This is an automated email from the ASF dual-hosted git repository.
dineshkumar pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git
The following commit(s) were added to refs/heads/master by this push:
new f1e6e2e9a RANGER-4461 : Implement best coding practices for validating
user input
f1e6e2e9a is described below
commit f1e6e2e9a68558d26a0e3d539bf85228ae71ccdc
Author: Dhaval.Rajpara <[email protected]>
AuthorDate: Mon Oct 16 12:39:31 2023 +0530
RANGER-4461 : Implement best coding practices for validating user input
Signed-off-by: Dineshkumar Yadav <[email protected]>
---
security-admin/src/main/webapp/scripts/modules/XAOverrides.js | 4 ++--
security-admin/src/main/webapp/scripts/utils/XAUtils.js | 6 +++---
.../src/main/webapp/scripts/views/kms/KMSTableLayout.js | 2 +-
.../webapp/scripts/views/permissions/ModulePermissionForm.js | 10 +++++-----
.../src/main/webapp/scripts/views/policies/PermissionList.js | 10 +++++-----
.../webapp/scripts/views/policies/RangerPolicyConditions.js | 4 ++--
.../src/main/webapp/scripts/views/policies/RangerPolicyForm.js | 2 +-
.../main/webapp/scripts/views/reports/OperationDiffDetail.js | 4 ++--
.../src/main/webapp/scripts/views/reports/UserAccessLayout.js | 6 +++---
.../src/main/webapp/scripts/views/service/AuditFilterConfig.js | 6 +++---
.../src/main/webapp/scripts/views/users/UserTableLayout.js | 2 +-
11 files changed, 28 insertions(+), 28 deletions(-)
diff --git a/security-admin/src/main/webapp/scripts/modules/XAOverrides.js
b/security-admin/src/main/webapp/scripts/modules/XAOverrides.js
index 369b0f65a..c2f8151db 100644
--- a/security-admin/src/main/webapp/scripts/modules/XAOverrides.js
+++ b/security-admin/src/main/webapp/scripts/modules/XAOverrides.js
@@ -826,7 +826,7 @@
.attr('placeholder','Select component');
var optionList = _.keys(this.servicePerms);
_.each(optionList, function (val, el) {
- $selectComp.append("<option>" + val + "</option>");
+ $selectComp.append("<option>" + _.escape(val) +
"</option>");
});
var $table = $('<table>', {'class':'table
table-policy-condition table-perms margin-top-6' });
var $tbody = $('<tbody><tr><th><input type="checkbox"
data-id="selectAllComponent" />
Component</th><td><strong>Permissions</strong></td></tr></tbody>');
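Review bot: The `<option>` at the top of the hunk is still assembled by string concatenation with `_.escape(val)` spliced in by hand, while the same file builds elements through jQuery's constructor form a few lines below (`$('<table>', {...})`); `$selectComp.append($('<option>').text(val));` sets the text through the DOM and removes the need to remember the escape on the next edit. Because the option carries no `value` attribute, the browser hands back the decoded text when it is read with `.val()`, so lookups into `this.servicePerms` keep matching either way. The enclosing function starts outside the hunk.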
@@ -939,7 +939,7 @@
}
},
addTr : function(compName){
- var $tr = $('<tr data-id="'+compName+'">'), $th =
$('<th>'), $label = '<label><input type="checkbox" data-id="selectall"
data-type="'+compName+'"></label>'+compName;
+ var $tr = $('<tr data-id="'+_.escape(compName)+'">'), $th =
$('<th>'), $label = '<label><input type="checkbox" data-id="selectall"
data-type="'+_.escape(compName)+'"></label>'+_.escape(compName);
var $tmp = $th.append($label);
var $td = $('<td>');
var permissions = this.servicePerms[compName]
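Review bot: `addTr` still builds `<tr data-id="...">` and the checkbox label by string concatenation, repeating `_.escape(compName)` three times on one line; the constructor form already used in this file, `$('<tr>', {'data-id': compName})`, sets the attribute through the DOM and cannot be forgotten, and the label can be built the same way with `$('<input>', {type: 'checkbox', 'data-id': 'selectall', 'data-type': compName})` followed by a text node for the name. The lookup on the last line, `this.servicePerms[compName]`, correctly uses the raw name, and code that later reads `data-type` back with `.attr()` receives the decoded value, so escaping does not change matching. `addTr` continues past the end of the hunk.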
diff --git a/security-admin/src/main/webapp/scripts/utils/XAUtils.js
b/security-admin/src/main/webapp/scripts/utils/XAUtils.js
index 3c5907099..cf4afe4c4 100644
--- a/security-admin/src/main/webapp/scripts/utils/XAUtils.js
+++ b/security-admin/src/main/webapp/scripts/utils/XAUtils.js
@@ -213,7 +213,7 @@ define(function(require) {
$.notify({
icon: 'fa-fw fa fa-exclamation-circle',
title: '<strong>Info!</strong>',
- message: text
+ message: _.escape(text)
});
};
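Review bot: Escaping `text` before handing it to `$.notify` changes the contract of this helper for every caller, because bootstrap-notify renders `message` as HTML: a caller that deliberately passes markup (a `<b>` or a line break) will now show the literal tags, and a caller that already escapes its input will be double-escaped (`&amp;lt;`). Grepping the callers of these notify helpers before merging would confirm neither case exists; if some callers legitimately need markup, a separate `notifyHtml` variant is safer than silently escaping here. The same change is applied to the Error and Success variants in the next two hunks. The helper's signature is outside the hunk.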
@@ -231,7 +231,7 @@ define(function(require) {
$.notify({
icon: 'fa-fw fa fa-exclamation-triangle',
title: '<strong>Error!</strong>',
- message: text
+ message: _.escape(text)
},{
type: 'danger',
});
@@ -251,7 +251,7 @@ define(function(require) {
$.notify({
icon: 'fa-fw fa fa-check-circle',
title: '<strong>Success!</strong>',
- message: text
+ message: _.escape(text)
},{
type: 'success'
});
diff --git a/security-admin/src/main/webapp/scripts/views/kms/KMSTableLayout.js
b/security-admin/src/main/webapp/scripts/views/kms/KMSTableLayout.js
index 011649200..9af2512dc 100755
--- a/security-admin/src/main/webapp/scripts/views/kms/KMSTableLayout.js
+++ b/security-admin/src/main/webapp/scripts/views/kms/KMSTableLayout.js
@@ -200,7 +200,7 @@ define(function(require){
fromRaw: function (rawValue) {
var html = '';
_.each(rawValue,
function(val, key) {
- html += key+'
<i class="fa-fw fa fa-long-arrow-right fa-fw fa fa-3"></i> '+val+'<br/>';
+ html +=
_.escape(key)+' <i class="fa-fw fa fa-long-arrow-right fa-fw fa fa-3"></i>
'+_.escape(val)+'<br/>';
});
return html;
}
diff --git
a/security-admin/src/main/webapp/scripts/views/permissions/ModulePermissionForm.js
b/security-admin/src/main/webapp/scripts/views/permissions/ModulePermissionForm.js
index 7b8c4c809..ef3e8f67f 100644
---
a/security-admin/src/main/webapp/scripts/views/permissions/ModulePermissionForm.js
+++
b/security-admin/src/main/webapp/scripts/views/permissions/ModulePermissionForm.js
@@ -138,13 +138,13 @@ define(function(require) {
if(userListData &&!_.isEmpty(userListData)) {
var i , j;
for(var i=0,j=0; i<=j+200 && userListData.length > i; i++){
- that.$el.find('.selectedUserList').append('<span
class="selected-widget"><i class="icon remove fa-fw fa fa-remove"
data-id="'+userListData[i].userId+'"></i> '+userListData[i].userName+'</span>')
+ that.$el.find('.selectedUserList').append('<span
class="selected-widget"><i class="icon remove fa-fw fa fa-remove"
data-id="'+userListData[i].userId+'"></i> '+_.escape(userListData[i].userName)+'</span>')
}
that.$el.find('.selectedUserList').scroll(function(position) {
if (position.currentTarget.scrollHeight <=
(position.currentTarget.clientHeight + position.currentTarget.scrollTop) + 10) {
j = i;
for(i; i<=j+200 && userListData.length > i; i++){
- that.$el.find('.selectedUserList').append('<span
class="selected-widget"><i class="icon remove fa-fw fa fa-remove"
data-id="'+userListData[i].userId+'"></i> '+userListData[i].userName+'</span>')
+ that.$el.find('.selectedUserList').append('<span
class="selected-widget"><i class="icon remove fa-fw fa fa-remove"
data-id="'+userListData[i].userId+'"></i> '+_.escape(userListData[i].userName)+'</span>')
}
that.$el.find('[data-js="selectedUserList"] span
i').on('click', that.removeUser.bind(that));
}
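Review bot: `userName` is now escaped but `userId` on the same line (`data-id="'+userListData[i].userId+'"`) is still interpolated raw into the attribute, in both the initial loop and the scroll-triggered loop; it is presumably a numeric server-assigned id, but `_.escape(userListData[i].userId)` costs nothing and keeps the rule "nothing enters markup unescaped" uniform, which is what makes this code auditable. The group branch in the next hunk has the same shape with `groupId`. Separately, the `.on('click', ...)` bind at the bottom runs inside the scroll handler and is pre-existing, so it may attach duplicate handlers to spans that were already bound; worth a look while here. The enclosing function begins before the hunk.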
@@ -157,13 +157,13 @@ define(function(require) {
if (groupListData && !_.isEmpty(groupListData)) {
var m , n;
for(var m=0,n=0; m<=n+200 && groupListData.length > m; m++){
- that.$el.find('.selectedGroupList').append('<span
class="selected-widget"><i class="icon remove fa-fw fa fa-remove"
data-id="'+groupListData[m].groupId+'"></i> '+groupListData[m].groupName+'</span>')
+ that.$el.find('.selectedGroupList').append('<span
class="selected-widget"><i class="icon remove fa-fw fa fa-remove"
data-id="'+groupListData[m].groupId+'"></i> '+_.escape(groupListData[m].groupName)+'</span>')
}
that.$el.find('.selectedGroupList').scroll(function(position) {
if (position.currentTarget.scrollHeight <=
(position.currentTarget.clientHeight + position.currentTarget.scrollTop) + 10) {
n = m;
for(m; m<=n+200 && groupListData.length > m; m++){
- that.$el.find('.selectedGroupList').append('<span
class="selected-widget"><i class="icon remove fa-fw fa fa-remove"
data-id="'+groupListData[m].groupId+'"></i> '+groupListData[m].groupName+'</span>')
+ that.$el.find('.selectedGroupList').append('<span
class="selected-widget"><i class="icon remove fa-fw fa fa-remove"
data-id="'+groupListData[m].groupId+'"></i> '+_.escape(groupListData[m].groupName)+'</span>')
}
that.$el.find('[data-js="selectedGroupList"] span
i').on('click', that.removeGroup.bind(that));
}
@@ -253,7 +253,7 @@ define(function(require) {
var vals = [],selectedVals = [];
var added = options.textKey == 'groupName' ?
this.addedGroups : this.addedUsers;
if(!_.isEmpty(added)){
- selectedVals = _.map(added, function(obj){
return obj.text; });
+ selectedVals = _.map(added, function(obj){
return _.escape(obj.text); });
}
vals.push.apply(vals , selectedVals);
return vals;
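Review bot: Escaping inside the `_.map` puts HTML entities into the data returned to the caller rather than into rendered markup, which is the wrong layer: a group named `R&D` comes back as `R&amp;D`, and if the caller feeds these values to select2 (which escapes on render by default) or submits them to the server, the text is double-escaped or stored corrupted. This same commit removes exactly this kind of data-layer escaping from the select2 tag objects in RangerPolicyConditions.js, so the two files now follow opposite rules; I would keep the raw `obj.text` here and escape at the point where the value is written into HTML. The enclosing function starts and ends outside the hunk, so the consumer of `vals` is not visible; please confirm against it.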
diff --git
a/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js
b/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js
index ca3db854d..cd3730bba 100644
--- a/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js
+++ b/security-admin/src/main/webapp/scripts/views/policies/PermissionList.js
@@ -347,7 +347,7 @@ define(function(require) {
if(!_.isUndefined(id)){
var obj =
_.findWhere(that.rangerServiceDefModel.attributes.accessTypes,{'name' : id});
permTypeArr.push({permType : obj.value});
- return "<span
class='badge badge-info'>" + obj.label + "</span>";
+ return "<span
class='badge badge-info'>" + _.escape(obj.label) + "</span>";
}
});
var items=[];
@@ -529,7 +529,7 @@ define(function(require) {
if(!_.isUndefined(id)){
var obj =
_.findWhere(srcData,{'value' : id});
permTypeArr.push({permType : obj.value});
- return "<span
class='badge badge-info'>" + id.substr(0,id.indexOf(":")).toUpperCase() +
"</span>";
+ return "<span
class='badge badge-info'>" +
_.escape(id.substr(0,id.indexOf(":"))).toUpperCase() + "</span>";
}
});
var items=[];
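Review bot: `_.escape(...).toUpperCase()` applies `toUpperCase()` to the escaped string, so the entities `_.escape` emits are uppercased too (`&amp;`→`&AMP;`, `&#x27;`→`&#X27;`); browsers accept those legacy uppercase forms today, so it happens to render, but the output then depends on HTML parser leniency rather than on the escaper's guarantee. Swap the order so the escape is the last step before markup: `_.escape(id.substr(0, id.indexOf(":")).toUpperCase())`. The `$(this).html(...)` hunk below and the two hunks in AuditFilterConfig.js have the same ordering. The enclosing callback starts outside the hunk.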
@@ -641,8 +641,8 @@ define(function(require) {
$(this).siblings('[data-id="maskTypeCustom"]').val(" ");
}
- $(this).html("<span class='badge
badge-info'>"+ value.substr(0,value.indexOf(":")).toUpperCase() +" : "
- + obj.text +"</span>");
+ $(this).html("<span class='badge
badge-info'>"+ _.escape(value.substr(0,value.indexOf(":"))).toUpperCase() +" : "
+ + _.escape(obj.text)
+"</span>");
that.ui.addMaskingTypeSpan.find('i').attr('class', 'fa-fw fa fa-pencil');
that.ui.addMaskingTypeSpan.attr('title','edit');
},
@@ -946,7 +946,7 @@ define(function(require) {
$(this).siblings('[data-id="maskTypeCustom"]').val(" ")
}
- $(this).html("<span class='badge
badge-info'>" + obj.text + "</span>");
+ $(this).html("<span class='badge
badge-info'>" + _.escape(obj.text) + "</span>");
that.ui.addMaskingTypeSpan.find('i').attr('class', 'fa-fw fa fa-pencil');
that.ui.addMaskingTypeSpan.attr('title','edit');
},
diff --git
a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyConditions.js
b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyConditions.js
index d6c5295c1..734b9e7af 100644
---
a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyConditions.js
+++
b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyConditions.js
@@ -70,7 +70,7 @@ define(function(require){
if(m.type == inputFieldName){
tag = _.map(m.values.filter(Boolean),
function(val){
if(!_.isEmpty(val)){
- return{'id':_.escape(val),
'text':_.escape(val)}
+ return{'id':val, 'text':val}
}
});
}
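Review bot: Dropping `_.escape` from the `{id, text}` tag objects is only safe if this select2 instance renders `text` through its default `escapeMarkup`; if the options passed to select2 (outside this hunk) define `formatResult`/`formatSelection` returning raw HTML, or set `escapeMarkup` to the identity, a condition value such as `<img src=x onerror=...>` is now inserted unescaped. Please confirm that in the surrounding configuration and add a one-line comment here, e.g. `// values are kept raw; select2's escapeMarkup escapes them at render time`, so the next reader does not reinstate the escape. The enclosing callback starts before the hunk.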
@@ -88,7 +88,7 @@ define(function(require){
callback(tag);
},
createSearchChoice: function(term, data) {
- term = _.escape(term);
+ term = term;
if ($(data).filter(function() {
return this.text.localeCompare(term) === 0;
}).length === 0) {
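Review bot: `term = term;` at the top of `createSearchChoice` is a no-op self-assignment left behind when the escape was removed and should be deleted rather than kept. With the raw term now compared via `this.text.localeCompare(term)`, the match against existing choices is on unescaped text, which is consistent with the previous hunk's tag objects, but the same `escapeMarkup` caveat applies to the choice this callback returns. `createSearchChoice` continues past the end of the hunk.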
diff --git
a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js
b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js
index 118dfe215..394b161ad 100644
--- a/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js
+++ b/security-admin/src/main/webapp/scripts/views/policies/RangerPolicyForm.js
@@ -239,7 +239,7 @@ define(function(require){
_.each(that.model.get('conditions'), function(val){
console.log(that);
var conditionName =
that.rangerServiceDefModel.get('policyConditions').find(function(m){return
m.name == val.type});
- $data.push('<tr><td
width="40%">'+_.escape(conditionName.label)+'</td><td
width="60%">'+(val.values).toString()+'</td></tr>')
+ $data.push('<tr><td
width="40%">'+_.escape(conditionName.label)+'</td><td
width="60%">'+_.escape((val.values).toString())+'</td></tr>')
});
if($data.length > 0){
that.$el.find(that.ui.conditionData).html($data);
diff --git
a/security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js
b/security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js
index 40cfd6d62..6b3894849 100644
---
a/security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js
+++
b/security-admin/src/main/webapp/scripts/views/reports/OperationDiffDetail.js
@@ -243,9 +243,9 @@ define(function(require){
this.collection.each(function(m){
if(m.get('attributeName') == 'Group Name'){
if(m.get('action') == 'create' ||
m.get('action') == 'update')
-
that.newGroupList.push(m.get('parentObjectName'));
+
that.newGroupList.push(_.escape(m.get('parentObjectName')));
if(m.get('action') == 'delete' ||
m.get('action') == 'update')
-
that.previousGroupList.push(m.get('parentObjectName'));
+
that.previousGroupList.push(_.escape(m.get('parentObjectName')));
modelArr.push(m);
} else if(m.get('attributeName') == 'User
Role'){
var newRole;
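Review bot: Pushing `_.escape(m.get('parentObjectName'))` into `newGroupList`/`previousGroupList` escapes at collection time, so whether this is correct depends on how those arrays are rendered, which is outside the hunk: if the template already escapes (Handlebars `{{...}}`, or a view using `.text()`), names containing `&`, `'` or `<` will now display double-escaped, and if the arrays are ever compared or submitted they no longer equal the stored names. Escaping at the single render site and leaving collected data raw is the safer rule. Please check the consumer, and if escaping here is intentional, add `// escaped here because the diff view inserts these names as HTML` so the reason survives.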
diff --git
a/security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js
b/security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js
index ebdd2a0b2..b7bae7b1b 100644
--- a/security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js
+++ b/security-admin/src/main/webapp/scripts/views/reports/UserAccessLayout.js
@@ -384,9 +384,9 @@ define(function(require) {'use strict';
var access_str = '';
_.each(model.get('accesses'),function(access,index){
if(index < 4){
-
access_str += '<span class="badge badge-info cellWidth-1 float-left-margin-2"
access-policy-id="'+model.cid+'" style="">' + access.type+'</span>' + " ";
+
access_str += '<span class="badge badge-info cellWidth-1 float-left-margin-2"
access-policy-id="'+model.cid+'" style="">' + _.escape(access.type)+'</span>'
+ " ";
} else {
-
access_str += '<span class="badge badge-info cellWidth-1 float-left-margin-2"
access-policy-id="'+model.cid+'" style="display:none">' +
access.type+'</span>'+ " ";
+
access_str += '<span class="badge badge-info cellWidth-1 float-left-margin-2"
access-policy-id="'+model.cid+'" style="display:none">' +
_.escape(access.type)+'</span>'+ " ";
}
});
if(model.get('accesses').length > 4) {
@@ -566,7 +566,7 @@ define(function(require) {'use strict';
fromRaw: function (rawValue,
model) {
var labels ="";
if(!_.isUndefined(rawValue) && rawValue.length != 0){
- return '<span
class="badge badge-dark" style="float:inherit;">'+rawValue+'</span>'
+ return '<span
class="badge badge-dark" style="float:inherit;">'+_.escape(rawValue)+'</span>'
}else{
return '<span
style="float:inherit;">'+"--"+'</span>';
}
diff --git
a/security-admin/src/main/webapp/scripts/views/service/AuditFilterConfig.js
b/security-admin/src/main/webapp/scripts/views/service/AuditFilterConfig.js
index 27e2aaecb..c518cb2de 100644
--- a/security-admin/src/main/webapp/scripts/views/service/AuditFilterConfig.js
+++ b/security-admin/src/main/webapp/scripts/views/service/AuditFilterConfig.js
@@ -184,7 +184,7 @@ define(function(require) {
if(!_.isUndefined(id)){
var obj =
_.findWhere(that.rangerServiceDefModel.attributes.accessTypes,{'name' : id});
permTypeArr.push({permType : obj.value});
- return "<span class='badge badge-info'>" +
obj.label + "</span>";
+ return "<span class='badge badge-info'>" +
_.escape(obj.label) + "</span>";
}
});
that.model.set('accessTypes', values);
@@ -269,7 +269,7 @@ define(function(require) {
if(!_.isUndefined(id)){
var obj = _.findWhere(srcData,{'value' : id});
permTypeArr.push({permType : obj.value});
- return "<span class='badge badge-info'>" +
id.substr(0,id.indexOf(":")).toUpperCase() + "</span>";
+ return "<span class='badge badge-info'>" +
_.escape(id.substr(0,id.indexOf(":"))).toUpperCase() + "</span>";
}
});
// Save form data to model
@@ -391,7 +391,7 @@ define(function(require) {
var isRecursive = key.isRecursive ?
XAEnums.RecursiveStatus.STATUS_RECURSIVE.label :
XAEnums.RecursiveStatus.STATUS_NONRECURSIVE.label;
$toggleBtn += '<span class="badge badge-dark
pull-right">'+isRecursive+'</span>'
}
- $dataResources += '<div class="resourcesFilter"><div><b>'
+ value + '</b>:' + key.values.join(', ') +'</div>' + $toggleBtn +'</div>'
+ $dataResources += '<div class="resourcesFilter"><div><b>'
+ value + '</b>:' + _.escape(key.values.join(', ')) +'</div>' + $toggleBtn
+'</div>'
})
$dataResources += '</div>'
this.$el.find('.js-formInput').html($dataResources);
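Review bot: `_.escape` now covers `key.values.join(', ')` but `value` on the same line (`'<b>' + value + '</b>:'`) is still concatenated raw into the same HTML string; it appears to be the resource name taken from the service definition rather than a constant, so it should get the same treatment: `'<b>' + _.escape(value) + '</b>:'`. `isRecursive` comes from `XAEnums` labels and is fine as is. The `_.each` callback that builds `$dataResources` begins before the hunk.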
diff --git
a/security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js
b/security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js
index d443327c8..700e4b8b0 100755
--- a/security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js
+++ b/security-admin/src/main/webapp/scripts/views/users/UserTableLayout.js
@@ -631,7 +631,7 @@ define(function(require){
sortable : false,
formatter : _.extend({}, Backgrid.CellFormatter.prototype,
{
fromRaw : function (rawValue,model) {
- return ('<div align="center"><button
class="userViewicon" title = "View Users" data-js="showUserList" data-name="' +
model.get('name')
+ return ('<div align="center"><button
class="userViewicon" title = "View Users" data-js="showUserList" data-name="' +
_.escape(model.get('name'))
+ '" data-id="' + model.id + '"<font
color="black"><i class="fa-fw fa fa-group"> </i></font></button></div>');
}
}),
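Review bot: The `<button>` start tag in this formatter is never closed: the new line ends the `data-name` attribute and the continuation on the next context line is `'" data-id="' + model.id + '"<font color="black">…'`, so `<font` follows the `data-id` value directly and only HTML error recovery turns it into a child of the button. Add the missing `>` after the `data-id` value, `'" data-id="' + model.id + '"><font color="black">…'`, and since this is a security-motivated pass consider `_.escape(model.id)` as well for uniformity even though the id is presumably numeric. `<font>` is an obsolete element; a class on the `<i>` would do the same job. Code that reads `data-name` back via `.attr()`/`.data()` receives the decoded name, so lookups are unaffected by the escape.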