GEODE-10411: fix XSS vulnerability in pulse (apache#7836)

* GEODE-10411: fix XSS vulnerability in pulse - html encode data coming from Geode queries - add cookie parameters to increase browsing security * Fix spotless check errors
marcoman · Aug 26, 2022 · 1e6f850 · 1e6f850
1 parent de7834a
commit 1e6f850
Show file tree

Hide file tree

Showing 8 changed files with 234 additions and 132 deletions.
diff --git a/...-pulse-test/src/main/java/org/apache/geode/tools/pulse/tests/DataBrowserResultLoader.java b/...-pulse-test/src/main/java/org/apache/geode/tools/pulse/tests/DataBrowserResultLoader.java
@@ -17,13 +17,11 @@
 package org.apache.geode.tools.pulse.tests;
 
 import java.io.BufferedReader;
-import java.io.File;
-import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
-import java.net.URL;
 import java.nio.charset.StandardCharsets;
+import java.util.stream.Collectors;
 
 public class DataBrowserResultLoader {
   /* Constants for executing Data Browser queries */
@@ -33,7 +31,8 @@ public class DataBrowserResultLoader {
   public static final String QUERY_TYPE_FOUR = "query4";
   public static final String QUERY_TYPE_FIVE = "query5";
   public static final String QUERY_TYPE_SIX = "query6";
-  public static final String QUERY_TYPE_SEVENE = "query7";
+  public static final String QUERY_TYPE_SEVEN = "query7";
+  public static final String QUERY_TYPE_EIGHT = "query8";
 
   private static final DataBrowserResultLoader dbResultLoader = new DataBrowserResultLoader();
 
@@ -43,41 +42,46 @@ public static DataBrowserResultLoader getInstance() {
 
   public String load(String queryString) throws IOException {
 
-    URL url = null;
-    InputStream inputStream = null;
-    BufferedReader streamReader = null;
-    String inputStr = null;
-    StringBuilder sampleQueryResultResponseStrBuilder = null;
+    String fileName;
+    String fileContent = "";
 
     try {
-      ClassLoader classLoader = Thread.currentThread().getContextClassLoader();
 
-      if (queryString.equals(QUERY_TYPE_ONE)) {
-        url = classLoader.getResource("testQueryResultClusterSmall.txt");
-      } else if (queryString.equals(QUERY_TYPE_TWO)) {
-        url = classLoader.getResource("testQueryResultSmall.txt");
-      } else if (queryString.equals(QUERY_TYPE_THREE)) {
-        url = classLoader.getResource("testQueryResult.txt");
-      } else if (queryString.equals(QUERY_TYPE_FOUR)) {
-        url = classLoader.getResource("testQueryResultWithStructSmall.txt");
-      } else if (queryString.equals(QUERY_TYPE_FIVE)) {
-        url = classLoader.getResource("testQueryResultClusterWithStruct.txt");
-      } else if (queryString.equals(QUERY_TYPE_SIX)) {
-        url = classLoader.getResource("testQueryResultHashMapSmall.txt");
-      } else if (queryString.equals(QUERY_TYPE_SEVENE)) {
-        url = classLoader.getResource("testQueryResult1000.txt");
-      } else {
-        url = classLoader.getResource("testQueryResult.txt");
+      switch (queryString) {
+        case QUERY_TYPE_ONE:
+          fileName = "testQueryResultClusterSmall.txt";
+          break;
+        case QUERY_TYPE_TWO:
+          fileName = "testQueryResultSmall.txt";
+          break;
+        case QUERY_TYPE_THREE:
+          fileName = "testQueryResult.txt";
+          break;
+        case QUERY_TYPE_FOUR:
+          fileName = "testQueryResultWithStructSmall.txt";
+          break;
+        case QUERY_TYPE_FIVE:
+          fileName = "testQueryResultClusterWithStruct.txt";
+          break;
+        case QUERY_TYPE_SIX:
+          fileName = "testQueryResultHashMapSmall.txt";
+          break;
+        case QUERY_TYPE_SEVEN:
+          fileName = "testQueryResult1000.txt";
+          break;
+        case QUERY_TYPE_EIGHT:
+          fileName = "testQueryResultClusterSmallJSInject.txt";
+          break;
+        default:
+          fileName = "testQueryResult.txt";
+          break;
       }
 
-      File sampleQueryResultFile = new File(url.getPath());
-      inputStream = new FileInputStream(sampleQueryResultFile);
-      streamReader = new BufferedReader(new InputStreamReader(inputStream, StandardCharsets.UTF_8));
-      sampleQueryResultResponseStrBuilder = new StringBuilder();
-
-      while ((inputStr = streamReader.readLine()) != null) {
-        sampleQueryResultResponseStrBuilder.append(inputStr);
-      }
+      InputStream inputStream = getClass().getResourceAsStream("/" + fileName);
+      assert inputStream != null;
+      BufferedReader streamReader =
+          new BufferedReader(new InputStreamReader(inputStream, StandardCharsets.UTF_8));
+      fileContent = streamReader.lines().collect(Collectors.joining(System.lineSeparator()));
 
       // close stream reader
       streamReader.close();
@@ -86,6 +90,6 @@ public String load(String queryString) throws IOException {
       ex.printStackTrace();
     }
 
-    return sampleQueryResultResponseStrBuilder.toString();
+    return fileContent;
   }
 }
diff --git a/...ulse/geode-pulse-test/src/main/java/org/apache/geode/tools/pulse/tests/PulseTestData.java b/...ulse/geode-pulse-test/src/main/java/org/apache/geode/tools/pulse/tests/PulseTestData.java
@@ -94,13 +94,14 @@ public static class DataBrowser {
     public static final String partialRgnName = "R";
     public static final String chkRgnClassName = "bttn chk checkbox_true_full";
     public static final String notChkRgnClassName = "bttn chk checkbox_false_full";
+    public static final String resultClusterHeadingsXPath = "//div[@id='clusterDetails']/div/div";
+    public static final String resultClusterCellXPath =
+        "//tr/td[contains(@title, '<script>alert')]";
 
     public static final String regName = "R1";
     public static final String query1Text = "select * from " + SEPARATOR + "R1";
 
     public static final String datePattern = "EEE, MMM dd yyyy, HH:mm:ss z";
 
   }
-
-
 }
diff --git a/geode-pulse/geode-pulse-test/src/main/resources/testQueryResultClusterSmallJSInject.txt b/geode-pulse/geode-pulse-test/src/main/resources/testQueryResultClusterSmallJSInject.txt
@@ -0,0 +1,23 @@
+{"result":[
+    ["org.apache.geode.cache.query.data.PortfolioDummy",
+     {"type":["java.lang.String","type0"],"ID":["int",0],"active":["boolean",true],"pk":["java.lang.String","0"],"collectionHolderMapDummy":["java.util.HashMap",{"3":["org.apache.geode.cache.query.data.CollectionHolder",{"arr":["java.lang.String[]",["0","1","2","3","4","SUN","IBM","YHOO","GOOG","MSFT"]]}],"2":["org.apache.geode.cache.query.data.CollectionHolder",{"arr":["java.lang.String[]",["0","1","2","3","4","SUN","IBM","YHOO","GOOG","MSFT"]]}],"1":["org.apache.geode.cache.query.data.CollectionHolder",{"arr":["java.lang.String[]",["0","1","2","3","4","SUN","IBM","YHOO","GOOG","MSFT"]]}],"0":["org.apache.geode.cache.query.data.CollectionHolder",{"arr":["java.lang.String[]",["0","1","2","3","4","SUN","IBM","YHOO","GOOG","MSFT"]]}]}],"createTime":["long",0],"positions":["java.util.HashMap",{"YHOO":["org.apache.geode.cache.query.data.Position",{"id":["int",2],"secId":["java.lang.String","YHOO"],"mktValue":["double",3],"sharesOutstanding":["double",2000],"col":["java.util.HashSet",[["java.lang.String","1"],["java.lang.String","0"]]]}],"IBM":["org.apache.geode.cache.query.data.Position",{"id":["int",1],"secId":["java.lang.String","IBM"],"mktValue":["double",2],"sharesOutstanding":["double",1000],"col":["java.util.HashSet",[["java.lang.String","1"],["java.lang.String","0"]]]}]}],"p1":["org.apache.geode.cache.query.data.Position",{"id":["int",0],"secId":["java.lang.String","SUN"],"mktValue":["double",1],"sharesOutstanding":["double",0],"col":["java.util.HashSet",[["java.lang.String","1"],["java.lang.String","0"]]]}],"p2":null,"floatMinValue":["float",1.4E-45],"longMinValue":["float",-9.223372E18],"doubleMinValue":["double",4.9E-324]}],
+
+    ["org.apache.geode.cache.query.data.Portfolio",
+     {"type":["java.lang.String","type0"],"ID":["int",0],"active":["boolean",true],"pk":["java.lang.String","0"],"collectionHolderMap":["java.util.HashMap",{"3":["org.apache.geode.cache.query.data.CollectionHolder",{"arr":["java.lang.String[]",["0","1","2","3","4","SUN","IBM","YHOO","GOOG","MSFT"]]}],"2":["org.apache.geode.cache.query.data.CollectionHolder",{"arr":["java.lang.String[]",["0","1","2","3","4","SUN","IBM","YHOO","GOOG","MSFT"]]}],"1":["org.apache.geode.cache.query.data.CollectionHolder",{"arr":["java.lang.String[]",["0","1","2","3","4","SUN","IBM","YHOO","GOOG","MSFT"]]}],"0":["org.apache.geode.cache.query.data.CollectionHolder",{"arr":["java.lang.String[]",["0","1","2","3","4","SUN","IBM","YHOO","GOOG","MSFT"]]}]}],"createTime":["long",0],"positions":["java.util.HashMap",{"YHOO":["org.apache.geode.cache.query.data.Position",{"id":["int",2],"secId":["java.lang.String","YHOO"],"mktValue":["double",3],"sharesOutstanding":["double",2000],"col":["java.util.HashSet",[["java.lang.String","1"],["java.lang.String","0"]]]}],"IBM":["org.apache.geode.cache.query.data.Position",{"id":["int",1],"secId":["java.lang.String","IBM"],"mktValue":["double",2],"sharesOutstanding":["double",1000],"col":["java.util.HashSet",[["java.lang.String","1"],["java.lang.String","0"]]]}]}],"p1":["org.apache.geode.cache.query.data.Position",{"id":["int",0],"secId":["java.lang.String","SUN"],"mktValue":["double",1],"sharesOutstanding":["double",0],"col":["java.util.HashSet",[["java.lang.String","1"],["java.lang.String","0"]]]}],"p2":null,"floatMinValue":["float",1.4E-45],"longMinValue":["float",-9.223372E18],"doubleMinValue":["double",4.9E-324]}],
+
+    ["org.apache.geode.cache.query.data.Portfolio",
+     {"type":["java.lang.String","type1"],"ID":["int",1],"active":["boolean",false],"pk":["java.lang.String","1"],"collectionHolderMap":["java.util.HashMap",{"3":["org.apache.geode.cache.query.data.CollectionHolder",{"arr":["java.lang.String[]",["0","1","2","3","4","SUN","IBM","YHOO","GOOG","MSFT"]]}],"2":["org.apache.geode.cache.query.data.CollectionHolder",{"arr":["java.lang.String[]",["0","1","2","3","4","SUN","IBM","YHOO","GOOG","MSFT"]]}],"1":["org.apache.geode.cache.query.data.CollectionHolder",{"arr":["java.lang.String[]",["0","1","2","3","4","SUN","IBM","YHOO","GOOG","MSFT"]]}],"0":["org.apache.geode.cache.query.data.CollectionHolder",{"arr":["java.lang.String[]",["0","1","2","3","4","SUN","IBM","YHOO","GOOG","MSFT"]]}]}],"createTime":["long",0],"positions":["java.util.HashMap",{"AOL":["org.apache.geode.cache.query.data.Position",{"id":["int",5],"secId":["java.lang.String","AOL"],"mktValue":["double",6],"sharesOutstanding":["double",5000],"col":["java.util.HashSet",[["java.lang.String","1"],["java.lang.String","0"]]]}],"APPL":["org.apache.geode.cache.query.data.Position",{"id":["int",6],"secId":["java.lang.String","APPL"],"mktValue":["double",7],"sharesOutstanding":["double",6000],"col":["java.util.HashSet",[["java.lang.String","1"],["java.lang.String","0"]]]}]}],"p1":["org.apache.geode.cache.query.data.Position",{"id":["int",3],"secId":["java.lang.String","GOOG"],"mktValue":["double",4],"sharesOutstanding":["double",3000],"col":["java.util.HashSet",[["java.lang.String","1"],["java.lang.String","0"]]]}],"p2":["org.apache.geode.cache.query.data.Position",{"id":["int",4],"secId":["java.lang.String","MSFT"],"mktValue":["double",5],"sharesOutstanding":["double",4000],"col":["java.util.HashSet",[["java.lang.String","1"],["java.lang.String","0"]]]}],"floatMinValue":["float",1.4E-45],"longMinValue":["float",-9.223372E18],"doubleMinValue":["double",4.9E-324]}],
+
+    ["org.apache.geode.cache.query.data.Portfolio",
+     {"type":["java.lang.String","type2"],"ID":["int",2],"active":["boolean",true],"pk":["java.lang.String","2"],"collectionHolderMap":["java.util.HashMap",{"3":["org.apache.geode.cache.query.data.CollectionHolder",{"arr":["java.lang.String[]",["0","1","2","3","4","SUN","IBM","YHOO","GOOG","MSFT"]]}],"2":["org.apache.geode.cache.query.data.CollectionHolder",{"arr":["java.lang.String[]",["0","1","2","3","4","SUN","IBM","YHOO","GOOG","MSFT"]]}],"1":["org.apache.geode.cache.query.data.CollectionHolder",{"arr":["java.lang.String[]",["0","1","2","3","4","SUN","IBM","YHOO","GOOG","MSFT"]]}],"0":["org.apache.geode.cache.query.data.CollectionHolder",{"arr":["java.lang.String[]",["0","1","2","3","4","SUN","IBM","YHOO","GOOG","MSFT"]]}]}],"createTime":["long",0],"positions":["java.util.HashMap",{"SAP":["org.apache.geode.cache.query.data.Position",{"id":["int",8],"secId":["java.lang.String","SAP"],"mktValue":["double",9],"sharesOutstanding":["double",8000],"col":["java.util.HashSet",[["java.lang.String","1"],["java.lang.String","0"]]]}],"DELL":["org.apache.geode.cache.query.data.Position",{"id":["int",9],"secId":["java.lang.String","DELL"],"mktValue":["double",10],"sharesOutstanding":["double",9000],"col":["java.util.HashSet",[["java.lang.String","1"],["java.lang.String","0"]]]}]}],"p1":["org.apache.geode.cache.query.data.Position",{"id":["int",7],"secId":["java.lang.String","ORCL"],"mktValue":["double",8],"sharesOutstanding":["double",7000],"col":["java.util.HashSet",[["java.lang.String","1"],["java.lang.String","0"]]]}],"p2":null,"floatMinValue":["float",1.4E-45],"longMinValue":["float",-9.223372E18],"doubleMinValue":["double",4.9E-324]}],
+
+    ["org.apache.geode.cache.query.data.Portfolio",
+     {"type":["java.lang.String","type0"],"ID":["int",3],"active":["boolean",false],"pk":["java.lang.String","3"],"collectionHolderMap":["java.util.HashMap",{"3":["org.apache.geode.cache.query.data.CollectionHolder",{"arr":["java.lang.String[]",["0","1","2","3","4","SUN","IBM","YHOO","GOOG","MSFT"]]}],"2":["org.apache.geode.cache.query.data.CollectionHolder",{"arr":["java.lang.String[]",["0","1","2","3","4","SUN","IBM","YHOO","GOOG","MSFT"]]}],"1":["org.apache.geode.cache.query.data.CollectionHolder",{"arr":["java.lang.String[]",["0","1","2","3","4","SUN","IBM","YHOO","GOOG","MSFT"]]}],"0":["org.apache.geode.cache.query.data.CollectionHolder",{"arr":["java.lang.String[]",["0","1","2","3","4","SUN","IBM","YHOO","GOOG","MSFT"]]}]}],"createTime":["long",0],"positions":["java.util.HashMap",{"HP":["org.apache.geode.cache.query.data.Position",{"id":["int",12],"secId":["java.lang.String","HP"],"mktValue":["double",13],"sharesOutstanding":["double",12000],"col":["java.util.HashSet",[["java.lang.String","1"],["java.lang.String","0"]]]}],"SUN":["org.apache.geode.cache.query.data.Position",{"id":["int",13],"secId":["java.lang.String","SUN"],"mktValue":["double",14],"sharesOutstanding":["double",13000],"col":["java.util.HashSet",[["java.lang.String","1"],["java.lang.String","0"]]]}]}],"p1":["org.apache.geode.cache.query.data.Position",{"id":["int",10],"secId":["java.lang.String","RHAT"],"mktValue":["double",11],"sharesOutstanding":["double",10000],"col":["java.util.HashSet",[["java.lang.String","1"],["java.lang.String","0"]]]}],"p2":["org.apache.geode.cache.query.data.Position",{"id":["int",11],"secId":["java.lang.String","NOVL"],"mktValue":["double",12],"sharesOutstanding":["double",11000],"col":["java.util.HashSet",[["java.lang.String","1"],["java.lang.String","0"]]]}],"floatMinValue":["float",1.4E-45],"longMinValue":["float",-9.223372E18],"doubleMinValue":["double",4.9E-324]}],
+
+    ["org.apache.geode.cache.query.data.PortfolioDummy",
+     {"type":["java.lang.String","type1"],"ID":["int",4],"active":["boolean",true],"pk":["java.lang.String","4"],"collectionHolderMap":["java.util.HashMap",{"3":["org.apache.geode.cache.query.data.CollectionHolder",{"arr":["java.lang.String[]",["0","1","2","3","4","SUN","IBM","YHOO","GOOG","MSFT"]]}],"2":["org.apache.geode.cache.query.data.CollectionHolder",{"arr":["java.lang.String[]",["0","1","2","3","4","SUN","IBM","YHOO","GOOG","MSFT"]]}],"1":["org.apache.geode.cache.query.data.CollectionHolder",{"arr":["java.lang.String[]",["0","1","2","3","4","SUN","IBM","YHOO","GOOG","MSFT"]]}],"0":["org.apache.geode.cache.query.data.CollectionHolder",{"arr":["java.lang.String[]",["0","1","2","3","4","SUN","IBM","YHOO","GOOG","MSFT"]]}]}],"createTime":["long",0],"positions":["java.util.HashMap",{"YHOO":["org.apache.geode.cache.query.data.Position",{"id":["int",15],"secId":["java.lang.String","YHOO"],"mktValue":["double",16],"sharesOutstanding":["double",15000],"col":["java.util.HashSet",[["java.lang.String","1"],["java.lang.String","0"]]]}],"GOOG":["org.apache.geode.cache.query.data.Position",{"id":["int",16],"secId":["java.lang.String","GOOG"],"mktValue":["double",17],"sharesOutstanding":["double",16000],"col":["java.util.HashSet",[["java.lang.String","1"],["java.lang.String","0"]]]}]}],"p1":["org.apache.geode.cache.query.data.Position",{"id":["int",14],"secId":["java.lang.String","IBM"],"mktValue":["double",15],"sharesOutstanding":["double",14000],"col":["java.util.HashSet",[["java.lang.String","1"],["java.lang.String","0"]]]}],"p2":null,"floatMinValue":["float",1.4E-45],"longMinValue":["float",-9.223372E18],"doubleMinValue":["double",4.9E-324]}],
+
+    ["org.apache.geode.cache.query.data.Portfolio",
+     {"type":["java.lang.String","<script>alert('xss')</script>"],"ID":["int",5],"active":["boolean",false],"pk":["java.lang.String","5"],"collectionHolderMap":["java.util.HashMap",{"3":["org.apache.geode.cache.query.data.CollectionHolder",{"arr":["java.lang.String[]",["0","1","2","3","4","SUN","IBM","YHOO","GOOG","MSFT"]]}],"2":["org.apache.geode.cache.query.data.CollectionHolder",{"arr":["java.lang.String[]",["0","1","2","3","4","SUN","IBM","YHOO","GOOG","MSFT"]]}],"1":["org.apache.geode.cache.query.data.CollectionHolder",{"arr":["java.lang.String[]",["0","1","2","3","4","SUN","IBM","YHOO","GOOG","MSFT"]]}],"0":["org.apache.geode.cache.query.data.CollectionHolder",{"arr":["java.lang.String[]",["0","1","2","3","4","SUN","IBM","YHOO","GOOG","MSFT"]]}]}],"createTime":["long",0],"positions":["<script>alert('xss')</script>",{"APPL":["org.apache.geode.cache.query.data.Position",{"id":["int",19],"secId":["java.lang.String","<script>alert('APPL')</script>"],"mktValue":["double",20],"sharesOutstanding":["double",19000],"col":["java.util.HashSet",[["java.lang.String","1"],["java.lang.String","0"]]]}],"ORCL":["org.apache.geode.cache.query.data.Position",{"id":["int",20],"secId":["java.lang.String","ORCL"],"mktValue":["double",21],"sharesOutstanding":["double",20000],"col":["java.util.HashSet",[["java.lang.String","1"],["java.lang.String","0"]]]}]}],"p1":["org.apache.geode.cache.query.data.Position",{"id":["int",17],"secId":["java.lang.String","MSFT"],"mktValue":["double",18],"sharesOutstanding":["double",17000],"col":["java.util.HashSet",[["java.lang.String","1"],["java.lang.String","0"]]]}],"p2":["org.apache.geode.cache.query.data.Position",{"id":["int",18],"secId":["java.lang.String","AOL"],"mktValue":["double",19],"sharesOutstanding":["double",18000],"col":["java.util.HashSet",[["java.lang.String","1"],["java.lang.String","0"]]]}],"floatMinValue":["float",1.4E-45],"longMinValue":["float",-9.223372E18],"doubleMinValue":["double",4.9E-324]}]
+    ]
+}
diff --git a/geode-pulse/src/main/webapp/META-INF/context.xml b/geode-pulse/src/main/webapp/META-INF/context.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+
+<Context>
+
+    <!-- Add SameSite to the cookies for Tomcat -->
+    <CookieProcessor
+            sameSiteCookies="Strict" />
+
+</Context>
diff --git a/geode-pulse/src/main/webapp/WEB-INF/web.xml b/geode-pulse/src/main/webapp/WEB-INF/web.xml
@@ -43,6 +43,14 @@
     <param-name>spring.profiles.default</param-name>
     <param-value>pulse.authentication.default</param-value>
   </context-param>
+
+  <session-config>
+    <cookie-config>
+      <http-only>true</http-only>
+      <comment>__SAME_SITE_STRICT__</comment>
+    </cookie-config>
+  </session-config>
+
   <filter>
     <filter-name>springSecurityFilterChain</filter-name>
     <filter-class>org.springframework.web.filter.DelegatingFilterProxy</filter-class>