Hawkular / HAWKULAR-553

Url input is not validated (enough)

      Description

      The url input is not validated. It is possible to enter e.g. 'javascript:alert(1)' as url to be monitored.

      There seems to be some validation in the sense that an error text is shown and the submit button is disabled, but just pressing return submits the entered data anyway.

      Consequence is that:

      • url list does not show
      • any subsequent try to add a new url (only) partially works.
      • inventory entry is only partially populated

      Response{protocol=http/1.1, code=200, message=OK, url=http://172.31.7.7:8080/hawkular/inventory/resourceTypes/URL/resources}
      [ {
        "path" : "/e;test/r;d41d8cd98f00b204e9800998ecf8427e",
        "type" : {
          "path" : "/rt;URL",
          "tenantId" : "28026b36-8fe4-4332-84c8-524e173a68bf",
          "id" : "URL"
        },
        "environmentId" : "test",
        "tenantId" : "28026b36-8fe4-4332-84c8-524e173a68bf",
        "id" : "d41d8cd98f00b204e9800998ecf8427e"
      }, {
        "path" : "/e;test/r;536cc3ede5769b60a49774425aedba24",
        "type" : {
          "path" : "/rt;URL",
          "tenantId" : "28026b36-8fe4-4332-84c8-524e173a68bf",
          "id" : "URL"
        },
        "properties" : {
          "trait-collected-on" : 1439543000065,
          "trait-powered-by" : "Apache",
          "trait-remote-address" : "212.86.200.189",
          "url" : "http://bsd.de"
        },
        "environmentId" : "test",
        "tenantId" : "28026b36-8fe4-4332-84c8-524e173a68bf",
        "id" : "536cc3ede5769b60a49774425aedba24"
      }, {
        "path" : "/e;test/r;62510c1f7c55020b4855f7564ef37586",
        "type" : {
          "path" : "/rt;URL",
          "tenantId" : "28026b36-8fe4-4332-84c8-524e173a68bf",
          "id" : "URL"
        },
        "properties" : {
          "trait-collected-on" : 1439543000378,
          "trait-powered-by" : "GitHub.com",
          "trait-remote-address" : "185.31.19.133",
          "url" : "http://hawkular.org"
        },
        "environmentId" : "test",
        "tenantId" : "28026b36-8fe4-4332-84c8-524e173a68bf",
        "id" : "62510c1f7c55020b4855f7564ef37586"
      } ]
      

      As a follow-up, Pinger cannot deal with that bogus entry and throws exceptions:

      10:58:20,233 ERROR [org.jboss.as.ejb3.invocation] (EJB default - 8) WFLYEJB0034: EJB Invocation failed on component Pinger for method public java.util.concurrent.Future org.hawkular.component.pinger.Pinger.ping(org.hawkular.component.pinger.PingDestination): javax.ejb.EJBException: java.lang.IllegalStateException: Target host is null
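
      An added example, not part of the original report and not Hawkular code: a URL check with a scheme allowlist, plus a submit handler that runs the check itself, so that pressing return cannot skip it the way a disabled button can be skipped. The names `validateMonitorUrl`, `onSubmit` and `saveResource` are hypothetical.

```javascript
// Added example; function and parameter names are hypothetical.
// Only these schemes describe something an HTTP pinger can reach.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns { ok: true, url } with the normalized URL,
// or { ok: false, reason } describing why the input was rejected.
function validateMonitorUrl(input) {
  if (typeof input !== "string" || input.trim() === "") {
    return { ok: false, reason: "empty" };
  }
  let parsed;
  try {
    // WHATWG URL parser; throws on input without a scheme, e.g. "bsd.de".
    parsed = new URL(input.trim());
  } catch (e) {
    return { ok: false, reason: "unparseable" };
  }
  // 'javascript:alert(1)' parses successfully, so the scheme must be
  // checked explicitly against the allowlist.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: "scheme-not-allowed" };
  }
  // The parser already rejects http(s) URLs without a host; this guard
  // keeps the "host is present" requirement explicit.
  if (parsed.hostname === "") {
    return { ok: false, reason: "missing-host" };
  }
  return { ok: true, url: parsed.href };
}

// Submit handler: called for a button click and for the Enter key alike,
// so it validates on its own instead of trusting the button state.
// saveResource stands in for the call that creates the inventory entry.
function onSubmit(rawValue, saveResource) {
  const result = validateMonitorUrl(rawValue);
  if (!result.ok) {
    return result; // nothing is sent to the inventory
  }
  saveResource(result.url);
  return result;
}
```

      The same check belongs in the server code that accepts the resource, because anything enforced only in the browser can be bypassed.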
      

              People

              • Assignee: vrockai Viliam Rockai
              • Reporter: pilhuhn Heiko Rupp