Skip to content

Commit

Permalink
[ui] Restrict CodeLocationSource hostnames (dagster-io#27364)
Browse files Browse the repository at this point in the history 
## Summary & Motivation

Try to resolve:

- https://github.com/dagster-io/dagster/security/code-scanning/18
- https://github.com/dagster-io/dagster/security/code-scanning/19

Within `CodeLocationSource`, we currently check whether `github.com` or
`gitlab.com` are included in the hostname at all. This only affects how
we render the outbound link or button, but even so, we should be more
restrictive about this.

## How I Tested These Changes

`yarn jest CodeLocationSource`
  • Loading branch information
@hellendag @LoHertel
hellendag authored and LoHertel committed Feb 11, 2025
1 parent 330999f commit 1918c94
Show file tree
Hide file tree
Showing 2 changed files with 16 additions and 3 deletions.
8 changes: 5 additions & 3 deletions js_modules/dagster-ui/packages/ui-core/src/workspace/CodeLocationSource.tsx
View file
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,9 @@ type RepoURLType =
| {type: 'gitlab-url'; url: URL}
| {type: 'unknown-url'; url: URL};

const GITHUB_HOSTNAMES = new Set(['github.com', 'www.github.com']);
const GITLAB_HOSTNAMES = new Set(['gitlab.com', 'www.gitlab.com']);

export const extractRepoURL = (metadata: Metadata[]): RepoURLType => {
const metadataWithURL = metadata.find(({key}) => key === 'url');
if (!metadataWithURL) {
Expand All @@ -65,13 +68,12 @@ export const extractRepoURL = (metadata: Metadata[]): RepoURLType => {
return {type: 'non-url', value};
}

const isGithub = url.hostname.includes('github.com');
const isGitlab = url.hostname.includes('gitlab.com');

const isGithub = GITHUB_HOSTNAMES.has(url.hostname);
if (isGithub) {
return {type: 'github-url', url};
}

const isGitlab = GITLAB_HOSTNAMES.has(url.hostname);
if (isGitlab) {
return {type: 'gitlab-url', url};
}
Expand Down
11 changes: 11 additions & 0 deletions js_modules/dagster-ui/packages/ui-core/src/workspace/__tests__/CodeLocationSource.test.tsx
View file
Original file line number Diff line number Diff line change
Expand Up @@ -52,4 +52,15 @@ describe('CodeLocationSource', () => {
expect(link.getAttribute('href')).toBe(cleanedUrl);
expect(link.textContent).toBe(cleanedUrl);
});

it('is treated as a plain link if a sneaky GitHub-like hostname is provided', () => {
const url = 'https://not-really-github.com/gh-namespace/foo-project/abcd1234';
const metadata = [{key: 'url', value: url}];

render(<CodeLocationSource metadata={metadata} />);

const link = screen.getByRole('link', {name: /not-really-github/});
expect(link).toBeVisible();
expect(link).toHaveAttribute('href', url);
});
});

0 comments on commit 1918c94

Please sign in to comment.