From 1b0ed842d080c14234c36caf30a4d703c78efcde Mon Sep 17 00:00:00 2001
From: Jason Darrell Lowe
Date: Fri, 18 Apr 2014 21:46:14 +0000
Subject: [PATCH] svn merge -c 1588572 FIXES: YARN-1932. Javascript injection on the job status page. Contributed by Mit Desai

git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/branches/branch-2@1588573 13f79535-47bb-0310-9956-ffa450edef68
---
 hadoop-yarn-project/CHANGES.txt | 3 ++
 .../hadoop/yarn/webapp/view/InfoBlock.java | 4 +-
 .../yarn/webapp/view/TestInfoBlock.java | 37 +++++++++++++++++++
 3 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
index 2178effd406..81660d6e483 100644
--- a/hadoop-yarn-project/CHANGES.txt
+++ b/hadoop-yarn-project/CHANGES.txt
@@ -132,6 +132,9 @@ Release 2.4.1 - UNRELEASED
     YARN-1281. Fixed TestZKRMStateStoreZKClientConnections to not fail
     intermittently due to ZK-client timeouts. (Tsuyoshi Ozawa via vinodkv)
+    YARN-1932. Javascript injection on the job status page (Mit Desai via
+    jlowe)
+
 Release 2.4.0 - 2014-04-07
   INCOMPATIBLE CHANGES
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/InfoBlock.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/InfoBlock.java
index 804de6ed0e4..9fe67f1a52b 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/InfoBlock.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/InfoBlock.java
@@ -62,11 +62,11 @@ public class InfoBlock extends HtmlBlock {
           DIV>>>> singleLineDiv;
           for ( String line :lines) {
             singleLineDiv = td.div();
-            singleLineDiv._r(line);
+            singleLineDiv._(line);
             singleLineDiv._();
           }
         } else {
-          td._r(value);
+          td._(value);
         }
         td._();
       } else {
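Review bot: The switch from `_r()` to `_()` on both the per-line branch and the single-value branch is the entire fix, but nothing in the hunk records why, so a later "optimisation" could quietly reintroduce raw rendering of a user-controlled value. Add a comment above the `for` loop such as `// Values come from ResponseInfo and may be user-controlled; render with _() so Hamlet HTML-escapes them, never _r() (YARN-1932).` The rendering method that contains this loop begins and ends outside the hunk, and the `else` branch after `td._()` is not shown, so whether any other path in this block still writes unescaped values cannot be confirmed from here; a grep for remaining `_r(` calls fed from ResponseInfo would close that gap.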
diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/webapp/view/TestInfoBlock.java b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/webapp/view/TestInfoBlock.java
index fc574b7d912..4ec14348e51 100644
--- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/webapp/view/TestInfoBlock.java
+++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/webapp/view/TestInfoBlock.java
@@ -21,6 +21,7 @@
 import java.io.PrintWriter;
 import java.io.StringWriter;
+import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 import org.apache.hadoop.yarn.webapp.ResponseInfo;
@@ -34,6 +35,33 @@ public class TestInfoBlock {
   public static PrintWriter pw;
+  static final String JAVASCRIPT = "";
+  static final String JAVASCRIPT_ESCAPED =
+    "<script>alert('text')</script>";
+  public static class JavaScriptInfoBlock extends InfoBlock{
+    static ResponseInfo resInfo;
+    static {
+      resInfo = new ResponseInfo();
+      resInfo._("User_Name", JAVASCRIPT);
+    }
+    @Override
+    public PrintWriter writer() {
+      return TestInfoBlock.pw;
+    }
+    JavaScriptInfoBlock(ResponseInfo info) {
+      super(resInfo);
+    }
+    public JavaScriptInfoBlock() {
+      super(resInfo);
+    }
+  }
+
   public static class MultilineInfoBlock extends InfoBlock{
     static ResponseInfo resInfo;
@@ -78,4 +106,13 @@ public void testMultilineInfoBlock() throws Exception{
         + " This is second line.%n %n");
     assertTrue(output.contains(expectedSinglelineData) && output.contains(expectedMultilineData));
   }
+
+  @Test(timeout=60000L)
+  public void testJavaScriptInfoBlock() throws Exception{
+    WebAppTests.testBlock(JavaScriptInfoBlock.class);
+    TestInfoBlock.pw.flush();
+    String output = TestInfoBlock.sw.toString();
+    assertFalse(output.contains("
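Review bot: The package-private constructor `JavaScriptInfoBlock(ResponseInfo info)` accepts `info` and then discards it, passing the static `resInfo` to `super`, so a caller that supplies its own ResponseInfo silently gets the static fixture instead; change it to `super(info);` or drop the constructor, since the public no-arg one already covers the static fixture. As rendered here the `JAVASCRIPT` literal is an empty string while `JAVASCRIPT_ESCAPED` holds an unescaped `<script>` tag, which would make an absence-of-script assertion pass vacuously; this looks like HTML extraction having eaten the tags rather than the committed text, but it is worth confirming that the literal really is `"<script>alert('text')</script>"` and that the escaped form uses `&lt;`/`&gt;`. The test method in the following hunk is cut off at the end of the page, so whether it also asserts that the escaped form is present cannot be seen from here.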