Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HTTP Headers server side validation #24379

Draft
wants to merge 2 commits into
base: master
Choose a base branch
from
Draft

HTTP Headers server side validation #24379

wants to merge 2 commits into from
+11 −6

Conversation

kevintang2022
Copy link
Contributor

@kevintang2022 kevintang2022 commented Jan 16, 2025
edited
Loading

Description

Headers X-Presto-Catalog, X-Presto-Schema, X-Presto-Source accept any form of input string. This change will filter out special characters. This is significant because the user input is rendered as HTML on the admin page panel.

Motivation and Context

Impact

Addresses ticket T131500431

Test Plan

  • Unit tests for HTTP Request session context
  • Manual testing by viewing the displayed text in the admin panel
Screenshot 2025-01-16 at 10 58 05 AM Screenshot 2025-01-16 at 10 59 00 AM

Contributor checklist

  • Please make sure your submission complies with our contributing guide, in particular code style and commit standards.
  • PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
  • Documented new properties (with its default value), SQL syntax, functions, or other functionality.
  • If release notes are required, they follow the release notes guidelines.
  • Adequate tests were added if applicable.
  • CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

General Changes
* ... :pr:`12345`
* ... :pr:`12345`

Hive Connector Changes
* ... :pr:`12345`
* ... :pr:`12345`

If release note is NOT required, use:

== NO RELEASE NOTE ==

@rschlussel
Copy link
Contributor

I think the task was about validating the input, not filtering how it gets displayed. If we are rendering the string in a way that makes it not become executable code, i'm not sure why it matters if there are special characters.

@kevintang2022
Copy link
Contributor Author

I think the task was about validating the input, not filtering how it gets displayed. If we are rendering the string in a way that makes it not become executable code, i'm not sure why it matters if there are special characters.

"Validating the input" . What would this mean? If we receive some headers that have special characters, should we drop the request then?

@rschlussel
Copy link
Contributor

I think the task was about validating the input, not filtering how it gets displayed. If we are rendering the string in a way that makes it not become executable code, i'm not sure why it matters if there are special characters.

"Validating the input" . What would this mean? If we receive some headers that have special characters, should we drop the request then?

I guess so, though i'm not sure we restrict what characters can be used in a catalog name, so not sure any of these are invalid input. Maybe let's hold off on this for now. I'm not sure there's a real security risk here, as long as we handle these properly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@kevintang2022 @rschlussel