RANGER-4461 : Implement best coding practices for validating user input
Signed-off-by: Dineshkumar Yadav <[email protected]>
dhavaljrajpara authored and dineshkumar-yadav committed Nov 23, 2023
1 parent 6cdb6da commit f1e6e2e
Showing 11 changed files with 28 additions and 28 deletions.
4 changes: 2 additions & 2 deletions security-admin/src/main/webapp/scripts/modules/XAOverrides.js
Original file line number Diff line number Diff line change
Expand Up @@ -826,7 +826,7 @@
.attr('placeholder','Select component');
var optionList = _.keys(this.servicePerms);
_.each(optionList, function (val, el) {
$selectComp.append("<option>" + val + "</option>");
$selectComp.append("<option>" + _.escape(val) + "</option>");
});
var $table = $('<table>', {'class':'table table-policy-condition table-perms margin-top-6' });
var $tbody = $('<tbody><tr><th><input type="checkbox" data-id="selectAllComponent" /> Component</th><td><strong>Permissions</strong></td></tr></tbody>');
Expand Down Expand Up @@ -939,7 +939,7 @@
}
},
addTr : function(compName){
var $tr = $('<tr data-id="'+compName+'">'), $th = $('<th>'), $label = '<label><input type="checkbox" data-id="selectall" data-type="'+compName+'"></label>'+compName;
var $tr = $('<tr data-id="'+_.escape(compName)+'">'), $th = $('<th>'), $label = '<label><input type="checkbox" data-id="selectall" data-type="'+_.escape(compName)+'"></label>'+_.escape(compName);
var $tmp = $th.append($label);
var $td = $('<td>');
var permissions = this.servicePerms[compName]
Expand Down
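Review bot: In addTr the new line calls `_.escape(compName)` three times inline, which makes the line hard to read and easy to get wrong on the next edit; escape once into a local and reuse it: `var safeName = _.escape(compName);` followed by `var $tr = $('<tr data-id="'+safeName+'">'), $th = $('<th>'), $label = '<label><input type="checkbox" data-id="selectall" data-type="'+safeName+'"></label>'+safeName;`. The lookup `this.servicePerms[compName]` on the following line must keep using the raw name as the key, so the local should not shadow compName. addTr's body continues past the hunk.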
6 changes: 3 additions & 3 deletions security-admin/src/main/webapp/scripts/utils/XAUtils.js
Original file line number Diff line number Diff line change
Expand Up @@ -213,7 +213,7 @@ define(function(require) {
$.notify({
icon: 'fa-fw fa fa-exclamation-circle',
title: '<strong>Info!</strong>',
message: text
message: _.escape(text)
});
};

Expand All @@ -231,7 +231,7 @@ define(function(require) {
$.notify({
icon: 'fa-fw fa fa-exclamation-triangle',
title: '<strong>Error!</strong>',
message: text
message: _.escape(text)
},{
type: 'danger',
});
Expand All @@ -251,7 +251,7 @@ define(function(require) {
$.notify({
icon: 'fa-fw fa fa-check-circle',
title: '<strong>Success!</strong>',
message: text
message: _.escape(text)
},{
type: 'success'
});
Expand Down
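Review bot: Escaping `text` in all three notify helpers turns any caller that passes markup (a `<br/>` or a link) into literal text, and the helpers' signatures, which sit outside these hunks, carry no comment saying so; whether such callers exist is not visible here. Add a JSDoc line above each helper such as `/** @param {string} text - plain text; it is HTML-escaped before display */` so callers know the contract. The fixed `title` strings remain literal HTML, which is fine since they are not user-controlled.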
Original file line number Diff line number Diff line change
Expand Up @@ -200,7 +200,7 @@ define(function(require){
fromRaw: function (rawValue) {
var html = '';
_.each(rawValue, function(val, key) {
html += key+' <i class="fa-fw fa fa-long-arrow-right fa-fw fa fa-3"></i> '+val+'<br/>';
html += _.escape(key)+' <i class="fa-fw fa fa-long-arrow-right fa-fw fa fa-3"></i> '+_.escape(val)+'<br/>';
});
return html;
}
Expand Down
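Review bot: The escaped fromRaw changes how null or undefined values render: underscore's `_.escape` turns them into an empty string where the previous concatenation produced the text `null`/`undefined`, so an entry with a missing value now shows nothing after the arrow. That is probably the better behaviour, but it is a silent change for a formatter; document it with a short JSDoc on fromRaw, e.g. `/** @param {Object} rawValue - key/value map; each pair is rendered as one escaped line, null values render empty */`. The enclosing formatter object continues outside the hunk.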
Original file line number Diff line number Diff line change
Expand Up @@ -138,13 +138,13 @@ define(function(require) {
if(userListData &&!_.isEmpty(userListData)) {
var i , j;
for(var i=0,j=0; i<=j+200 && userListData.length > i; i++){
that.$el.find('.selectedUserList').append('<span class="selected-widget"><i class="icon remove fa-fw fa fa-remove" data-id="'+userListData[i].userId+'"></i>&nbsp;'+userListData[i].userName+'</span>')
that.$el.find('.selectedUserList').append('<span class="selected-widget"><i class="icon remove fa-fw fa fa-remove" data-id="'+userListData[i].userId+'"></i>&nbsp;'+_.escape(userListData[i].userName)+'</span>')
}
that.$el.find('.selectedUserList').scroll(function(position) {
if (position.currentTarget.scrollHeight <= (position.currentTarget.clientHeight + position.currentTarget.scrollTop) + 10) {
j = i;
for(i; i<=j+200 && userListData.length > i; i++){
that.$el.find('.selectedUserList').append('<span class="selected-widget"><i class="icon remove fa-fw fa fa-remove" data-id="'+userListData[i].userId+'"></i>&nbsp;'+userListData[i].userName+'</span>')
that.$el.find('.selectedUserList').append('<span class="selected-widget"><i class="icon remove fa-fw fa fa-remove" data-id="'+userListData[i].userId+'"></i>&nbsp;'+_.escape(userListData[i].userName)+'</span>')
}
that.$el.find('[data-js="selectedUserList"] span i').on('click', that.removeUser.bind(that));
}
Expand All @@ -157,13 +157,13 @@ define(function(require) {
if (groupListData && !_.isEmpty(groupListData)) {
var m , n;
for(var m=0,n=0; m<=n+200 && groupListData.length > m; m++){
that.$el.find('.selectedGroupList').append('<span class="selected-widget"><i class="icon remove fa-fw fa fa-remove" data-id="'+groupListData[m].groupId+'"></i>&nbsp;'+groupListData[m].groupName+'</span>')
that.$el.find('.selectedGroupList').append('<span class="selected-widget"><i class="icon remove fa-fw fa fa-remove" data-id="'+groupListData[m].groupId+'"></i>&nbsp;'+_.escape(groupListData[m].groupName)+'</span>')
}
that.$el.find('.selectedGroupList').scroll(function(position) {
if (position.currentTarget.scrollHeight <= (position.currentTarget.clientHeight + position.currentTarget.scrollTop) + 10) {
n = m;
for(m; m<=n+200 && groupListData.length > m; m++){
that.$el.find('.selectedGroupList').append('<span class="selected-widget"><i class="icon remove fa-fw fa fa-remove" data-id="'+groupListData[m].groupId+'"></i>&nbsp;'+groupListData[m].groupName+'</span>')
that.$el.find('.selectedGroupList').append('<span class="selected-widget"><i class="icon remove fa-fw fa fa-remove" data-id="'+groupListData[m].groupId+'"></i>&nbsp;'+_.escape(groupListData[m].groupName)+'</span>')
}
that.$el.find('[data-js="selectedGroupList"] span i').on('click', that.removeGroup.bind(that));
}
Expand Down Expand Up @@ -253,7 +253,7 @@ define(function(require) {
var vals = [],selectedVals = [];
var added = options.textKey == 'groupName' ? this.addedGroups : this.addedUsers;
if(!_.isEmpty(added)){
selectedVals = _.map(added, function(obj){ return obj.text; });
selectedVals = _.map(added, function(obj){ return _.escape(obj.text); });
}
vals.push.apply(vals , selectedVals);
return vals;
Expand Down
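Review bot: In the last hunk, `selectedVals = _.map(added, function(obj){ return _.escape(obj.text); })` escapes data that is returned from the function rather than HTML being built, so a name containing `&` or `'` now comes back as `&amp;`/`&#x27;` and will no longer compare equal to the raw user or group names elsewhere, and whichever consumer renders these values will double-escape if it escapes too. Keep this function returning the raw text (`return obj.text;`) and escape where the value is written into markup, as the first two hunks do. The same data-layer escaping appears in the later section that pushes `_.escape(m.get('parentObjectName'))` onto newGroupList and previousGroupList. Separately, `userListData[i].userId` and `groupListData[m].groupId` are still interpolated unescaped into `data-id` attributes, which is safe only if they are numeric ids; that cannot be confirmed from here.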
Original file line number Diff line number Diff line change
Expand Up @@ -347,7 +347,7 @@ define(function(require) {
if(!_.isUndefined(id)){
var obj = _.findWhere(that.rangerServiceDefModel.attributes.accessTypes,{'name' : id});
permTypeArr.push({permType : obj.value});
return "<span class='badge badge-info'>" + obj.label + "</span>";
return "<span class='badge badge-info'>" + _.escape(obj.label) + "</span>";
}
});
var items=[];
Expand Down Expand Up @@ -529,7 +529,7 @@ define(function(require) {
if(!_.isUndefined(id)){
var obj = _.findWhere(srcData,{'value' : id});
permTypeArr.push({permType : obj.value});
return "<span class='badge badge-info'>" + id.substr(0,id.indexOf(":")).toUpperCase() + "</span>";
return "<span class='badge badge-info'>" + _.escape(id.substr(0,id.indexOf(":"))).toUpperCase() + "</span>";
}
});
var items=[];
Expand Down Expand Up @@ -641,8 +641,8 @@ define(function(require) {
$(this).siblings('[data-id="maskTypeCustom"]').val(" ");
}

$(this).html("<span class='badge badge-info'>"+ value.substr(0,value.indexOf(":")).toUpperCase() +" : "
+ obj.text +"</span>");
$(this).html("<span class='badge badge-info'>"+ _.escape(value.substr(0,value.indexOf(":"))).toUpperCase() +" : "
+ _.escape(obj.text) +"</span>");
that.ui.addMaskingTypeSpan.find('i').attr('class', 'fa-fw fa fa-pencil');
that.ui.addMaskingTypeSpan.attr('title','edit');
},
Expand Down Expand Up @@ -946,7 +946,7 @@ define(function(require) {
$(this).siblings('[data-id="maskTypeCustom"]').val(" ")
}

$(this).html("<span class='badge badge-info'>" + obj.text + "</span>");
$(this).html("<span class='badge badge-info'>" + _.escape(obj.text) + "</span>");
that.ui.addMaskingTypeSpan.find('i').attr('class', 'fa-fw fa fa-pencil');
that.ui.addMaskingTypeSpan.attr('title','edit');
},
Expand Down
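Review bot: At `_.escape(id.substr(0,id.indexOf(":"))).toUpperCase()` the case change is applied after escaping, so any entity `_.escape` emitted is uppercased as well (`&amp;` becomes `&AMP;`, `&#x27;` becomes `&#X27;`); browsers happen to accept those forms, but the output is no longer what the escaper produced and a stricter consumer or a test comparing against `_.escape` output would reject it. Uppercase the raw value first and escape last: `_.escape(id.substr(0,id.indexOf(":")).toUpperCase())`. The same ordering appears on the `value.substr(...)` line in the third hunk of this file and in the later file that repeats the `id.substr(0,id.indexOf(":"))` badge. The surrounding callbacks begin and end outside these hunks.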
Original file line number Diff line number Diff line change
Expand Up @@ -70,7 +70,7 @@ define(function(require){
if(m.type == inputFieldName){
tag = _.map(m.values.filter(Boolean), function(val){
if(!_.isEmpty(val)){
return{'id':_.escape(val), 'text':_.escape(val)}
return{'id':val, 'text':val}
}
});
}
Expand All @@ -88,7 +88,7 @@ define(function(require){
callback(tag);
},
createSearchChoice: function(term, data) {
term = _.escape(term);
term = term;
if ($(data).filter(function() {
return this.text.localeCompare(term) === 0;
}).length === 0) {
Expand Down
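Review bot: `term = term;` in createSearchChoice is a no-op left behind when the `_.escape(term)` call was removed (assuming the second line of each pair is the new side, as in the other files); delete the line rather than keep a self-assignment. If escaping was dropped on purpose because the select widget escapes its choices when rendering, a one-line comment such as `// raw value: the widget escapes markup on render` above the `{'id':val, 'text':val}` line would stop the next reader from re-adding it; whether the widget does escape here is not visible in this hunk. Both callbacks continue outside the hunks.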
Original file line number Diff line number Diff line change
Expand Up @@ -239,7 +239,7 @@ define(function(require){
_.each(that.model.get('conditions'), function(val){
console.log(that);
var conditionName = that.rangerServiceDefModel.get('policyConditions').find(function(m){return m.name == val.type});
$data.push('<tr><td width="40%">'+_.escape(conditionName.label)+'</td><td width="60%">'+(val.values).toString()+'</td></tr>')
$data.push('<tr><td width="40%">'+_.escape(conditionName.label)+'</td><td width="60%">'+_.escape((val.values).toString())+'</td></tr>')
});
if($data.length > 0){
that.$el.find(that.ui.conditionData).html($data);
Expand Down
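Review bot: The touched loop still contains `console.log(that);` right before the escaped `$data.push(...)`, which dumps the whole view to the console on every condition row; it predates this commit but sits on the lines under review and should go. `conditionName` also comes from `.find(...)` and is dereferenced as `conditionName.label` with no check, so an unknown `val.type` throws inside `_.each`; a guard such as `if(!conditionName) return;` before the push would make the render tolerant. The enclosing render function continues outside the hunk.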
Original file line number Diff line number Diff line change
Expand Up @@ -243,9 +243,9 @@ define(function(require){
this.collection.each(function(m){
if(m.get('attributeName') == 'Group Name'){
if(m.get('action') == 'create' || m.get('action') == 'update')
that.newGroupList.push(m.get('parentObjectName'));
that.newGroupList.push(_.escape(m.get('parentObjectName')));
if(m.get('action') == 'delete' || m.get('action') == 'update')
that.previousGroupList.push(m.get('parentObjectName'));
that.previousGroupList.push(_.escape(m.get('parentObjectName')));
modelArr.push(m);
} else if(m.get('attributeName') == 'User Role'){
var newRole;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -384,9 +384,9 @@ define(function(require) {'use strict';
var access_str = '';
_.each(model.get('accesses'),function(access,index){
if(index < 4){
access_str += '<span class="badge badge-info cellWidth-1 float-left-margin-2" access-policy-id="'+model.cid+'" style="">' + access.type+'</span>' + " ";
access_str += '<span class="badge badge-info cellWidth-1 float-left-margin-2" access-policy-id="'+model.cid+'" style="">' + _.escape(access.type)+'</span>' + " ";
} else {
access_str += '<span class="badge badge-info cellWidth-1 float-left-margin-2" access-policy-id="'+model.cid+'" style="display:none">' + access.type+'</span>'+ " ";
access_str += '<span class="badge badge-info cellWidth-1 float-left-margin-2" access-policy-id="'+model.cid+'" style="display:none">' + _.escape(access.type)+'</span>'+ " ";
}
});
if(model.get('accesses').length > 4) {
Expand Down Expand Up @@ -566,7 +566,7 @@ define(function(require) {'use strict';
fromRaw: function (rawValue, model) {
var labels ="";
if(!_.isUndefined(rawValue) && rawValue.length != 0){
return '<span class="badge badge-dark" style="float:inherit;">'+rawValue+'</span>'
return '<span class="badge badge-dark" style="float:inherit;">'+_.escape(rawValue)+'</span>'
}else{
return '<span style="float:inherit;">'+"--"+'</span>';
}
Expand Down
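Review bot: The two branches in the first hunk differ only in the `style` attribute, and each now repeats the whole badge string around `_.escape(access.type)`; one template with the style chosen once is easier to keep correct: `var style = index < 4 ? '' : 'display:none';` then `access_str += '<span class="badge badge-info cellWidth-1 float-left-margin-2" access-policy-id="'+model.cid+'" style="'+style+'">' + _.escape(access.type)+'</span> ';`. `model.cid` is Backbone's client id, so leaving it unescaped is fine. In the second hunk `var labels ="";` is declared and never used in the visible lines. Both callbacks continue outside the hunks.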
Original file line number Diff line number Diff line change
Expand Up @@ -184,7 +184,7 @@ define(function(require) {
if(!_.isUndefined(id)){
var obj = _.findWhere(that.rangerServiceDefModel.attributes.accessTypes,{'name' : id});
permTypeArr.push({permType : obj.value});
return "<span class='badge badge-info'>" + obj.label + "</span>";
return "<span class='badge badge-info'>" + _.escape(obj.label) + "</span>";
}
});
that.model.set('accessTypes', values);
Expand Down Expand Up @@ -269,7 +269,7 @@ define(function(require) {
if(!_.isUndefined(id)){
var obj = _.findWhere(srcData,{'value' : id});
permTypeArr.push({permType : obj.value});
return "<span class='badge badge-info'>" + id.substr(0,id.indexOf(":")).toUpperCase() + "</span>";
return "<span class='badge badge-info'>" + _.escape(id.substr(0,id.indexOf(":"))).toUpperCase() + "</span>";
}
});
// Save form data to model
Expand Down Expand Up @@ -391,7 +391,7 @@ define(function(require) {
var isRecursive = key.isRecursive ? XAEnums.RecursiveStatus.STATUS_RECURSIVE.label : XAEnums.RecursiveStatus.STATUS_NONRECURSIVE.label;
$toggleBtn += '<span class="badge badge-dark pull-right">'+isRecursive+'</span>'
}
$dataResources += '<div class="resourcesFilter"><div><b>' + value + '</b>:' + key.values.join(', ') +'</div>' + $toggleBtn +'</div>'
$dataResources += '<div class="resourcesFilter"><div><b>' + value + '</b>:' + _.escape(key.values.join(', ')) +'</div>' + $toggleBtn +'</div>'
})
$dataResources += '</div>'
this.$el.find('.js-formInput').html($dataResources);
Expand Down
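Review bot: In the third hunk `value` is still interpolated raw into `<b>' + value + '</b>` while `key.values.join(', ')` on the same line is now escaped; if `value` is a resource name taken from the policy (its source is outside the hunk) it should get the same treatment: `$dataResources += '<div class="resourcesFilter"><div><b>' + _.escape(value) + '</b>:' + _.escape(key.values.join(', ')) +'</div>' + $toggleBtn +'</div>'`. The `id.substr(...)` badge in the second hunk uppercases after escaping, as in the earlier policy form file; escape last there too. The enclosing callbacks begin outside the hunks.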
Original file line number Diff line number Diff line change
Expand Up @@ -631,7 +631,7 @@ define(function(require){
sortable : false,
formatter : _.extend({}, Backgrid.CellFormatter.prototype, {
fromRaw : function (rawValue,model) {
return ('<div align="center"><button class="userViewicon" title = "View Users" data-js="showUserList" data-name="' + model.get('name')
return ('<div align="center"><button class="userViewicon" title = "View Users" data-js="showUserList" data-name="' + _.escape(model.get('name'))
+ '" data-id="' + model.id + '"<font color="black"><i class="fa-fw fa fa-group"> </i></font></button></div>');
}
}),
Expand Down
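Review bot: The button markup on the line after the escaped `data-name` is malformed: `'" data-id="' + model.id + '"<font color="black">` never closes the `<button` start tag, so `<font` and `color` are parsed as stray attributes of the button and the later `</font>` is unmatched. Add the missing `>`: `+ '" data-id="' + model.id + '"><font color="black"><i class="fa-fw fa fa-group"> </i></font></button></div>');`. `model.id` is also interpolated unescaped, which is fine only if ids are numeric; that cannot be confirmed here. The formatter object continues outside the hunk.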
