This is an automated email from the ASF dual-hosted git repository.
jongyoul pushed a commit to branch branch-0.11
in repository https://gitbox.apache.org/repos/asf/zeppelin.git
commit ca178c11c7ce1e7647652b3c47ba965d8c2375da
Author: Jongyoul Lee <jongy...@gmail.com>
AuthorDate: Sun Mar 10 12:38:17 2024 +0900
[HOTFIX] Escape HeliumPackage information (#4728)
(cherry picked from commit 83685795e0ec8d3059fd7a3dbcae5c0532b63b79)
---
.../org/apache/zeppelin/helium/HeliumPackage.java | 45 +++++++++++++++++++++-
.../apache/zeppelin/helium/SpellPackageInfo.java | 5 +++
.../zeppelin/helium/ApplicationLoaderTest.java | 3 +-
.../apache/zeppelin/helium/HeliumPackageTest.java | 3 +-
.../apache/zeppelin/rest/HeliumRestApiTest.java | 5 ++-
.../helium/HeliumApplicationFactoryTest.java | 9 +++--
.../zeppelin/helium/HeliumBundleFactoryTest.java | 13 ++++---
.../zeppelin/helium/HeliumLocalRegistryTest.java | 3 +-
.../org/apache/zeppelin/helium/HeliumTest.java | 9 +++--
9 files changed, 74 insertions(+), 21 deletions(-)
diff --git
a/zeppelin-interpreter/src/main/java/org/apache/zeppelin/helium/HeliumPackage.java
b/zeppelin-interpreter/src/main/java/org/apache/zeppelin/helium/HeliumPackage.java
index e9995c1066..51b0fcbe51 100644
---
a/zeppelin-interpreter/src/main/java/org/apache/zeppelin/helium/HeliumPackage.java
+++
b/zeppelin-interpreter/src/main/java/org/apache/zeppelin/helium/HeliumPackage.java
@@ -17,10 +17,16 @@
package org.apache.zeppelin.helium;
import com.google.gson.Gson;
+import org.apache.commons.text.StringEscapeUtils;
import org.apache.zeppelin.annotation.Experimental;
import org.apache.zeppelin.common.JsonSerializable;
+import java.util.Arrays;
+import java.util.HashMap;
import java.util.Map;
+import java.util.Optional;
+
+import static org.apache.commons.text.StringEscapeUtils.escapeHtml4;
/**
* Helium package definition
@@ -47,7 +53,7 @@ public class HeliumPackage implements JsonSerializable {
private SpellPackageInfo spell;
private Map<String, Object> config;
- public HeliumPackage(HeliumType type,
+ private HeliumPackage(HeliumType type,
String name,
String description,
String artifact,
@@ -140,6 +146,41 @@ public class HeliumPackage implements JsonSerializable {
}
public static HeliumPackage fromJson(String json) {
- return gson.fromJson(json, HeliumPackage.class);
+ return preventXss(gson.fromJson(json, HeliumPackage.class));
+ }
+
+ // This is only for test
+ public static HeliumPackage newHeliumPackage(HeliumType type,
+ String name,
+ String description,
+ String artifact,
+ String className,
+ String[][] resources,
+ String license,
+ String icon) {
+ return preventXss(new HeliumPackage(
+ type, name, description, artifact, className, resources, license,
icon));
+ }
+
+ private static HeliumPackage preventXss(HeliumPackage heliumPackage) {
+ heliumPackage.name = escapeHtml4(heliumPackage.name);
+ heliumPackage.description = escapeHtml4(heliumPackage.description);
+ heliumPackage.artifact = escapeHtml4(heliumPackage.artifact);
+ heliumPackage.className = escapeHtml4(heliumPackage.className);
+ heliumPackage.resources =
+ Optional.ofNullable(heliumPackage.getResources()).map(r ->
Arrays.stream(r)
+ .map(resource ->
Arrays.stream(resource).map(StringEscapeUtils::escapeHtml4)
+ .toArray(String[]::new))
+ .toArray(String[][]::new)).orElse(null);
+ heliumPackage.license = escapeHtml4(heliumPackage.license);
+ heliumPackage.published = escapeHtml4(heliumPackage.published);
+ heliumPackage.groupId = escapeHtml4(heliumPackage.groupId);
+ heliumPackage.artifactId = escapeHtml4(heliumPackage.artifactId);
+ heliumPackage.spell = Optional.ofNullable(heliumPackage.getSpellInfo())
+ .map(spellPackageInfo -> new SpellPackageInfo(
+ escapeHtml4(spellPackageInfo.getMagic()),
+ escapeHtml4(spellPackageInfo.getUsage())))
+ .orElse(null);
+ return heliumPackage;
}
}
diff --git
a/zeppelin-interpreter/src/main/java/org/apache/zeppelin/helium/SpellPackageInfo.java
b/zeppelin-interpreter/src/main/java/org/apache/zeppelin/helium/SpellPackageInfo.java
index 519d09d70e..52e17dbd3f 100644
---
a/zeppelin-interpreter/src/main/java/org/apache/zeppelin/helium/SpellPackageInfo.java
+++
b/zeppelin-interpreter/src/main/java/org/apache/zeppelin/helium/SpellPackageInfo.java
@@ -24,6 +24,11 @@ public class SpellPackageInfo {
private String magic;
private String usage;
+ public SpellPackageInfo(String magic, String usage) {
+ this.magic = magic;
+ this.usage = usage;
+ }
+
public String getMagic() {
return magic;
}
diff --git
a/zeppelin-interpreter/src/test/java/org/apache/zeppelin/helium/ApplicationLoaderTest.java
b/zeppelin-interpreter/src/test/java/org/apache/zeppelin/helium/ApplicationLoaderTest.java
index 21d3d751b8..52508b48dd 100644
---
a/zeppelin-interpreter/src/test/java/org/apache/zeppelin/helium/ApplicationLoaderTest.java
+++
b/zeppelin-interpreter/src/test/java/org/apache/zeppelin/helium/ApplicationLoaderTest.java
@@ -25,6 +25,7 @@ import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
+import static org.apache.zeppelin.helium.HeliumPackage.newHeliumPackage;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;
@@ -74,7 +75,7 @@ class ApplicationLoaderTest {
}
public HeliumPackage createPackageInfo(String className, String artifact) {
- HeliumPackage app1 = new HeliumPackage(
+ HeliumPackage app1 = newHeliumPackage(
HeliumType.APPLICATION,
"name1",
"desc1",
diff --git
a/zeppelin-interpreter/src/test/java/org/apache/zeppelin/helium/HeliumPackageTest.java
b/zeppelin-interpreter/src/test/java/org/apache/zeppelin/helium/HeliumPackageTest.java
index 1d168d1448..4efeda7dca 100644
---
a/zeppelin-interpreter/src/test/java/org/apache/zeppelin/helium/HeliumPackageTest.java
+++
b/zeppelin-interpreter/src/test/java/org/apache/zeppelin/helium/HeliumPackageTest.java
@@ -17,6 +17,7 @@
package org.apache.zeppelin.helium;
+import static org.apache.commons.text.StringEscapeUtils.escapeHtml4;
import static org.junit.jupiter.api.Assertions.assertEquals;
import java.util.Map;
@@ -42,7 +43,7 @@ class HeliumPackageTest {
HeliumPackage p = HeliumPackage.fromJson(examplePackage);
assertEquals("%echo", p.getSpellInfo().getMagic());
- assertEquals("%echo <TEXT>", p.getSpellInfo().getUsage());
+ assertEquals(escapeHtml4("%echo <TEXT>"), p.getSpellInfo().getUsage());
}
@Test
diff --git
a/zeppelin-server/src/test/java/org/apache/zeppelin/rest/HeliumRestApiTest.java
b/zeppelin-server/src/test/java/org/apache/zeppelin/rest/HeliumRestApiTest.java
index 87af88507f..ed74641892 100644
---
a/zeppelin-server/src/test/java/org/apache/zeppelin/rest/HeliumRestApiTest.java
+++
b/zeppelin-server/src/test/java/org/apache/zeppelin/rest/HeliumRestApiTest.java
@@ -36,6 +36,7 @@ import java.util.List;
import java.util.Map;
import java.util.Set;
+import static org.apache.zeppelin.helium.HeliumPackage.newHeliumPackage;
import static org.hamcrest.MatcherAssert.assertThat;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertTrue;
@@ -64,7 +65,7 @@ class HeliumRestApiTest extends AbstractTestRestApi {
HeliumTestRegistry registry = new HeliumTestRegistry("r1", "r1");
helium.clear();
- registry.add(new HeliumPackage(
+ registry.add(newHeliumPackage(
HeliumType.APPLICATION,
"name1",
"desc1",
@@ -74,7 +75,7 @@ class HeliumRestApiTest extends AbstractTestRestApi {
"",
""));
- registry.add(new HeliumPackage(
+ registry.add(newHeliumPackage(
HeliumType.APPLICATION,
"name2",
"desc2",
diff --git
a/zeppelin-zengine/src/test/java/org/apache/zeppelin/helium/HeliumApplicationFactoryTest.java
b/zeppelin-zengine/src/test/java/org/apache/zeppelin/helium/HeliumApplicationFactoryTest.java
index 95a3858885..574b4e2255 100644
---
a/zeppelin-zengine/src/test/java/org/apache/zeppelin/helium/HeliumApplicationFactoryTest.java
+++
b/zeppelin-zengine/src/test/java/org/apache/zeppelin/helium/HeliumApplicationFactoryTest.java
@@ -16,6 +16,7 @@
*/
package org.apache.zeppelin.helium;
+import static org.apache.zeppelin.helium.HeliumPackage.newHeliumPackage;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.fail;
import static org.mockito.Mockito.mock;
@@ -90,7 +91,7 @@ public class HeliumApplicationFactoryTest extends
AbstractInterpreterTest {
public void testLoadRunUnloadApplication()
throws IOException, ApplicationException, InterruptedException {
// given
- HeliumPackage pkg1 = new HeliumPackage(HeliumType.APPLICATION,
+ HeliumPackage pkg1 = newHeliumPackage(HeliumType.APPLICATION,
"name1",
"desc1",
"",
@@ -139,7 +140,7 @@ public class HeliumApplicationFactoryTest extends
AbstractInterpreterTest {
@Disabled
public void testUnloadOnParagraphRemove() throws IOException {
// given
- HeliumPackage pkg1 = new HeliumPackage(HeliumType.APPLICATION,
+ HeliumPackage pkg1 = newHeliumPackage(HeliumType.APPLICATION,
"name1",
"desc1",
"",
@@ -182,7 +183,7 @@ public class HeliumApplicationFactoryTest extends
AbstractInterpreterTest {
@Disabled
public void testUnloadOnInterpreterUnbind() throws IOException {
// given
- HeliumPackage pkg1 = new HeliumPackage(HeliumType.APPLICATION,
+ HeliumPackage pkg1 = newHeliumPackage(HeliumType.APPLICATION,
"name1",
"desc1",
"",
@@ -249,7 +250,7 @@ public class HeliumApplicationFactoryTest extends
AbstractInterpreterTest {
@Disabled
public void testUnloadOnInterpreterRestart() throws IOException,
InterpreterException {
// given
- HeliumPackage pkg1 = new HeliumPackage(HeliumType.APPLICATION,
+ HeliumPackage pkg1 = newHeliumPackage(HeliumType.APPLICATION,
"name1",
"desc1",
"",
diff --git
a/zeppelin-zengine/src/test/java/org/apache/zeppelin/helium/HeliumBundleFactoryTest.java
b/zeppelin-zengine/src/test/java/org/apache/zeppelin/helium/HeliumBundleFactoryTest.java
index 9c84251ee7..00f5bb0058 100644
---
a/zeppelin-zengine/src/test/java/org/apache/zeppelin/helium/HeliumBundleFactoryTest.java
+++
b/zeppelin-zengine/src/test/java/org/apache/zeppelin/helium/HeliumBundleFactoryTest.java
@@ -17,6 +17,7 @@
package org.apache.zeppelin.helium;
import static org.apache.zeppelin.helium.HeliumBundleFactory.HELIUM_LOCAL_REPO;
+import static org.apache.zeppelin.helium.HeliumPackage.newHeliumPackage;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertNotSame;
import static org.junit.jupiter.api.Assertions.assertNull;
@@ -72,7 +73,7 @@ public class HeliumBundleFactoryTest {
@Test
public void downloadPackage() throws TaskRunnerException {
HeliumPackage pkg =
- new HeliumPackage(
+ newHeliumPackage(
HeliumType.VISUALIZATION,
"lodash",
"lodash",
@@ -89,7 +90,7 @@ public class HeliumBundleFactoryTest {
@Test
public void bundlePackage() throws IOException, TaskRunnerException {
HeliumPackage pkg =
- new HeliumPackage(
+ newHeliumPackage(
HeliumType.VISUALIZATION,
"zeppelin-bubblechart",
"zeppelin-bubblechart",
@@ -114,7 +115,7 @@ public class HeliumBundleFactoryTest {
String localPkg = resDir + "/../../../src/test/resources/helium/vis1";
HeliumPackage pkg =
- new HeliumPackage(
+ newHeliumPackage(
HeliumType.VISUALIZATION,
"vis1",
"vis1",
@@ -135,7 +136,7 @@ public class HeliumBundleFactoryTest {
String localPkg = resDir + "/../../../src/test/resources/helium/vis2";
HeliumPackage pkg =
- new HeliumPackage(
+ newHeliumPackage(
HeliumType.VISUALIZATION,
"vis2",
"vis2",
@@ -161,7 +162,7 @@ public class HeliumBundleFactoryTest {
String resDir = new File(res.getFile()).getParent();
HeliumPackage pkgV1 =
- new HeliumPackage(
+ newHeliumPackage(
HeliumType.VISUALIZATION,
"zeppelin-bubblechart",
"zeppelin-bubblechart",
@@ -172,7 +173,7 @@ public class HeliumBundleFactoryTest {
"icon");
HeliumPackage pkgV2 =
- new HeliumPackage(
+ newHeliumPackage(
HeliumType.VISUALIZATION,
"zeppelin-bubblechart",
"zeppelin-bubblechart",
diff --git
a/zeppelin-zengine/src/test/java/org/apache/zeppelin/helium/HeliumLocalRegistryTest.java
b/zeppelin-zengine/src/test/java/org/apache/zeppelin/helium/HeliumLocalRegistryTest.java
index 972e461ffb..328656a58d 100644
---
a/zeppelin-zengine/src/test/java/org/apache/zeppelin/helium/HeliumLocalRegistryTest.java
+++
b/zeppelin-zengine/src/test/java/org/apache/zeppelin/helium/HeliumLocalRegistryTest.java
@@ -25,6 +25,7 @@ import org.junit.jupiter.api.Test;
import java.io.File;
import java.io.IOException;
+import static org.apache.zeppelin.helium.HeliumPackage.newHeliumPackage;
import static org.junit.jupiter.api.Assertions.assertEquals;
public class HeliumLocalRegistryTest {
@@ -50,7 +51,7 @@ public class HeliumLocalRegistryTest {
// when
Gson gson = new Gson();
- HeliumPackage pkg1 = new HeliumPackage(HeliumType.APPLICATION,
+ HeliumPackage pkg1 = newHeliumPackage(HeliumType.APPLICATION,
"app1",
"desc1",
"artifact1",
diff --git
a/zeppelin-zengine/src/test/java/org/apache/zeppelin/helium/HeliumTest.java
b/zeppelin-zengine/src/test/java/org/apache/zeppelin/helium/HeliumTest.java
index 021e6cb786..384103c262 100644
--- a/zeppelin-zengine/src/test/java/org/apache/zeppelin/helium/HeliumTest.java
+++ b/zeppelin-zengine/src/test/java/org/apache/zeppelin/helium/HeliumTest.java
@@ -26,6 +26,7 @@ import java.io.File;
import java.io.IOException;
import java.net.URISyntaxException;
+import static org.apache.zeppelin.helium.HeliumPackage.newHeliumPackage;
import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;
@@ -77,7 +78,7 @@ public class HeliumTest {
helium.addRegistry(registry2);
// when
- registry1.add(new HeliumPackage(
+ registry1.add(newHeliumPackage(
HeliumType.APPLICATION,
"name1",
"desc1",
@@ -87,7 +88,7 @@ public class HeliumTest {
"",
""));
- registry2.add(new HeliumPackage(
+ registry2.add(newHeliumPackage(
HeliumType.APPLICATION,
"name2",
"desc2",
@@ -110,7 +111,7 @@ public class HeliumTest {
helium.addRegistry(registry1);
// when
- registry1.add(new HeliumPackage(
+ registry1.add(newHeliumPackage(
HeliumType.APPLICATION,
"name1",
"desc1",
@@ -124,7 +125,7 @@ public class HeliumTest {
assertEquals(1, helium.getAllPackageInfo().size());
// when
- registry1.add(new HeliumPackage(
+ registry1.add(newHeliumPackage(
HeliumType.APPLICATION,
"name2",
"desc2",
