Added data sanitization to queryId and nodeId, along with encodeURIComponent to queryId & nodeId.

sh-shamsan · Mohammed Alhazmi · yingsu00 · commit 77b64b0e91ef · 2025-02-11T16:55:34.000-08:00
Co-authored-by: Mohammed Alhazmi &lt;alhazmi@ibm.com&gt;
diff --git a/presto-ui/src/components/QueryDetail.jsx b/presto-ui/src/components/QueryDetail.jsx
@@ -912,10 +912,20 @@ export class QueryDetail extends React.Component {
         }
     }
 
+    static getQueryURL(id) {
+            if (!id || typeof id !== 'string' || id.length === 0) {
+                return "/v1/query/undefined";
+            }
+            const sanitizedId = id.replace(/[^a-z0-9_]/gi, '');
+            return sanitizedId.length > 0 ? `/v1/query/${encodeURIComponent(sanitizedId)}` : "/v1/query/undefined";
+         }
+
+
     refreshLoop() {
         clearTimeout(this.timeoutId); // to stop multiple series of refreshLoop from going on simultaneously
-        const queryId = getFirstParameter(window.location.search);
-        $.get('/v1/query/' + queryId, function (query) {
+        const queryId =  getFirstParameter(window.location.search);
+
+        $.get(QueryDetail.getQueryURL(queryId), function (query) {
             let lastSnapshotStages = this.state.lastSnapshotStage;
             if (this.state.stageRefresh) {
                 lastSnapshotStages = query.outputStage;
diff --git a/presto-ui/src/components/StageDetail.jsx b/presto-ui/src/components/StageDetail.jsx
@@ -506,12 +506,18 @@ export class StageDetail extends React.Component {
             this.timeoutId = setTimeout(this.refreshLoop, 1000);
         }
     }
+     static getQueryURL(id) {
+        if (!id || typeof id !== 'string' || id.length === 0) {
+            return "/v1/query/undefined";
+        }
+        const sanitizedId = id.replace(/[^a-z0-9_]/gi, '');
+        return sanitizedId.length > 0 ? `/v1/query/${encodeURIComponent(sanitizedId)}` : "/v1/query/undefined";
+     }
 
     refreshLoop() {
         clearTimeout(this.timeoutId); // to stop multiple series of refreshLoop from going on simultaneously
         const queryString = getFirstParameter(window.location.search).split('.');
-        const queryId = queryString.length > 0 ? queryString[0] : "undefined";
-
+        const rawQueryId = queryString.length > 0 ? queryString[0] : "";
         let selectedStageId = this.state.selectedStageId;
         if (selectedStageId === null) {
             selectedStageId = 0;
@@ -520,7 +526,8 @@ export class StageDetail extends React.Component {
             }
         }
 
-        $.get('/v1/query/' + queryId, query => {
+       
+        $.get(StageDetail.getQueryURL(rawQueryId), query => {
             this.setState({
                 initialized: true,
                 ended: query.finalQueryInfo,
diff --git a/presto-ui/src/components/WorkerStatus.jsx b/presto-ui/src/components/WorkerStatus.jsx
@@ -50,11 +50,18 @@ export class WorkerStatus extends React.Component {
             this.timeoutId = setTimeout(this.refreshLoop, 1000);
         }
     }
+    static getStatusQuery(id){
+        // Node ID does not have a common pattern
+        if (id.length === 0) {
+            return "/v1/worker/undefined/status";
+        }
+        return `/v1/worker/${encodeURIComponent(id)}/status`;
+    }
 
     refreshLoop() {
         clearTimeout(this.timeoutId); // to stop multiple series of refreshLoop from going on simultaneously
-        const nodeId = getFirstParameter(window.location.search);
-        $.get('/v1/worker/' + nodeId + '/status', function (serverInfo) {
+
+        $.get(WorkerStatus.getStatusQuery(getFirstParameter(window.location.search)), function (serverInfo) {
             this.setState({
                 serverInfo: serverInfo,
                 initialized: true,
diff --git a/presto-ui/src/components/WorkerThreadList.jsx b/presto-ui/src/components/WorkerThreadList.jsx
@@ -40,10 +40,15 @@ export class WorkerThreadList extends React.Component {
             selectedThreadState: ALL_THREAD_STATE,
         };
     }
-
+    static getRequestQuery(id){
+            // Node ID does not have a common pattern
+        if (id.length === 0) {
+            return "/v1/worker/undefined/thread";
+        }
+        return `/v1/worker/${encodeURIComponent(id)}/thread`;
+        }
     captureSnapshot() {
-        const nodeId = getFirstParameter(window.location.search);
-        $.get('/v1/worker/' + nodeId + '/thread', function (threads) {
+        $.get(WorkerThreadList.getRequestQuery(getFirstParameter(window.location.search)), function (threads) {
             this.setState({
                 threads: WorkerThreadList.processThreads(threads),
                 snapshotTime: new Date(),
