
@sarutak (Member) commented Dec 6, 2025

What changes were proposed in this pull request?

This PR aims to escape the user name displayed in historypage.

Why are the changes needed?

Similar to the issue resolved in #52851, the user name should also get escaped because an arbitrary user name can be set through the env var `SPARK_USER`.

Does this PR introduce any user-facing change?

No.

How was this patch tested?

The user name displayed in historypage is escaped even if the name is like `<script>alert('XSS')</script>`.

Was this patch authored or co-authored using generative AI tooling?

No.

@github-actions github-actions bot added the WEB UI label Dec 6, 2025
@dongjoon-hyun (Member) left a comment


+1, LGTM for Spark History Server.

Do we need this in the live UI too, @sarutak ?

@dongjoon-hyun (Member)

cc @yaooqinn

@sarutak (Member, Author) commented Dec 6, 2025

@dongjoon-hyun

> Do we need this in the live UI too, @sarutak ?

I think we need no change for the live UI because the user name in it is escaped on the scala-xml side.

[image: uname-liveui]
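The two rendering paths discussed in this thread (a JavaScript-rendered history page where the user name must be escaped explicitly, and a scala-xml-rendered live UI where text nodes are escaped automatically by the library) come down to the same rule: a field that an environment variable such as `SPARK_USER` can set must never be interpolated into HTML as raw markup. The following is an added example, not Spark's HistoryPage code or anything from this PR; `escapeHtml`, `renderRowUnescaped`, `renderRowEscaped`, `rendersScriptTag` and the `sampleApp` record are constructed here for illustration and are not Spark identifiers. It shows the vulnerable interpolation beside the escaped one and a check a reviewer could run against the rendered markup.

```javascript
// Added example (not Spark's own code): HTML-escape a user-controlled field before
// it is interpolated into a history-page table row. All names below are constructed.

// Minimal HTML text-context escaper: the five characters that can break out of
// an element's text content or start a new tag/attribute.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Constructed sample application record. The `user` field carries the same
// payload-shaped name the PR description uses as its test input.
const sampleApp = {
  id: 'app-20251206-0001',
  name: 'example-job',
  user: "<script>alert('XSS')</script>",
};

// Vulnerable rendering: raw string interpolation, the way this bug class arises.
// Anything in `app.user` is emitted as markup, so a tag becomes a real tag.
function renderRowUnescaped(app) {
  return `<tr><td>${app.id}</td><td>${app.name}</td><td>${app.user}</td></tr>`;
}

// Fixed rendering: every field that a user or deployment can influence goes
// through escapeHtml before reaching the template string. Escaping all fields,
// not only the one currently known to be attacker-controlled, avoids having to
// re-audit the row each time a new field is added.
function renderRowEscaped(app) {
  return (
    `<tr><td>${escapeHtml(app.id)}</td>` +
    `<td>${escapeHtml(app.name)}</td>` +
    `<td>${escapeHtml(app.user)}</td></tr>`
  );
}

// Reviewer check: does the rendered markup contain a live <script> start tag?
// A substring/regex check is enough for this sample; a real test would parse the
// output with a DOM and assert that no element beyond tr/td was created.
function rendersScriptTag(html) {
  return /<script\b/i.test(html);
}

// Stand-alone demonstration of both paths.
console.log('unescaped:', renderRowUnescaped(sampleApp));
console.log('escaped:  ', renderRowEscaped(sampleApp));
console.log('unescaped renders <script>?', rendersScriptTag(renderRowUnescaped(sampleApp)));
console.log('escaped renders <script>?  ', rendersScriptTag(renderRowEscaped(sampleApp)));
```

The escaped row renders the literal text `<script>alert('XSS')</script>` in the user column, which is the behaviour the PR's test description asks for. Escaping at the point of interpolation is what a templating library does for you when it is used through its text-node API (as scala-xml does for the live UI); the risk in hand-built JavaScript rendering is that nothing does it unless the code calls an escaper explicitly.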

@dongjoon-hyun (Member)

Thank you, @sarutak and @yaooqinn .

Merged to master/4.1 for Apache Spark 4.1.0.

dongjoon-hyun pushed a commit that referenced this pull request Dec 6, 2025
### What changes were proposed in this pull request?
This PR aims to escape the user name displayed in historypage.

### Why are the changes needed?
Similar to the issue resolved in #52851, the user name should also get escaped because an arbitrary user name can be set through the env var `SPARK_USER`.

### Does this PR introduce _any_ user-facing change?
No.

### How was this patch tested?
The user name displayed in historypage is escaped even if the name is like `<script>alert('XSS')</script>`.

### Was this patch authored or co-authored using generative AI tooling?
No.

Closes #53364 from sarutak/fix-username-xss.

Authored-by: Kousuke Saruta <[email protected]>
Signed-off-by: Dongjoon Hyun <[email protected]>
(cherry picked from commit 9f3c6a3)
Signed-off-by: Dongjoon Hyun <[email protected]>