From 04362c8d4c7d55ecb0c99223264f7c1479f2c3f4 Mon Sep 17 00:00:00 2001
From: Sumi Mathew <sumimathew90@gmail.com>
Date: Tue, 12 Nov 2024 17:10:15 +0530
Subject: [PATCH] Fix for Cross Site Scripting Rule

---
 pom.xml                                                     | 6 ++++++
 presto-accumulo/pom.xml                                     | 1 -
 presto-bigquery/pom.xml                                     | 5 ++++-
 presto-hive-function-namespace/pom.xml                      | 6 ++++++
 presto-main/pom.xml                                         | 5 +++++
 .../facebook/presto/server/AsyncPageTransportServlet.java   | 3 +++
 presto-parquet/pom.xml                                      | 1 -
 presto-pinot-toolkit/pom.xml                                | 4 ++++
 8 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/pom.xml b/pom.xml
index a2dc8d37c01e4..364ca0b1bad3c 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1411,6 +1411,12 @@
                 <version>3.6.1</version>
             </dependency>
 
+            <dependency>
+                <groupId>org.apache.commons</groupId>
+                <artifactId>commons-lang3</artifactId>
+                <version>3.14.0</version>
+            </dependency>
+
             <dependency>
                 <groupId>org.apache.commons</groupId>
                 <artifactId>commons-text</artifactId>
diff --git a/presto-accumulo/pom.xml b/presto-accumulo/pom.xml
index 86a7e17f8062e..731a77f383a5b 100644
--- a/presto-accumulo/pom.xml
+++ b/presto-accumulo/pom.xml
@@ -232,7 +232,6 @@
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
-            <version>3.4</version>
         </dependency>
 
         <dependency>
diff --git a/presto-bigquery/pom.xml b/presto-bigquery/pom.xml
index 2af6770914fe6..6cb5a0bfb9f11 100644
--- a/presto-bigquery/pom.xml
+++ b/presto-bigquery/pom.xml
@@ -47,7 +47,6 @@
             <dependency>
                 <groupId>org.apache.commons</groupId>
                 <artifactId>commons-lang3</artifactId>
-                <version>3.11</version>
             </dependency>
 
             <dependency>
@@ -206,6 +205,10 @@
                     <groupId>io.grpc</groupId>
                     <artifactId>grpc-protobuf-lite</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.apache.commons</groupId>
+                    <artifactId>commons-lang3</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
 
diff --git a/presto-hive-function-namespace/pom.xml b/presto-hive-function-namespace/pom.xml
index e400e547ef0d0..7c7b135f66335 100644
--- a/presto-hive-function-namespace/pom.xml
+++ b/presto-hive-function-namespace/pom.xml
@@ -36,6 +36,12 @@
         <dependency>
             <groupId>org.apache.hive</groupId>
             <artifactId>hive-llap-common</artifactId>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.apache.commons</groupId>
+                    <artifactId>commons-lang3</artifactId>
+                </exclusion>
+            </exclusions>
         </dependency>
 
         <dependency>
diff --git a/presto-main/pom.xml b/presto-main/pom.xml
index f6ab94cfd3330..f916928f8f171 100644
--- a/presto-main/pom.xml
+++ b/presto-main/pom.xml
@@ -36,6 +36,11 @@
             <artifactId>commons-math3</artifactId>
         </dependency>
 
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+        </dependency>
+
         <dependency>
             <groupId>com.facebook.presto</groupId>
             <artifactId>presto-spi</artifactId>
diff --git a/presto-main/src/main/java/com/facebook/presto/server/AsyncPageTransportServlet.java b/presto-main/src/main/java/com/facebook/presto/server/AsyncPageTransportServlet.java
index 7619c3bb6f5dd..83eb73d3f15ef 100644
--- a/presto-main/src/main/java/com/facebook/presto/server/AsyncPageTransportServlet.java
+++ b/presto-main/src/main/java/com/facebook/presto/server/AsyncPageTransportServlet.java
@@ -29,6 +29,7 @@
 import com.google.common.util.concurrent.ListenableFuture;
 import io.airlift.units.DataSize;
 import io.airlift.units.Duration;
+import org.apache.commons.lang3.StringEscapeUtils;
 import org.weakref.jmx.Managed;
 import org.weakref.jmx.Nested;
 
@@ -116,6 +117,7 @@ protected void doGet(HttpServletRequest request, HttpServletResponse response)
     protected void reportFailure(HttpServletResponse response, String message)
             throws IOException
     {
+        message = StringEscapeUtils.escapeHtml4(message);
         response.sendError(SC_BAD_REQUEST, message);
     }
 
@@ -181,6 +183,7 @@ public void onError(AsyncEvent event)
             {
                 String errorMessage = format("Server error to process task result request %s : %s", requestURI, event.getThrowable().getMessage());
                 log.error(event.getThrowable(), errorMessage);
+                errorMessage = StringEscapeUtils.escapeHtml4(errorMessage);
                 response.sendError(SC_INTERNAL_SERVER_ERROR, errorMessage);
             }
 
diff --git a/presto-parquet/pom.xml b/presto-parquet/pom.xml
index 0dd58524b084f..a3e55f4270eda 100644
--- a/presto-parquet/pom.xml
+++ b/presto-parquet/pom.xml
@@ -121,7 +121,6 @@
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-lang3</artifactId>
-            <version>3.4</version>
             <scope>test</scope>
         </dependency>
 
diff --git a/presto-pinot-toolkit/pom.xml b/presto-pinot-toolkit/pom.xml
index 3e94aaaedaec9..580c3fbd94ecf 100644
--- a/presto-pinot-toolkit/pom.xml
+++ b/presto-pinot-toolkit/pom.xml
@@ -314,6 +314,10 @@
                     <groupId>com.fasterxml.jackson.dataformat</groupId>
                     <artifactId>jackson-dataformat-yaml</artifactId>
                 </exclusion>
+                <exclusion>
+                    <groupId>org.apache.commons</groupId>
+                    <artifactId>commons-lang3</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <dependency>