode characters that are special in HTML, e.g., encoding
"<" in that plain text to "&lt;" in the HTML text.

This means that some queries containing a less-than character ("<") are displayed wrong.
For example, submit this query and then look at its profile via the Web UI:


(The query currently shows up as "{{SELECT 1}}".)

What's worse is that someone submitting a query can inject HTML, _including JavaScript code_,
into the Web UI's pages.  Look at this query's profile in the Web UI:

VALUES `<script> alert("Gotcha!") </script>

Another, though less serious, problem is that line breaks in plain text are not encoded into
HTML (e.g., as "<br />").

That means that separate lines of error messages are run together, making them harder or impossible
to parse correctly when seen in the Web UI.

This message was sent by Atlassian JIRA
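The fix the report asks for is a single encoding step applied to query text and error text before either is placed into the page. The following is an added illustration, not Apache Drill's code and not from the reporter: a stand-alone encoder for the five HTML-significant characters, a variant that also turns line breaks into "<br />" after encoding, and a toy profile-page fragment rendered both without and with encoding so the difference is visible. The function and variable names (encodeForHtml, encodeForHtmlWithLineBreaks, renderProfileFragment, containsLiveScript) and the sample error message are assumptions made for the example.

```javascript
// Added example (not Apache Drill code): encode user-controlled text before
// embedding it in HTML, as DRILL-3768 asks for. Names are illustrative.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the characters that are special in HTML text and attribute values.
// "&" is encoded too, so input that already looks encoded (e.g. "&lt;") is
// shown literally as "&lt;" rather than being turned back into "<".
function encodeForHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Encode first, then convert line breaks to <br /> so multi-line error
// messages keep their line structure. Order matters: the "<" of "<br />" is
// introduced only after escaping, so a user-supplied "<br />" stays literal.
function encodeForHtmlWithLineBreaks(text) {
  return encodeForHtml(text).replace(/\r\n|\r|\n/g, "<br />");
}

// Minimal stand-in for a query-profile template. With encode=false it mirrors
// the behaviour the report describes; with encode=true it is the fixed form.
function renderProfileFragment(query, errorMessage, { encode }) {
  const q = encode ? encodeForHtml(query) : query;
  const e = encode ? encodeForHtmlWithLineBreaks(errorMessage) : errorMessage;
  return `<div class="query"><pre>${q}</pre></div>\n<div class="error">${e}</div>`;
}

// Crude check used by the demo: does the rendered HTML contain a script tag
// that the browser would execute?
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

// Constructed sample inputs, modelled on the two cases in the report
// (a "<" in query text, and a multi-line error message).
const SAMPLE_QUERY = 'VALUES `<script> alert("Gotcha!") </script>`';
const SAMPLE_ERROR =
  'PARSE ERROR: Encountered "<" at line 1, column 8.\n' +
  "Was expecting one of:\n" +
  '    "FROM" ...';

const unsafeHtml = renderProfileFragment(SAMPLE_QUERY, SAMPLE_ERROR, { encode: false });
const safeHtml = renderProfileFragment(SAMPLE_QUERY, SAMPLE_ERROR, { encode: true });
console.log("unencoded page contains live <script>:", containsLiveScript(unsafeHtml));
console.log("encoded page contains live <script>:  ", containsLiveScript(safeHtml));
console.log(safeHtml);
```

The same rule applies to every value a template interpolates, not just query and error text; a server-side template engine that escapes by default (or a helper like this one applied at every interpolation point) is the systematic way to close the hole rather than patching individual pages.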
