Throw exception on HTML input for collect endpoint (#16919)

Mohit Yadav 2024-07-04 11:54:22 +05:30 committed by GitHub
parent 80efc7075f
commit c33d2bfdb6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 10 additions and 15 deletions


@ -616,11 +616,6 @@
<groupId>com.google.cloud</groupId>
<artifactId>google-cloud-secretmanager</artifactId>
</dependency>
<dependency>
<groupId>com.googlecode.owasp-java-html-sanitizer</groupId>
<artifactId>owasp-java-html-sanitizer</artifactId>
<version>20211018.2</version>
</dependency>
</dependencies>
<profiles>


@ -13,6 +13,7 @@ import io.swagger.v3.oas.annotations.tags.Tag;
import java.io.IOException;
import java.util.List;
import java.util.UUID;
import java.util.regex.Pattern;
import javax.json.JsonPatch;
import javax.validation.Valid;
import javax.validation.constraints.Max;
@ -56,8 +57,6 @@ import org.openmetadata.service.security.Authorizer;
import org.openmetadata.service.security.policyevaluator.OperationContext;
import org.openmetadata.service.util.JsonUtils;
import org.openmetadata.service.util.ResultList;
import org.owasp.html.PolicyFactory;
import org.owasp.html.Sanitizers;
@Slf4j
@Path("/v1/analytics/web/events")
@ -70,6 +69,7 @@ public class WebAnalyticEventResource
extends EntityResource<WebAnalyticEvent, WebAnalyticEventRepository> {
public static final String COLLECTION_PATH = WebAnalyticEventRepository.COLLECTION_PATH;
static final String FIELDS = "owner";
private static final Pattern HTML_PATTERN = Pattern.compile(".*\\<[^>]+>.*", Pattern.DOTALL);
public WebAnalyticEventResource(Authorizer authorizer, Limits limits) {
super(Entity.WEB_ANALYTIC_EVENT, authorizer, limits);
@ -573,8 +573,9 @@ public class WebAnalyticEventResource
// Validate Json as type Custom Event
CustomEvent customEventData = JsonUtils.convertValue(inputData, CustomEvent.class);
if (customEventData.getEventType().equals(CustomEvent.CustomEventTypes.CLICK)) {
String sanatizedValue = sanitizeInput(customEventData.getEventValue());
customEventData.setEventValue(sanatizedValue);
if (containsHtml(customEventData.getEventValue())) {
throw new IllegalArgumentException("Invalid event value for custom event.");
}
webAnalyticEventDataInput.setEventData(customEventData);
} else {
throw new IllegalArgumentException("Invalid event type for custom event");
@ -586,11 +587,10 @@ public class WebAnalyticEventResource
return webAnalyticEventDataInput;
}
public static String sanitizeInput(String input) {
// Create a policy that allows only safe HTML
PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
// Sanitize the input
return policy.sanitize(input);
public static boolean containsHtml(String input) {
if (input == null || input.isEmpty()) {
return false;
}
return HTML_PATTERN.matcher(input).matches();
}
}
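Review bot: `containsHtml` only rejects a complete tag (`<[^>]+>`), so an unterminated one such as `<img src=x onerror=alert(1)` or a bare `<script` passes the check even though browsers close such a tag at end of input, and entity-encoded (`&lt;script&gt;`) or `javascript:`-style payloads are not covered at all. Rejecting any angle bracket is simpler and closes the first gap: `private static final Pattern HTML_PATTERN = Pattern.compile("[<>]");` with `return HTML_PATTERN.matcher(input).find();`, which also drops the `.*` prefix/suffix and `DOTALL` that `matches()` needed, and the redundant `isEmpty()` branch. This is input validation rather than output encoding, so whatever renders `eventValue` still has to encode it; the check is only applied on the CLICK branch of the caller, whose enclosing method starts before the hunk, so other event payloads remain unchecked here. Since the OWASP sanitizer import and dependency are removed in the same commit, this regex is now the only guard on the field, which is worth stating in a comment above `HTML_PATTERN`, e.g. `// Reject-list check only; rendering code must still HTML-encode eventValue.`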