Skip to content

Commit 98b1dab

Browse files
shrprasasenthh
shrprasa
authored and
senthh
committed
ODP-2169|[SPARK-39740][UI] Upgrade vis timeline to 7.7.2 to fix CVE-2020-28487
### What changes were proposed in this pull request? Upgrade vis timeline to 7.7.2 Have to add xss option with whitelisting to make the timeline work after the xss protection was added in vis-timeline. (Refer to visjs/vis-timeline#1010) ### Why are the changes needed? To remediate CVE-2020-28487 GHSA-9mrv-456v-pf22 ### Does this PR introduce _any_ user-facing change? No ### How was this patch tested? Manually by running spark-shell and checking History Server UI. Timeline rendered successfully and no change in style. Even after following operation: (1 to 1000).foreach(_ => sc.parallelize(1 to 10).collect) UI loaded in 3 seconds faster than it loaded with 4.21. Closes apache#41613 from shrprasa/upgrade_vis. Authored-by: Shrikant Prasad <[email protected]> Signed-off-by: Sean Owen <[email protected]> (cherry picked from commit a8ea35f)
1 parent 4873b6f commit 98b1dab

File tree

8 files changed

+100
-62
lines changed

8 files changed

+100
-62
lines changed

core/src/main/resources/org/apache/spark/ui/static/timeline-view.js

Lines changed: 27 additions & 13 deletions
Original file line numberDiff line numberDiff line change
@@ -33,14 +33,18 @@ function drawApplicationTimeline(groupArray, eventObjArray, startTime, offset) {
3333
locale: "en",
3434
moment: function (date) {
3535
return vis.moment(date).utcOffset(offset);
36+
},
37+
xss: {
38+
disabled: false,
39+
filterOptions: {
40+
whiteList: { svg: ['width', 'height', 'class'], div: ['class', 'style', 'data-toggle', 'data-placement',
41+
'data-html', 'data-container', 'data-title', 'data-original-title', 'title'],
42+
text: ['x', 'y'], rect: ['x', 'y', 'class', 'width', 'height', 'rx', 'ry'],},
43+
},
3644
}
3745
};
3846

39-
var applicationTimeline = new vis.Timeline(container);
40-
applicationTimeline.setOptions(options);
41-
applicationTimeline.setGroups(groups);
42-
applicationTimeline.setItems(items);
43-
47+
var applicationTimeline = new vis.Timeline(container, items, groups, options);
4448
setupZoomable("#application-timeline-zoom-lock", applicationTimeline);
4549
setupExecutorEventAction();
4650

@@ -121,13 +125,18 @@ function drawJobTimeline(groupArray, eventObjArray, startTime, offset) {
121125
locale: "en",
122126
moment: function (date) {
123127
return vis.moment(date).utcOffset(offset);
128+
},
129+
xss: {
130+
disabled: false,
131+
filterOptions: {
132+
whiteList: { svg: ['width', 'height', 'class'], div: ['class', 'style', 'data-toggle', 'data-placement',
133+
'data-html', 'data-container', 'data-title', 'data-original-title', 'title'],
134+
text: ['x', 'y'], rect: ['x', 'y', 'class', 'width', 'height', 'rx', 'ry'],},
135+
},
124136
}
125137
};
126138

127-
var jobTimeline = new vis.Timeline(container);
128-
jobTimeline.setOptions(options);
129-
jobTimeline.setGroups(groups);
130-
jobTimeline.setItems(items);
139+
var jobTimeline = new vis.Timeline(container, items, groups, options);
131140

132141
setupZoomable("#job-timeline-zoom-lock", jobTimeline);
133142
setupExecutorEventAction();
@@ -214,13 +223,18 @@ function drawTaskAssignmentTimeline(groupArray, eventObjArray, minLaunchTime, ma
214223
locale: "en",
215224
moment: function (date) {
216225
return vis.moment(date).utcOffset(offset);
226+
},
227+
xss: {
228+
disabled: false,
229+
filterOptions: {
230+
whiteList: { svg: ['width', 'height', 'class'], div: ['class', 'style', 'data-toggle', 'data-placement',
231+
'data-html', 'data-container', 'data-title', 'data-original-title', 'title'],
232+
text: ['x', 'y'], rect: ['x', 'y', 'class', 'width', 'height', 'rx', 'ry'],},
233+
},
217234
}
218235
};
219236

220-
var taskTimeline = new vis.Timeline(container);
221-
taskTimeline.setOptions(options);
222-
taskTimeline.setGroups(groups);
223-
taskTimeline.setItems(items);
237+
var taskTimeline = new vis.Timeline(container, items, groups, options);
224238

225239
// If a user zooms while a tooltip is displayed, the user may zoom such that the cursor is no
226240
// longer over the task that the tooltip corresponds to. So, when a user zooms, we should hide

core/src/main/resources/org/apache/spark/ui/static/vis-timeline-graph2d.min.css

Lines changed: 2 additions & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

core/src/main/resources/org/apache/spark/ui/static/vis-timeline-graph2d.min.css.map

Lines changed: 1 addition & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

core/src/main/resources/org/apache/spark/ui/static/vis-timeline-graph2d.min.js

Lines changed: 37 additions & 20 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

core/src/main/resources/org/apache/spark/ui/static/vis-timeline-graph2d.min.js.map

Lines changed: 1 addition & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

dev/.rat-excludes

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -32,7 +32,9 @@ dagre-d3.min.js
3232
graphlib-dot.min.js
3333
sorttable.js
3434
vis-timeline-graph2d.min.js
35+
vis-timeline-graph2d.min.js.map
3536
vis-timeline-graph2d.min.css
37+
vis-timeline-graph2d.min.css.map
3638
dataTables.bootstrap4.1.10.25.min.css
3739
dataTables.bootstrap4.1.10.25.min.js
3840
dataTables.rowsGroup.js

licenses-binary/LICENSE-vis-timeline.txt

Lines changed: 15 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -1,22 +1,23 @@
1-
vis.js
2-
https://github.com/almende/vis
1+
vis-timeline
2+
https://visjs.github.io/vis-timeline/
33

4-
A dynamic, browser-based visualization library.
4+
Create a fully customizable, interactive timeline with items and ranges.
55

6-
@version 4.20.1-SNAPSHOT
7-
@date 2017-10-12
6+
@version 7.7.2
7+
@date 2023-03-22T11:14:31.874Z
88

9-
@license
10-
Copyright (C) 2011-2017 Almende B.V, http://almende.com
9+
@copyright (c) 2011-2017 Almende B.V, http://almende.com
10+
@copyright (c) 2017-2019 visjs contributors, https://github.com/visjs
1111

12-
Vis.js is dual licensed under both
12+
@license
13+
vis.js is dual licensed under both
1314

14-
* The Apache 2.0 License
15-
http://www.apache.org/licenses/LICENSE-2.0
15+
1. The Apache 2.0 License
16+
http://www.apache.org/licenses/LICENSE-2.0
1617

17-
and
18+
and
1819

19-
* The MIT License
20-
http://opensource.org/licenses/MIT
20+
2. The MIT License
21+
http://opensource.org/licenses/MIT
2122

22-
Vis.js may be distributed under either license.
23+
vis.js may be distributed under either license.

licenses/LICENSE-vis-timeline.txt

Lines changed: 15 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -1,22 +1,23 @@
1-
vis.js
2-
https://github.com/almende/vis
1+
vis-timeline
2+
https://visjs.github.io/vis-timeline/
33

4-
A dynamic, browser-based visualization library.
4+
Create a fully customizable, interactive timeline with items and ranges.
55

6-
@version 4.20.1-SNAPSHOT
7-
@date 2017-10-12
6+
@version 7.7.2
7+
@date 2023-03-22T11:14:31.874Z
88

9-
@license
10-
Copyright (C) 2011-2017 Almende B.V, http://almende.com
9+
@copyright (c) 2011-2017 Almende B.V, http://almende.com
10+
@copyright (c) 2017-2019 visjs contributors, https://github.com/visjs
1111

12-
Vis.js is dual licensed under both
12+
@license
13+
vis.js is dual licensed under both
1314

14-
* The Apache 2.0 License
15-
http://www.apache.org/licenses/LICENSE-2.0
15+
1. The Apache 2.0 License
16+
http://www.apache.org/licenses/LICENSE-2.0
1617

17-
and
18+
and
1819

19-
* The MIT License
20-
http://opensource.org/licenses/MIT
20+
2. The MIT License
21+
http://opensource.org/licenses/MIT
2122

22-
Vis.js may be distributed under either license.
23+
vis.js may be distributed under either license.

0 commit comments

Comments
 (0)