Use spec-compliant URL parser to parse next URL parameter.
#183521
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
azasypkin
added
chore
Team:Security
|
/ci |
azasypkin
force-pushed
the
issue-xxx-parse-next
branch
from
8234e28
to
2111045
Compare
|
/ci |
azasypkin
force-pushed
the
issue-xxx-parse-next
branch
from
2111045
to
d6ca29f
Compare
azasypkin
force-pushed
the
issue-xxx-parse-next
branch
from
d6ca29f
to
8fea2be
Compare
|
/ci |
azasypkin
commented
May 16, 2024
| // URL (//), or a scheme-relative URL with an empty host (///). Browsers may process such URLs unexpectedly due to | ||
| // backward compatibility reasons (e.g., a browser may treat `///abc.com` as just `abc.com`). For more details, refer | ||
| // to https://url.spec.whatwg.org/#concept-basic-url-parser and https://url.spec.whatwg.org/#url-representation. | ||
| let normalizedURL: URL; |
There was a problem hiding this comment.
note: hopefully, we can get rid of this trickery when/if this is accepted and implemented: whatwg/url#531
Flaky Test Runner Stats🎉 All tests passed! - kibana-flaky-test-suite-runner#6010[✅] x-pack/test/security_functional/login_selector.config.ts: 65/65 tests passed. |
|
Pinging @elastic/kibana-security (Team:Security) |
pgayvallet
approved these changes
May 16, 2024
| // to https://url.spec.whatwg.org/#concept-basic-url-parser and https://url.spec.whatwg.org/#url-representation. | ||
| let normalizedURL: URL; | ||
| try { | ||
| for (const baseURL of ['http://example.org:5601', 'https://example.com']) { |
There was a problem hiding this comment.
QQ: why do we need the one with the port there? isn't https://example.com not enough for normalization?
There was a problem hiding this comment.
Based on what we know today, it's redundant, agreed. The idea was to have two base URLs that differ in all three parts of the origin (protocol, host, and port) just to ensure there is no way to exploit any backward compatibility browser quirk that we're not aware of yet to make the browser treat a relative URL as an absolute one.
jeramysoucy
reviewed
May 16, 2024
Comment on lines
65
to
76
| it('should return `false` if absolute URL contains tabs or new lines', () => { | ||
| for (const char of ['\t', '\n', '\r', '\t\n\r']) { | ||
| for (const url of [ | ||
| `/${char}/${basePath}app/kibana`, | ||
| `/${char}//${basePath}app/kibana`, | ||
| `//${char}/${basePath}app/kibana`, | ||
| `htt${char}ps://example.com${basePath}`, | ||
| `htt${char}p://example.org:5601${basePath}`, | ||
| `file${char}://example.com${basePath}`, | ||
| `htt${char}p://example.org:5601${char}${basePath}`, | ||
| `https:/${char}/example.com${char}${basePath}`, | ||
| ]) { |
There was a problem hiding this comment.
Wouldn't these all return false anyway, even without the special character? Should we have at least one test case that would otherwise return true, if not for the tab/newline?
There was a problem hiding this comment.
I've explained the idea in https://github.com/elastic/kibana/pull/183521/files#r1603774927, but in this specific case (with the base path) you're right - these all seem to return false even with the previous code, which is not what we want. Let me take a look.
Comment on lines
107
to
130
| it('should return `false` if absolute URL contains tabs or new lines', () => { | ||
| for (const char of ['\t', '\n', '\r', '\t\n\r']) { | ||
| for (const url of [ | ||
| `/${char}/app/kibana`, | ||
| `/${char}//app/kibana`, | ||
| `//${char}/app/kibana`, | ||
| `/${char}/example.com`, | ||
| `/${char}//example.com`, | ||
| `//${char}/example.com`, | ||
| `htt${char}ps://example.com`, | ||
| `/${char}/example.org`, | ||
| `/${char}//example.org`, | ||
| `//${char}/example.org`, | ||
| `htt${char}ps://example.org`, | ||
| `/${char}/example.org:5601`, | ||
| `/${char}//example.org:5601`, | ||
| `//${char}/example.org:5601`, | ||
| `htt${char}ps://example.org:5601`, | ||
| `java${char}script:alert(1)`, | ||
| `htt${char}p://example.org:5601`, | ||
| `https:/${char}/example.com`, | ||
| `file${char}://example.com`, | ||
| `https://example${char}.com/path`, | ||
| ]) { |
There was a problem hiding this comment.
Same here. These would all return false, even without the special character. Should we have at least one test case that would otherwise return true, if not for the tab/newline?
I tried this with using '/app/kibana#/discover/New-Saved-Search' (from the true test case) and adding the special char in various places, but it still returned true. Am I misinterpreting the test?
There was a problem hiding this comment.
These would all return false, even without the special character.
Without the special character, they will behave as expected with both the current and previous code and return false, and we have existing tests for this behavior. The issue I'm trying to cover here is that with the previous code, the presence of the special character made this function mistakenly return true instead of false. Try reverting the changes in is_internal_url.ts but keep the tests.
Does that make sense?
Should we have at least one test case that would otherwise return true, if not for the tab/newline?
Yeah, I think it's a good idea. What about having a similar loop with a subset of the URLs tested here, but with a white space instead of \t\r\n that should cause the function to return true?
There was a problem hiding this comment.
Okay, I've made an attempt to make the intention a bit clearer in unit tests in 96772c3. @jeramysoucy let me know if it helps.
There was a problem hiding this comment.
Yes, this is much more clear to me now. Thanks, Oleg!
…bs/newlines, spaces, and other characters
💚 Build Succeeded
Metrics [docs]Page load bundle
History
To update your PR or re-run it, just comment with: |
💔 All backports failed
Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
azasypkin
added a commit
to azasypkin/kibana
that referenced
this pull request
May 17, 2024
…#183521) ## Summary The Node.js URL parser [has been deprecated](https://nodejs.org/api/url.html#urlparseurlstring-parsequerystring-slashesdenotehost) and we should start slowly switching to the [spec-compliant URL parser](https://url.spec.whatwg.org/#url-parsing) to parse URLs in Kibana starting from the `next` query string parameter. __Flaky Test Runner:__ [x65 for every added functional test](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6010) (cherry picked from commit b306f00) # Conflicts: # .github/CODEOWNERS # x-pack/plugins/security/common/is_internal_url.ts
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
azasypkin
added a commit
to azasypkin/kibana
that referenced
this pull request
May 17, 2024
…#183521) ## Summary The Node.js URL parser [has been deprecated](https://nodejs.org/api/url.html#urlparseurlstring-parsequerystring-slashesdenotehost) and we should start slowly switching to the [spec-compliant URL parser](https://url.spec.whatwg.org/#url-parsing) to parse URLs in Kibana starting from the `next` query string parameter. __Flaky Test Runner:__ [x65 for every added functional test](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6010) (cherry picked from commit b306f00) # Conflicts: # .github/CODEOWNERS # x-pack/plugins/security/common/is_internal_url.ts
azasypkin
added a commit
that referenced
this pull request
May 17, 2024
…183521) (#183726) # Backport This will backport the following commits from `main` to `8.14`: - [Use spec-compliant URL parser to parse `next` URL parameter. (#183521)](#183521) <!--- Backport version: 8.9.8 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Aleh Zasypkin","email":"aleh.zasypkin@elastic.co"},"sourceCommit":{"committedDate":"2024-05-17T11:39:52Z","message":"Use spec-compliant URL parser to parse `next` URL parameter. (#183521)\n\n## Summary\r\n\r\nThe Node.js URL parser [has been\r\ndeprecated](https://nodejs.org/api/url.html#urlparseurlstring-parsequerystring-slashesdenotehost)\r\nand we should start slowly switching to the [spec-compliant URL\r\nparser](https://url.spec.whatwg.org/#url-parsing) to parse URLs in\r\nKibana starting from the `next` query string parameter.\r\n\r\n__Flaky Test Runner:__ [x65 for every added functional\r\ntest](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6010)","sha":"b306f007fbcc723bffffd67b3867f6a563ffae2d","branchLabelMapping":{"^v8.15.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["chore","Team:Security","release_note:skip","backport:all-open","v8.15.0"],"number":183521,"url":"https://github.com/elastic/kibana/pull/183521","mergeCommit":{"message":"Use spec-compliant URL parser to parse `next` URL parameter. (#183521)\n\n## Summary\r\n\r\nThe Node.js URL parser [has been\r\ndeprecated](https://nodejs.org/api/url.html#urlparseurlstring-parsequerystring-slashesdenotehost)\r\nand we should start slowly switching to the [spec-compliant URL\r\nparser](https://url.spec.whatwg.org/#url-parsing) to parse URLs in\r\nKibana starting from the `next` query string parameter.\r\n\r\n__Flaky Test Runner:__ [x65 for every added functional\r\ntest](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6010)","sha":"b306f007fbcc723bffffd67b3867f6a563ffae2d"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v8.15.0","labelRegex":"^v8.15.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/183521","number":183521,"mergeCommit":{"message":"Use spec-compliant URL parser to parse `next` URL parameter. (#183521)\n\n## Summary\r\n\r\nThe Node.js URL parser [has been\r\ndeprecated](https://nodejs.org/api/url.html#urlparseurlstring-parsequerystring-slashesdenotehost)\r\nand we should start slowly switching to the [spec-compliant URL\r\nparser](https://url.spec.whatwg.org/#url-parsing) to parse URLs in\r\nKibana starting from the `next` query string parameter.\r\n\r\n__Flaky Test Runner:__ [x65 for every added functional\r\ntest](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6010)","sha":"b306f007fbcc723bffffd67b3867f6a563ffae2d"}}]}] BACKPORT-->
azasypkin
added a commit
that referenced
this pull request
May 17, 2024
…183521) (#183728) # Backport This will backport the following commits from `main` to `7.17`: - [Use spec-compliant URL parser to parse `next` URL parameter. (#183521)](#183521) <!--- Backport version: 8.9.8 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Aleh Zasypkin","email":"aleh.zasypkin@elastic.co"},"sourceCommit":{"committedDate":"2024-05-17T11:39:52Z","message":"Use spec-compliant URL parser to parse `next` URL parameter. (#183521)\n\n## Summary\r\n\r\nThe Node.js URL parser [has been\r\ndeprecated](https://nodejs.org/api/url.html#urlparseurlstring-parsequerystring-slashesdenotehost)\r\nand we should start slowly switching to the [spec-compliant URL\r\nparser](https://url.spec.whatwg.org/#url-parsing) to parse URLs in\r\nKibana starting from the `next` query string parameter.\r\n\r\n__Flaky Test Runner:__ [x65 for every added functional\r\ntest](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6010)","sha":"b306f007fbcc723bffffd67b3867f6a563ffae2d","branchLabelMapping":{"^v8.15.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["chore","Team:Security","release_note:skip","backport:all-open","v8.15.0"],"number":183521,"url":"https://github.com/elastic/kibana/pull/183521","mergeCommit":{"message":"Use spec-compliant URL parser to parse `next` URL parameter. (#183521)\n\n## Summary\r\n\r\nThe Node.js URL parser [has been\r\ndeprecated](https://nodejs.org/api/url.html#urlparseurlstring-parsequerystring-slashesdenotehost)\r\nand we should start slowly switching to the [spec-compliant URL\r\nparser](https://url.spec.whatwg.org/#url-parsing) to parse URLs in\r\nKibana starting from the `next` query string parameter.\r\n\r\n__Flaky Test Runner:__ [x65 for every added functional\r\ntest](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6010)","sha":"b306f007fbcc723bffffd67b3867f6a563ffae2d"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v8.15.0","labelRegex":"^v8.15.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/183521","number":183521,"mergeCommit":{"message":"Use spec-compliant URL parser to parse `next` URL parameter. (#183521)\n\n## Summary\r\n\r\nThe Node.js URL parser [has been\r\ndeprecated](https://nodejs.org/api/url.html#urlparseurlstring-parsequerystring-slashesdenotehost)\r\nand we should start slowly switching to the [spec-compliant URL\r\nparser](https://url.spec.whatwg.org/#url-parsing) to parse URLs in\r\nKibana starting from the `next` query string parameter.\r\n\r\n__Flaky Test Runner:__ [x65 for every added functional\r\ntest](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6010)","sha":"b306f007fbcc723bffffd67b3867f6a563ffae2d"}}]}] BACKPORT--> Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
adelisle
pushed a commit
to Makila-AI/kibana
that referenced
this pull request
Aug 5, 2024
…lastic#183521) (elastic#183728) # Backport This will backport the following commits from `main` to `7.17`: - [Use spec-compliant URL parser to parse `next` URL parameter. (elastic#183521)](elastic#183521) <!--- Backport version: 8.9.8 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Aleh Zasypkin","email":"aleh.zasypkin@elastic.co"},"sourceCommit":{"committedDate":"2024-05-17T11:39:52Z","message":"Use spec-compliant URL parser to parse `next` URL parameter. (elastic#183521)\n\n## Summary\r\n\r\nThe Node.js URL parser [has been\r\ndeprecated](https://nodejs.org/api/url.html#urlparseurlstring-parsequerystring-slashesdenotehost)\r\nand we should start slowly switching to the [spec-compliant URL\r\nparser](https://url.spec.whatwg.org/#url-parsing) to parse URLs in\r\nKibana starting from the `next` query string parameter.\r\n\r\n__Flaky Test Runner:__ [x65 for every added functional\r\ntest](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6010)","sha":"b306f007fbcc723bffffd67b3867f6a563ffae2d","branchLabelMapping":{"^v8.15.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["chore","Team:Security","release_note:skip","backport:all-open","v8.15.0"],"number":183521,"url":"https://github.com/elastic/kibana/pull/183521","mergeCommit":{"message":"Use spec-compliant URL parser to parse `next` URL parameter. (elastic#183521)\n\n## Summary\r\n\r\nThe Node.js URL parser [has been\r\ndeprecated](https://nodejs.org/api/url.html#urlparseurlstring-parsequerystring-slashesdenotehost)\r\nand we should start slowly switching to the [spec-compliant URL\r\nparser](https://url.spec.whatwg.org/#url-parsing) to parse URLs in\r\nKibana starting from the `next` query string parameter.\r\n\r\n__Flaky Test Runner:__ [x65 for every added functional\r\ntest](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6010)","sha":"b306f007fbcc723bffffd67b3867f6a563ffae2d"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v8.15.0","labelRegex":"^v8.15.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/183521","number":183521,"mergeCommit":{"message":"Use spec-compliant URL parser to parse `next` URL parameter. (elastic#183521)\n\n## Summary\r\n\r\nThe Node.js URL parser [has been\r\ndeprecated](https://nodejs.org/api/url.html#urlparseurlstring-parsequerystring-slashesdenotehost)\r\nand we should start slowly switching to the [spec-compliant URL\r\nparser](https://url.spec.whatwg.org/#url-parsing) to parse URLs in\r\nKibana starting from the `next` query string parameter.\r\n\r\n__Flaky Test Runner:__ [x65 for every added functional\r\ntest](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6010)","sha":"b306f007fbcc723bffffd67b3867f6a563ffae2d"}}]}] BACKPORT--> Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
The Node.js URL parser has been deprecated and we should start slowly switching to the spec-compliant URL parser to parse URLs in Kibana starting from the
nextquery string parameter.Flaky Test Runner: x65 for every added functional test