YARN-1932. Javascript injection on the job status page. Contributed b…

…y Mit Desai git-svn-id: https://svn.apache.org/repos/asf/hadoop/common/trunk@1588572 13f79535-47bb-0310-9956-ffa450edef68
serhiy · Apr 18, 2014 · d667df4 · d667df4
1 parent 8d569c2
commit d667df4
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 2 deletions.
diff --git a/hadoop-yarn-project/CHANGES.txt b/hadoop-yarn-project/CHANGES.txt
@@ -147,6 +147,9 @@ Release 2.4.1 - UNRELEASED
     YARN-1281. Fixed TestZKRMStateStoreZKClientConnections to not fail
     intermittently due to ZK-client timeouts. (Tsuyoshi Ozawa via vinodkv) 
 
+    YARN-1932. Javascript injection on the job status page (Mit Desai via
+    jlowe)
+
 Release 2.4.0 - 2014-04-07 
 
   INCOMPATIBLE CHANGES

diff --git a/...p-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/InfoBlock.java b/...p-yarn/hadoop-yarn-common/src/main/java/org/apache/hadoop/yarn/webapp/view/InfoBlock.java
@@ -62,11 +62,11 @@ public class InfoBlock extends HtmlBlock {
         	DIV<TD<TR<TABLE<DIV<Hamlet>>>>> singleLineDiv;
             for ( String line :lines) {
               singleLineDiv = td.div();
-              singleLineDiv._r(line);
+              singleLineDiv._(line);
               singleLineDiv._();
             }
           } else {
-            td._r(value);
+            td._(value);
           }
           td._();
         } else {

diff --git a/...rn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/webapp/view/TestInfoBlock.java b/...rn/hadoop-yarn-common/src/test/java/org/apache/hadoop/yarn/webapp/view/TestInfoBlock.java
@@ -21,6 +21,7 @@
 import java.io.PrintWriter;
 import java.io.StringWriter;
 
+import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 
 import org.apache.hadoop.yarn.webapp.ResponseInfo;
@@ -34,6 +35,33 @@ public class TestInfoBlock {
 
   public static PrintWriter pw;
 
+  static final String JAVASCRIPT = "<script>alert('text')</script>";
+  static final String JAVASCRIPT_ESCAPED =
+      "&lt;script&gt;alert('text')&lt;/script&gt;";
+
+  public static class JavaScriptInfoBlock extends InfoBlock{
+
+    static ResponseInfo resInfo;
+
+    static {
+      resInfo = new ResponseInfo();
+      resInfo._("User_Name", JAVASCRIPT);
+    }
+
+    @Override
+    public PrintWriter writer() {
+      return TestInfoBlock.pw;
+    }
+
+    JavaScriptInfoBlock(ResponseInfo info) {
+      super(resInfo);
+    }
+
+    public JavaScriptInfoBlock() {
+      super(resInfo);
+    }
+  }
+
   public static class MultilineInfoBlock extends InfoBlock{
 
     static ResponseInfo resInfo;
@@ -78,4 +106,13 @@ public void testMultilineInfoBlock() throws Exception{
       + " This is second line.%n </div>%n");
     assertTrue(output.contains(expectedSinglelineData) && output.contains(expectedMultilineData));
   }
+
+  @Test(timeout=60000L)
+  public void testJavaScriptInfoBlock() throws Exception{
+    WebAppTests.testBlock(JavaScriptInfoBlock.class);
+    TestInfoBlock.pw.flush();
+    String output = TestInfoBlock.sw.toString();
+    assertFalse(output.contains("<script>"));
+    assertTrue(output.contains(JAVASCRIPT_ESCAPED));
+  }
 }