
AMBARI-25283: Ambari UI evaluates Javascript embedded in user input w… (#3466)

Zhiguo Wu 3 年之前
父节点
当前提交
200d78bd2c

+ 1 - 0
ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/clusters/ClusterInformationCtrl.js

@@ -27,6 +27,7 @@ function($scope, $http, $location, Cluster, $routeParams, $translate, $rootScope
     clusterName: null
   };
   $scope.isClusterNameEdited = false;
+  $scope.nameValidationPattern = /^\s*\w*\s*$/;
 
   $scope.$watch(function() {
     return $rootScope.cluster;
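Review bot: `ng-pattern` bound to `nameValidationPattern` is a client-side check only, so on its own it does not stop a script-bearing cluster name from being sent to the API and stored; the durable fix for the issue in the title is output encoding at the place the cluster name is rendered, plus the same restriction enforced server-side, neither of which is visible in this commit. The pattern also accepts an empty string and surrounding whitespace because of `\w*` and `\s*`, which is harmless here since the input is `required`, but the save path presumably should send the trimmed value. A one-line comment would make the intent clear to the next reader: `// same restriction as remote cluster names; client-side only, the server must validate independently`.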

+ 1 - 0
ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/remoteClusters/RemoteClustersCreateCtrl.js

@@ -24,6 +24,7 @@ angular.module('ambariAdminConsole')
   $scope.cluster = {};
 
   $scope.nameValidationPattern = /^\s*\w*\s*$/;
+  $scope.urlValidationPattern = /^(https?|ftp):\/\/(((([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:)*@)?(((\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5]))|((([a-z]|\d|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(([a-z]|\d|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])*([a-z]|\d|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])))\.)+(([a-z]|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(([a-z]|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])*([a-z]|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])))\.?)(:\d*)?)(\/((([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)+(\/(([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)*)*)?)?(\?((([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)|[\uE000-\uF8FF]|\/|\?)*)?(\#((([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)|\/|\?)*)?$/i;
 
   $scope.registerRemoteCluster = function () {
     $scope.form.submitted = true;
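Review bot: The URL regex added here is copied byte-for-byte into RemoteClustersEditCtrl.js in this same commit; a pattern this long should live in one place (a shared constant or a small injected value used by both controllers) so the two forms cannot drift apart. It is also a large hand-rolled grammar with nested unbounded groups (for example the host-label alternatives inside `(...\.)+`), which is the usual shape for catastrophic backtracking; I have not measured this one, so it is worth timing against a long dotless input before shipping. As with the name pattern, this is a client-side check and the server's handling of `cluster_url` should validate independently. At minimum add a comment above the line, `// http(s)/ftp URL syntax check; duplicated in RemoteClustersEditCtrl — keep in sync`.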

+ 1 - 0
ambari-admin/src/main/resources/ui/admin-web/app/scripts/controllers/remoteClusters/RemoteClustersEditCtrl.js

@@ -25,6 +25,7 @@ angular.module('ambariAdminConsole')
   $scope.instancesAffected = [];
 
   $scope.nameValidationPattern = /^\s*\w*\s*$/;
+  $scope.urlValidationPattern = /^(https?|ftp):\/\/(((([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:)*@)?(((\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5]))|((([a-z]|\d|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(([a-z]|\d|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])*([a-z]|\d|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])))\.)+(([a-z]|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(([a-z]|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])*([a-z]|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])))\.?)(:\d*)?)(\/((([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)+(\/(([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)*)*)?)?(\?((([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)|[\uE000-\uF8FF]|\/|\?)*)?(\#((([a-z]|\d|-|\.|_|~|[\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF])|(%[\da-f]{2})|[!\$&'\(\)\*\+,;=]|:|@)|\/|\?)*)?$/i;
 
   $scope.openChangePwdDialog = function() {
     var modalInstance = $modal.open({

+ 1 - 0
ambari-admin/src/main/resources/ui/admin-web/app/scripts/i18n.config.js

@@ -226,6 +226,7 @@ angular.module('ambariAdminConsole')
 
     'views.alerts.noSpecialChars': 'Must not contain any special characters.',
     'views.alerts.noSpecialCharsOrSpaces': 'Must not contain any special characters or spaces.',
+    'views.alerts.invalidUrl': 'Must be a valid URL.',
     'views.alerts.instanceExists': 'Instance with this name already exists.',
     'views.alerts.notDefined': 'There are no {{term}} defined for this view.',
     'views.alerts.cannotEditInstance': 'Cannot Edit Static Instances',

+ 1 - 0
ambari-admin/src/main/resources/ui/admin-web/app/views/clusters/clusterInformation.html

@@ -50,6 +50,7 @@
                  name="clusterName"
                  ng-change="toggleSaveButton()"
                  ng-model="edit.clusterName"
+                 ng-pattern="nameValidationPattern"
                  required
                  autofocus
                  ng-maxlength="100"
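Review bot: The new `ng-pattern` makes the form invalid on a rejected name, but this hunk adds no element bound to `$error.pattern`, whereas the two remote-cluster pages in this commit add a `views.alerts.invalidUrl` alert; if no such element exists outside the hunk, the user only sees a save button that stays disabled with no explanation. Consider adding next to the input's existing alerts `<div class="alert alert-danger top-margin" ng-show="form.clusterName.$error.pattern"> {{'views.alerts.noSpecialCharsOrSpaces' | translate}}</div>`, reusing the `noSpecialCharsOrSpaces` key that already exists in i18n.config.js. The name of the enclosing `<form>` is not visible in the hunk, so use whatever it declares in place of `form`.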

+ 2 - 1
ambari-admin/src/main/resources/ui/admin-web/app/views/remoteClusters/editRemoteClusterPage.html

@@ -42,8 +42,9 @@
   <div class="form-group" ng-class="{'has-error' : form.user_name.$error.required && form.submitted}">
     <label for="clusterurl" class="col-sm-2 control-label">{{'users.ambariClusterURL' | translate}}*</label>
     <div class="col-sm-10">
-      <input type="text" id="clusterurl" class="form-control" name="cluster_url" placeholder="{{'users.ambariClusterURL' | translate}}" ng-model="cluster.cluster_url" required autocomplete="off">
+      <input type="text" id="clusterurl" class="form-control" ng-pattern="urlValidationPattern" name="cluster_url" placeholder="{{'users.ambariClusterURL' | translate}}" ng-model="cluster.cluster_url" required autocomplete="off">
       <div class="alert alert-danger top-margin" ng-show="form.cluster_url.$error.required && form.submitted"> {{'common.alerts.fieldIsRequired' | translate}}</div>
+      <div class="alert alert-danger top-margin" ng-show="form.cluster_url.$error.pattern && form.submitted"> {{'views.alerts.invalidUrl' | translate}}</div>
     </div>
   </div>
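Review bot: The `has-error` class on the enclosing `form-group` (the context line above the input) is still driven by `form.user_name.$error.required`, so the new pattern alert appears while the input itself never receives the error styling, and the existing required-alert for `cluster_url` has the same mismatch; remoteClusterPage.html in this commit has the identical problem. Change the binding to `ng-class="{'has-error' : (form.cluster_url.$error.required || form.cluster_url.$error.pattern) && form.submitted}"`. The `user_name` reference looks like a copy-paste leftover from another field's group, but that group is not visible in the hunk.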
 

+ 2 - 1
ambari-admin/src/main/resources/ui/admin-web/app/views/remoteClusters/remoteClusterPage.html

@@ -34,8 +34,9 @@
   <div class="form-group" ng-class="{'has-error' : form.user_name.$error.required && form.submitted}">
     <label for="clusterurl" class="col-sm-2 control-label">{{'users.ambariClusterURL' | translate}}*</label>
     <div class="col-sm-10">
-      <input type="text" id="clusterurl" class="form-control" name="cluster_url" placeholder="{{'remoteClusters.clusterURLPlaceholder' | translate}}" ng-model="cluster.cluster_url" required autocomplete="off">
+      <input type="text" id="clusterurl" class="form-control" ng-pattern="urlValidationPattern" name="cluster_url" placeholder="{{'remoteClusters.clusterURLPlaceholder' | translate}}" ng-model="cluster.cluster_url" required autocomplete="off">
       <div class="alert alert-danger top-margin" ng-show="form.cluster_url.$error.required && form.submitted"> {{'common.alerts.fieldIsRequired' | translate}}</div>
+      <div class="alert alert-danger top-margin" ng-show="form.cluster_url.$error.pattern && form.submitted"> {{'views.alerts.invalidUrl' | translate}}</div>
     </div>
   </div>
 

+ 1 - 1
ambari-web/app/controllers/wizard/step2_controller.js

@@ -213,7 +213,7 @@ App.WizardStep2Controller = Em.Controller.extend({
     this.get('invalidHostNames').clear();
     this.get('hostNameArr').forEach(function (hostName) {
       if (!validator.isHostname(hostName)) {
-        this.get('invalidHostNames').push(hostName);
+        this.get('invalidHostNames').push(encodeURIComponent(hostName));
         result = false;
       }
     }, this);
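Review bot: `encodeURIComponent` is a URL encoder, not an HTML escaper: it leaves several punctuation characters such as `'`, `(` and `)` untouched and turns most others into `%XX`, so the invalid-host list will display `%3C` in place of `<` and is still not a complete HTML encoding for whatever template renders it. The safer shape is to keep the raw name in `invalidHostNames` and rely on escaping at the rendering site — Handlebars' default `{{...}}` output is already escaped, and only an unescaped `{{{...}}}` or an `htmlSafe` string would need more — or, if that template cannot be changed, `Handlebars.Utils.escapeExpression(hostName)` if the bundled Handlebars is in scope here. Which template consumes `invalidHostNames` is not visible in this hunk, so confirm its output form before choosing. The enclosing method begins and ends outside the hunk.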