orchestrator: prevent XSS attack via 'orchestrator-msg' params #7526

Merged
merged 1 commit into from
Feb 23, 2021


shlomi-noach

@shlomi-noach shlomi-noach commented Feb 21, 2021

Reported for both vitess and orchestrator: orchestrator allows an XSS attack via the orchestrator-msg param. This PR sanitizes the orchestrator-msg param.

related orchestrator PR: openark/orchestrator#1313

Checklist

  • Should this PR be backported?
  • Tests were added or are not required
  • Documentation was added or is not required

Impacted Areas in Vitess

Components that this PR will affect:

  • Query Serving
  • VReplication
  • Cluster Management
  • Build/CI
  • VTAdmin

Signed-off-by: Shlomi Noach <2607934+shlomi-noach@users.noreply.github.com>
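The class of bug described in the PR above, as an added example that is not code from this PR or from orchestrator: a message taken from the `orchestrator-msg` query parameter is rendered once by concatenation and once after HTML escaping. The function names, host and sample URLs are constructed for illustration.

```javascript
"use strict";

// Read the raw value of ?orchestrator-msg=... from a URL.
// Anyone who can get a user to follow a link controls this value.
function readMsgParam(url) {
  return new URL(url).searchParams.get("orchestrator-msg") || "";
}

// Escape the characters that let text break out of an HTML text or
// quoted-attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the parameter is concatenated into markup unchanged,
// so any tags it carries become part of the page.
function renderBannerUnsafe(url) {
  return '<div class="alert">' + readMsgParam(url) + "</div>";
}

// Hardened pattern: the parameter is treated as text, never as markup.
function renderBannerSafe(url) {
  return '<div class="alert">' + escapeHtml(readMsgParam(url)) + "</div>";
}

// Constructed sample inputs (hypothetical host and path).
const benignUrl =
  "http://orchestrator.example/web/clusters?orchestrator-msg=Cluster+alias+updated";
const hostileUrl =
  "http://orchestrator.example/web/clusters?orchestrator-msg=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E";

// Detection helper for review or tests: does the rendered banner contain
// any element other than the wrapping <div>?
function bannerContainsInjectedMarkup(html) {
  const inner = html.replace(/^<div class="alert">/, "").replace(/<\/div>$/, "");
  return /<[a-zA-Z!\/]/.test(inner);
}

for (const u of [benignUrl, hostileUrl]) {
  console.log("unsafe:", renderBannerUnsafe(u));
  console.log("safe:  ", renderBannerSafe(u));
}
```

In a browser the same effect is usually achieved by assigning the value to `textContent` (or jQuery's `.text()`) instead of building an HTML string.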

@deepthi deepthi left a comment


LGTM

@deepthi deepthi requested review from doeg and rohit-nayak-ps and removed request for sougou February 22, 2021 20:18
@shlomi-noach shlomi-noach merged commit b76bfcf into vitessio:master Feb 23, 2021
@shlomi-noach shlomi-noach deleted the orcestrator-xss-msg branch February 23, 2021 04:16
@askdba askdba added this to the v10.0 milestone Feb 26, 2021
3 participants