sanitize ULRs before parsing query params

finos · Oct 26, 2022 · 799a6fe · 799a6fe
1 parent 6689b21
commit 799a6fe
Show file tree

Hide file tree

Showing 8 changed files with 36 additions and 6 deletions.
diff --git a/.changeset/mighty-dodos-explain.md b/.changeset/mighty-dodos-explain.md
@@ -0,0 +1,5 @@
+---
+'@finos/legend-shared': minor
+---
+
+Add `sanitizeURL` utility.
diff --git a/.changeset/smart-rules-appear.md b/.changeset/smart-rules-appear.md
@@ -0,0 +1,5 @@
+---
+'@finos/legend-application-query': patch
+'@finos/legend-extension-dsl-data-space': patch
+'@finos/legend-shared': patch
+---
diff --git a/packages/legend-application-query/src/components/QueryEditor.tsx b/packages/legend-application-query/src/components/QueryEditor.tsx
@@ -39,7 +39,11 @@ import {
   CheckIcon,
   MenuContentItemLabel,
 } from '@finos/legend-art';
-import { debounce, getQueryParameters } from '@finos/legend-shared';
+import {
+  debounce,
+  getQueryParameters,
+  sanitizeURL,
+} from '@finos/legend-shared';
 import { observer } from 'mobx-react-lite';
 import { Fragment, useEffect, useMemo, useRef, useState } from 'react';
 import {
@@ -645,7 +649,7 @@ export const ServiceQueryCreator = observer(() => {
   const gav = params[LEGEND_QUERY_PATH_PARAM_TOKEN.GAV];
   const servicePath = params[LEGEND_QUERY_PATH_PARAM_TOKEN.SERVICE_PATH];
   const executionKey = getQueryParameters<ServiceQueryCreatorQueryParams>(
-    applicationStore.navigator.getCurrentAddress(),
+    sanitizeURL(applicationStore.navigator.getCurrentAddress()),
     true,
   )[LEGEND_QUERY_QUERY_PARAM_TOKEN.SERVICE_EXECUTION_KEY];
 

diff --git a/packages/legend-application-query/src/components/QuerySetup.tsx b/packages/legend-application-query/src/components/QuerySetup.tsx
@@ -31,7 +31,11 @@ import {
   CheckIcon,
   MenuContentDivider,
 } from '@finos/legend-art';
-import { getQueryParameters, guaranteeNonNullable } from '@finos/legend-shared';
+import {
+  getQueryParameters,
+  guaranteeNonNullable,
+  sanitizeURL,
+} from '@finos/legend-shared';
 import { observer, useLocalObservable } from 'mobx-react-lite';
 import React, { createContext, useContext, useEffect } from 'react';
 import {
@@ -251,7 +255,7 @@ export const QuerySetupLandingPage = withQuerySetupLandingPageStore(
     const setupStore = useQuerySetupLandingPageStore();
     const applicationStore = useLegendQueryApplicationStore();
     const params = getQueryParameters<QuerySetupQueryParams>(
-      applicationStore.navigator.getCurrentAddress(),
+      sanitizeURL(applicationStore.navigator.getCurrentAddress()),
       true,
     );
     const showAdvancedActions =

diff --git a/packages/legend-extension-dsl-data-space/src/components/query/DataSpaceQueryCreator.tsx b/packages/legend-extension-dsl-data-space/src/components/query/DataSpaceQueryCreator.tsx
@@ -15,7 +15,7 @@
  */
 
 import { observer, useLocalObservable } from 'mobx-react-lite';
-import { getQueryParameters } from '@finos/legend-shared';
+import { getQueryParameters, sanitizeURL } from '@finos/legend-shared';
 import { useApplicationStore, useParams } from '@finos/legend-application';
 import { useDepotServerClient } from '@finos/legend-server-depot';
 import {
@@ -82,7 +82,7 @@ export const DataSpaceQueryCreator = observer(() => {
     params[DATA_SPACE_QUERY_CREATOR_PATH_PARAM_TOKEN.EXECUTION_CONTEXT];
   const runtimePath = params[LEGEND_QUERY_PATH_PARAM_TOKEN.RUNTIME_PATH];
   const classPath = getQueryParameters<DataSpaceQueryEditorQueryParams>(
-    applicationStore.navigator.getCurrentAddress(),
+    sanitizeURL(applicationStore.navigator.getCurrentAddress()),
     true,
   )[DATA_SPACE_QUERY_CREATOR_QUERY_PARAM_TOKEN.CLASS_PATH];
 

diff --git a/packages/legend-shared/package.json b/packages/legend-shared/package.json
@@ -39,6 +39,7 @@
     "test:watch": "jest --watch"
   },
   "dependencies": {
+    "@braintree/sanitize-url": "6.0.1",
     "@types/lodash-es": "4.17.6",
     "@types/object-hash": "2.2.1",
     "@types/pako": "2.0.0",

diff --git a/packages/legend-shared/src/network/NetworkUtils.ts b/packages/legend-shared/src/network/NetworkUtils.ts
@@ -29,6 +29,7 @@ import {
   stringify as _stringifyQueryParams,
 } from 'query-string';
 import { returnUndefOnError } from '../error/ErrorUtils.js';
+import { sanitizeUrl } from '@braintree/sanitize-url';
 
 /**
  * Unlike the download call (GET requests) which is gziped, the upload call send uncompressed data which is in megabytes realms
@@ -554,3 +555,5 @@ export const buildUrl = (parts: string[]): string =>
   parts
     .map((part) => part.replaceAll(/^\/+/g, '').replaceAll(/\/+$/g, ''))
     .join(URL_SEPARATOR);
+
+export const sanitizeURL = (val: string): string => sanitizeUrl(val);
diff --git a/yarn.lock b/yarn.lock
@@ -1547,6 +1547,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"@braintree/sanitize-url@npm:6.0.1":
+  version: 6.0.1
+  resolution: "@braintree/sanitize-url@npm:6.0.1"
+  checksum: 6f9221299aac0c841a17ecb1ebc60eb43c794f05b5136ca9b87116c8472b7e96f21e56ba2da8369f964112c6055fab791a37015bbea4bd5a189cc38206d214ad
+  languageName: node
+  linkType: hard
+
 "@changesets/apply-release-plan@npm:^6.1.1":
   version: 6.1.1
   resolution: "@changesets/apply-release-plan@npm:6.1.1"
@@ -2987,6 +2994,7 @@ __metadata:
   version: 0.0.0-use.local
   resolution: "@finos/legend-shared@workspace:packages/legend-shared"
   dependencies:
+    "@braintree/sanitize-url": 6.0.1
     "@finos/legend-dev-utils": "workspace:*"
     "@jest/globals": 29.2.2
     "@types/lodash-es": 4.17.6