drill-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daniel Barclay (Drill) (JIRA)" <j...@apache.org>
Subject [jira] [Created] (DRILL-3768) HTML- and JavaScript-injection vulnerability (lack of HTML encoding)
Date Fri, 11 Sep 2015 21:38:45 GMT
Daniel Barclay (Drill) created DRILL-3768:
---------------------------------------------

             Summary: HTML- and JavaScript-injection vulnerability (lack of HTML encoding)
                 Key: DRILL-3768
                 URL: https://issues.apache.org/jira/browse/DRILL-3768
             Project: Apache Drill
          Issue Type: Bug
          Components: Client - HTTP
            Reporter: Daniel Barclay (Drill)
            Assignee: Jason Altekruse
            Priority: Critical


The Web UI does not properly encode query text or error message text into HTML.  This makes
the Web UI vulnerable to JavaScript-injection attacks.

&nbsp;
Most importantly, the Web UI doesn't encode characters that are special in HTML, e.g., encoding
"<" in that plain text to "&amp;lt;" in the HTML text.

This means that some queries containing a less-than character ("<") are displayed wrong.
 For example, submit this query and then look at its profile via the Web UI:

{noformat}
SELECT 1<B FROM (VALUES 2) AS T(B)
{noformat}

(The query currently show up as "{{SELECT 1}}".)

What's worse is that someone submitting a query can inject HTML, _including JavaScript code_,
into the Web UI's pages.  Look at this query's profile in the Web UI:

{noformat}
VALUES `<script> alert("Gotcha!") </script>
{noformat}


&nbsp;
Another, though less serious, problem is that line breaks in plain text are not encoded into
HTML (e.g., as "<br />").

That means that separate lines of error messages are run together, making them harder or impossible
to parse correctly when see in the Web UI.






--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message