Fix XSS warnings (open-metadata#11620)

Author: pmbrull

.snyk

@@ -6,3 +6,7 @@ exclude:
   global:
     - ingestion/examples/**
     - ingestion/tests/**
+    - openmetadata-ui/src/main/resources/ui/cypress/**
+    - openmetadata-ui/src/main/resources/ui/src/pages/service/mocks/**
+    - openmetadata-ui/src/main/resources/ui/src/components/common/TestConnection/TestConnection.mock.ts
+    - openmetadata-service/src/test/**

openmetadata-airflow-apis/openmetadata_managed_apis/api/routes/deploy.py

@@ -61,7 +61,7 @@ def deploy_dag() -> Response:
                     error=f"Did not receive any JSON request to deploy",
                 )
 
-            ingestion_pipeline = IngestionPipeline(**json_request)
+            ingestion_pipeline = IngestionPipeline.parse_obj(json_request)
 
             deployer = DagDeployer(ingestion_pipeline)
             response = deployer.deploy()

openmetadata-airflow-apis/openmetadata_managed_apis/api/routes/ip.py

@@ -15,7 +15,7 @@
 from typing import Callable, Optional
 
 import requests
-from flask import Blueprint
+from flask import Blueprint, escape
 from openmetadata_managed_apis.api.response import ApiResponse
 from openmetadata_managed_apis.utils.logger import routes_logger
 from requests.exceptions import ConnectionError
@@ -70,7 +70,7 @@ def get_host_ip():
             for ip_service in IP_SERVICES:
                 host_ip = _get_ip_safely(ip_service)
                 if host_ip:
-                    return ApiResponse.success({"ip": host_ip})
+                    return ApiResponse.success({"ip": escape(host_ip)})
 
             # If we cannot fetch the IP, still return a 200 but without informing the IP.
             return ApiResponse.success({"ip": "unknown"})

openmetadata-airflow-apis/openmetadata_managed_apis/api/routes/run_automation.py

@@ -14,7 +14,7 @@
 import traceback
 from typing import Callable
 
-from flask import Blueprint, Response, request
+from flask import Blueprint, Response, escape, request
 from openmetadata_managed_apis.api.response import ApiResponse
 from openmetadata_managed_apis.utils.logger import routes_logger
 from openmetadata_managed_apis.workflows.ingestion.credentials_builder import (
@@ -73,7 +73,7 @@ def run_automation() -> Response:
 
             return ApiResponse.success(
                 {
-                    "message": f"Workflow [{automation_workflow.name}] has been triggered."
+                    "message": f"Workflow [{escape(automation_workflow.name)}] has been triggered."
                 }
             )
 

openmetadata-airflow-apis/openmetadata_managed_apis/operations/deploy.py

@@ -15,8 +15,8 @@
 from typing import Dict
 
 from airflow import DAG, settings
-from airflow.jobs.scheduler_job import SchedulerJob
 from airflow.models import DagModel
+from flask import escape
 from jinja2 import Template
 from openmetadata_managed_apis.api.config import (
     AIRFLOW_DAGS_FOLDER,
@@ -94,7 +94,7 @@ def store_and_validate_dag_file(self, dag_runner_config: Dict[str, str]) -> str:
 
         # Open the template and render
         raw_template = pkgutil.get_data(PLUGIN_NAME, "resources/dag_runner.j2").decode()
-        template = Template(raw_template)
+        template = Template(raw_template, autoescape=True)
 
         rendered_dag = template.render(dag_runner_config)
 
@@ -151,7 +151,7 @@ def refresh_session_dag(self, dag_py_file: str):
         scan_dags_job_background()
 
         return ApiResponse.success(
-            {"message": f"Workflow [{self.dag_id}] has been created"}
+            {"message": f"Workflow [{escape(self.dag_id)}] has been created"}
         )
 
     def deploy(self):