zeppelin-commits mailing list archives

From m...@apache.org
Subject [zeppelin] branch master updated: ZEPPELIN-4335 Deleting a Notebook is vulnerable to XSS attack
Date Thu, 19 Sep 2019 16:58:38 GMT
This is an automated email from the ASF dual-hosted git repository.

moon pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/zeppelin.git


The following commit(s) were added to refs/heads/master by this push:
     new f9e2ff8  ZEPPELIN-4335 Deleting a Notebook is vulnerable to XSS attack
f9e2ff8 is described below

commit f9e2ff8ff8316e973957041b0f213ce7651cab1c
Author: Akhil Subhash Naik <asnaik@hortonworks.com>
AuthorDate: Thu Sep 19 11:25:40 2019 +0530

    ZEPPELIN-4335 Deleting a Notebook is vulnerable to XSS attack
    
    ### What is this PR for?
    Fix of : ZEPPELIN-4335 Deleting a Notebook is vulnerable to XSS attack
    
    Issue reproduction steps :
    
    1) create a notebook
    2) give the permission to notebook as : <script>alert('hi')</script> (press space after writing this, not the enter key)
    3) after this, try to delete the notebook; the BootstrapDialog that pops up stating insufficient privileges is vulnerable to XSS attack
    
    ### What type of PR is it?
    BUG FIX ZEPPELIN-4335
    
    ### What is the Jira issue?
    https://issues.apache.org/jira/browse/ZEPPELIN-4335
    
    ### How should this be tested?
    
    Test as per reproduction steps :
    1) create a notebook
    2) give the permission to notebook as : <script>alert('hi')</script> (press space after writing this, not the enter key)
    3) after this, try to delete the notebook; the BootstrapDialog that pops up stating insufficient privileges is vulnerable to XSS attack
    
    ### Questions:
    * Does the licenses files need update? No
    * Is there breaking changes for older versions? No
    * Does this needs documentation? No
    
    Author: Akhil Subhash Naik <asnaik@hortonworks.com>
    
    Closes #3452 from Akhilsnaik/ZEPPELIN-4335 and squashes the following commits:
    
    95212d846 [Akhil Subhash Naik] ZEPPELIN-4335 Deleting a Notebook is vulnerable to XSS attack (asnaik)
---
 zeppelin-web/src/components/websocket/websocket-event.factory.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/zeppelin-web/src/components/websocket/websocket-event.factory.js b/zeppelin-web/src/components/websocket/websocket-event.factory.js
index ef255e7..5bcf45d 100644
--- a/zeppelin-web/src/components/websocket/websocket-event.factory.js
+++ b/zeppelin-web/src/components/websocket/websocket-event.factory.js
@@ -107,7 +107,7 @@ function WebsocketEventFactory($rootScope, $websocket, $location, baseUrlSrv,
ng
         closeByBackdrop: false,
         closeByKeyboard: false,
         title: 'Insufficient privileges',
-        message: data.info.toString(),
+        message: _.escape(data.info.toString()),
         buttons: btn,
       });
     } else if (op === 'PARAGRAPH') {
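Review bot: `_.escape` on the `message` line is the right treatment for a server-pushed string that BootstrapDialog renders as HTML, but the hunk does not show where `_` comes from; confirm lodash is actually in scope in websocket-event.factory.js (imported or provided globally) rather than assumed from another module having loaded it. Two follow-ups in the same file are worth checking while here: any other `BootstrapDialog.show({ ... message: ... })` call that passes server-supplied text unescaped has the same bug, and `data.info.toString()` still throws if `info` is ever missing, so `_.escape(String(data.info))` would cover both the XSS and the undefined case in one expression.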


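To make the mechanism in the reproduction steps concrete, here is an added example (not Zeppelin's code and not part of the commit above) that models the dialog body before and after the fix. It re-implements the character set lodash 4's `_.escape()` handles (`& < > " '`) so it runs without the library, and uses a constructed stand-in for the `data.info` string the websocket handler receives; the exact text Zeppelin's server sends is an assumption here.

```javascript
// Added example, not Zeppelin's own code. Models how a server-pushed
// permission string reaches the "Insufficient privileges" dialog body.

// Same five characters lodash 4's _.escape() replaces (backtick is not included).
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Entity-escape a value for insertion into an HTML text node or quoted attribute.
// Not sufficient for JavaScript, URL or unquoted-attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed stand-in for data.info: the server echoes the note's permission
// entries back in its error text, so the attacker-chosen owner string rides along.
const pushedInfo =
  "Insufficient privileges to remove note.\n" +
  "Allowed owners: <script>alert('hi')</script>";

// Before the fix: the string is concatenated straight into the dialog's HTML body.
function renderDialogVulnerable(info) {
  return '<div class="bootstrap-dialog-message">' + info.toString() + '</div>';
}

// After the fix: the string is escaped before it enters the HTML body.
function renderDialogFixed(info) {
  return '<div class="bootstrap-dialog-message">' + escapeHtml(info.toString()) + '</div>';
}

// Stand-in for the browser's parser: does a live <script> tag survive in the markup?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Run both renderers over the constructed payload and report what reaches the DOM.
function demo() {
  return {
    vulnerable: containsScriptTag(renderDialogVulnerable(pushedInfo)),
    fixed: containsScriptTag(renderDialogFixed(pushedInfo)),
    escaped: escapeHtml("<script>alert('hi')</script>"),
  };
}

console.log(demo());
```

The escaped form renders the permission string literally inside the dialog, which is what a user expects to see; the unescaped form hands the attacker's markup to the HTML parser. Escaping at the render site, as the commit does, is the correct layer because the permission value is legitimate data that must be stored as typed and only becomes dangerous when it is interpreted as HTML.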