From c33d2bfdb6bb7730c5cdb0dcb289ada7d5946b3c Mon Sep 17 00:00:00 2001
From: Mohit Yadav <105265192+mohityadav766@users.noreply.github.com>
Date: Thu, 4 Jul 2024 11:54:22 +0530
Subject: [PATCH] Throw exception on HTML input for collect endpoint (#16919)
---
openmetadata-service/pom.xml | 5 -----
.../analytics/WebAnalyticEventResource.java | 20 +++++++++----------
2 files changed, 10 insertions(+), 15 deletions(-)
diff --git a/openmetadata-service/pom.xml b/openmetadata-service/pom.xml
index e63432c3e0b..795c2070c37 100644
--- a/openmetadata-service/pom.xml
+++ b/openmetadata-service/pom.xml
@@ -616,11 +616,6 @@
com.google.cloud
google-cloud-secretmanager
-
- com.googlecode.owasp-java-html-sanitizer
- owasp-java-html-sanitizer
- 20211018.2
-
diff --git a/openmetadata-service/src/main/java/org/openmetadata/service/resources/analytics/WebAnalyticEventResource.java b/openmetadata-service/src/main/java/org/openmetadata/service/resources/analytics/WebAnalyticEventResource.java
index d05822ff54c..ceb25fd3a48 100644
--- a/openmetadata-service/src/main/java/org/openmetadata/service/resources/analytics/WebAnalyticEventResource.java
+++ b/openmetadata-service/src/main/java/org/openmetadata/service/resources/analytics/WebAnalyticEventResource.java
@@ -13,6 +13,7 @@ import io.swagger.v3.oas.annotations.tags.Tag;
import java.io.IOException;
import java.util.List;
import java.util.UUID;
+import java.util.regex.Pattern;
import javax.json.JsonPatch;
import javax.validation.Valid;
import javax.validation.constraints.Max;
@@ -56,8 +57,6 @@ import org.openmetadata.service.security.Authorizer;
import org.openmetadata.service.security.policyevaluator.OperationContext;
import org.openmetadata.service.util.JsonUtils;
import org.openmetadata.service.util.ResultList;
-import org.owasp.html.PolicyFactory;
-import org.owasp.html.Sanitizers;
@Slf4j
@Path("/v1/analytics/web/events")
@@ -70,6 +69,7 @@ public class WebAnalyticEventResource
extends EntityResource {
public static final String COLLECTION_PATH = WebAnalyticEventRepository.COLLECTION_PATH;
static final String FIELDS = "owner";
+ private static final Pattern HTML_PATTERN = Pattern.compile(".*\\<[^>]+>.*", Pattern.DOTALL);
public WebAnalyticEventResource(Authorizer authorizer, Limits limits) {
super(Entity.WEB_ANALYTIC_EVENT, authorizer, limits);
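Review bot: HTML_PATTERN on the added line only fires when a closing `>` is present, so an unterminated tag such as `<img src=x onerror=alert(1)` at the end of the value is not detected even though a browser auto-closes it at end of input; conversely the leading and trailing `.*` and the DOTALL flag exist only to satisfy `matches()`. The HTML tokenizer opens a tag on `<` followed by an ASCII letter, `!`, `/` or `?`, so `private static final Pattern HTML_PATTERN = Pattern.compile("<[A-Za-z!/?]");` paired with `HTML_PATTERN.matcher(input).find()` in containsHtml covers the unterminated case, drops the flag and still lets plain text like `a < b` through. A short comment on the constant, `// Tag-open condition of the HTML tokenizer: '<' followed by a letter, '!', '/' or '?'`, would record why this shape was chosen so it is not loosened later.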
@@ -573,8 +573,9 @@ public class WebAnalyticEventResource
// Validate Json as type Custom Event
CustomEvent customEventData = JsonUtils.convertValue(inputData, CustomEvent.class);
if (customEventData.getEventType().equals(CustomEvent.CustomEventTypes.CLICK)) {
- String sanatizedValue = sanitizeInput(customEventData.getEventValue());
- customEventData.setEventValue(sanatizedValue);
+ if (containsHtml(customEventData.getEventValue())) {
+ throw new IllegalArgumentException("Invalid event value for custom event.");
+ }
webAnalyticEventDataInput.setEventData(customEventData);
} else {
throw new IllegalArgumentException("Invalid event type for custom event");
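Review bot: The message on the new throw, `Invalid event value for custom event.`, tells the client nothing about which rule was violated, and the same exception type is used by the sibling branch for an unrelated condition; name the rule without echoing the input, e.g. `throw new IllegalArgumentException("eventValue of a CLICK custom event must not contain HTML markup");`. Not reflecting the rejected value is the right choice, since an error body that echoes it would itself be an injection surface if a client renders it. Whether IllegalArgumentException is mapped to a 400 rather than a 500 depends on an exception mapper outside this diff and is worth confirming. The enclosing method starts before and ends after this hunk.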
@@ -586,11 +587,10 @@ public class WebAnalyticEventResource
return webAnalyticEventDataInput;
}
- public static String sanitizeInput(String input) {
- // Create a policy that allows only safe HTML
- PolicyFactory policy = Sanitizers.FORMATTING.and(Sanitizers.LINKS);
-
- // Sanitize the input
- return policy.sanitize(input);
+ public static boolean containsHtml(String input) {
+ if (input == null || input.isEmpty()) {
+ return false;
+ }
+ return HTML_PATTERN.matcher(input).matches();
}
}
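Review bot: containsHtml carries no Javadoc, and its contract — a request-time guard that rejects tag-like input, not a guarantee that a value which passes is safe to render — is easy to misread from the name; suggest `/** Returns true when {@code input} contains a {@code <...>} tag-like sequence; null and empty count as no HTML. Values that pass are stored verbatim and must still be output-encoded wherever they are rendered. */`. The `.*` prefix and suffix combined with `matches()` also force the matcher to backtrack across the rest of the value for every `<` that has no later `>`, which is avoidable by anchoring nothing and using `find()`. The explicit `isEmpty()` check is redundant with the regex but harmless and makes the null/empty handling explicit.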