Use spec-compliant URL parser to parse next URL parameter.
#183521
Conversation
azasypkin
added
chore
Team:Security
|
/ci |
azasypkin
force-pushed
the
issue-xxx-parse-next
branch
from
8234e28
to
2111045
Compare
|
/ci |
azasypkin
force-pushed
the
issue-xxx-parse-next
branch
from
2111045
to
d6ca29f
Compare
azasypkin
force-pushed
the
issue-xxx-parse-next
branch
from
d6ca29f
to
8fea2be
Compare
|
/ci |
| // URL (//), or a scheme-relative URL with an empty host (///). Browsers may process such URLs unexpectedly due to | ||
| // backward compatibility reasons (e.g., a browser may treat `///abc.com` as just `abc.com`). For more details, refer | ||
| // to https://url.spec.whatwg.org/#concept-basic-url-parser and https://url.spec.whatwg.org/#url-representation. | ||
| let normalizedURL: URL; |
There was a problem hiding this comment.
note: hopefully, we can get rid of this trickery when/if this is accepted and implemented: whatwg/url#531
Flaky Test Runner Stats🎉 All tests passed! - kibana-flaky-test-suite-runner#6010[✅] x-pack/test/security_functional/login_selector.config.ts: 65/65 tests passed. |
|
Pinging @elastic/kibana-security (Team:Security) |
| // to https://url.spec.whatwg.org/#concept-basic-url-parser and https://url.spec.whatwg.org/#url-representation. | ||
| let normalizedURL: URL; | ||
| try { | ||
| for (const baseURL of ['http://example.org:5601', 'https://example.com']) { |
There was a problem hiding this comment.
QQ: why do we need the one with the port there? isn't https://example.com not enough for normalization?
There was a problem hiding this comment.
Based on what we know today, it's redundant, agreed. The idea was to have two base URLs that differ in all three parts of the origin (protocol, host, and port) just to ensure there is no way to exploit any backward compatibility browser quirk that we're not aware of yet to make the browser treat a relative URL as an absolute one.
| it('should return `false` if absolute URL contains tabs or new lines', () => { | ||
| for (const char of ['\t', '\n', '\r', '\t\n\r']) { | ||
| for (const url of [ | ||
| `/${char}/${basePath}app/kibana`, | ||
| `/${char}//${basePath}app/kibana`, | ||
| `//${char}/${basePath}app/kibana`, | ||
| `htt${char}ps://example.com${basePath}`, | ||
| `htt${char}p://example.org:5601${basePath}`, | ||
| `file${char}://example.com${basePath}`, | ||
| `htt${char}p://example.org:5601${char}${basePath}`, | ||
| `https:/${char}/example.com${char}${basePath}`, | ||
| ]) { |
There was a problem hiding this comment.
Wouldn't these all return false anyway, even without the special character? Should we have at least one test case that would otherwise return true, if not for the tab/newline?
There was a problem hiding this comment.
I've explained the idea in https://github.com/elastic/kibana/pull/183521/files#r1603774927, but in this specific case (with the base path) you're right - these all seem to return false even with the previous code, which is not what we want. Let me take a look.
| it('should return `false` if absolute URL contains tabs or new lines', () => { | ||
| for (const char of ['\t', '\n', '\r', '\t\n\r']) { | ||
| for (const url of [ | ||
| `/${char}/app/kibana`, | ||
| `/${char}//app/kibana`, | ||
| `//${char}/app/kibana`, | ||
| `/${char}/example.com`, | ||
| `/${char}//example.com`, | ||
| `//${char}/example.com`, | ||
| `htt${char}ps://example.com`, | ||
| `/${char}/example.org`, | ||
| `/${char}//example.org`, | ||
| `//${char}/example.org`, | ||
| `htt${char}ps://example.org`, | ||
| `/${char}/example.org:5601`, | ||
| `/${char}//example.org:5601`, | ||
| `//${char}/example.org:5601`, | ||
| `htt${char}ps://example.org:5601`, | ||
| `java${char}script:alert(1)`, | ||
| `htt${char}p://example.org:5601`, | ||
| `https:/${char}/example.com`, | ||
| `file${char}://example.com`, | ||
| `https://example${char}.com/path`, | ||
| ]) { |
There was a problem hiding this comment.
Same here. These would all return false, even without the special character. Should we have at least one test case that would otherwise return true, if not for the tab/newline?
I tried this with using '/app/kibana#/discover/New-Saved-Search' (from the true test case) and adding the special char in various places, but it still returned true. Am I misinterpreting the test?
There was a problem hiding this comment.
These would all return false, even without the special character.
Without the special character, they will behave as expected with both the current and previous code and return false, and we have existing tests for this behavior. The issue I'm trying to cover here is that with the previous code, the presence of the special character made this function mistakenly return true instead of false. Try reverting the changes in is_internal_url.ts but keep the tests.
Does that make sense?
Should we have at least one test case that would otherwise return true, if not for the tab/newline?
Yeah, I think it's a good idea. What about having a similar loop with a subset of the URLs tested here, but with a white space instead of \t\r\n that should cause the function to return true?
There was a problem hiding this comment.
Okay, I've made an attempt to make the intention a bit clearer in unit tests in 96772c3. @jeramysoucy let me know if it helps.
There was a problem hiding this comment.
Yes, this is much more clear to me now. Thanks, Oleg!
…bs/newlines, spaces, and other characters
💚 Build Succeeded
Metrics [docs]Page load bundle
History
To update your PR or re-run it, just comment with: |
💔 All backports failed
Manual backportTo create the backport manually run: Questions ?Please refer to the Backport tool documentation |
…#183521) ## Summary The Node.js URL parser [has been deprecated](https://nodejs.org/api/url.html#urlparseurlstring-parsequerystring-slashesdenotehost) and we should start slowly switching to the [spec-compliant URL parser](https://url.spec.whatwg.org/#url-parsing) to parse URLs in Kibana starting from the `next` query string parameter. __Flaky Test Runner:__ [x65 for every added functional test](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6010) (cherry picked from commit b306f00) # Conflicts: # .github/CODEOWNERS # x-pack/plugins/security/common/is_internal_url.ts
💚 All backports created successfully
Note: Successful backport PRs will be merged automatically after passing CI. Questions ?Please refer to the Backport tool documentation |
…#183521) ## Summary The Node.js URL parser [has been deprecated](https://nodejs.org/api/url.html#urlparseurlstring-parsequerystring-slashesdenotehost) and we should start slowly switching to the [spec-compliant URL parser](https://url.spec.whatwg.org/#url-parsing) to parse URLs in Kibana starting from the `next` query string parameter. __Flaky Test Runner:__ [x65 for every added functional test](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6010) (cherry picked from commit b306f00) # Conflicts: # .github/CODEOWNERS # x-pack/plugins/security/common/is_internal_url.ts
…183521) (#183726) # Backport This will backport the following commits from `main` to `8.14`: - [Use spec-compliant URL parser to parse `next` URL parameter. (#183521)](#183521) <!--- Backport version: 8.9.8 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Aleh Zasypkin","email":"aleh.zasypkin@elastic.co"},"sourceCommit":{"committedDate":"2024-05-17T11:39:52Z","message":"Use spec-compliant URL parser to parse `next` URL parameter. (#183521)\n\n## Summary\r\n\r\nThe Node.js URL parser [has been\r\ndeprecated](https://nodejs.org/api/url.html#urlparseurlstring-parsequerystring-slashesdenotehost)\r\nand we should start slowly switching to the [spec-compliant URL\r\nparser](https://url.spec.whatwg.org/#url-parsing) to parse URLs in\r\nKibana starting from the `next` query string parameter.\r\n\r\n__Flaky Test Runner:__ [x65 for every added functional\r\ntest](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6010)","sha":"b306f007fbcc723bffffd67b3867f6a563ffae2d","branchLabelMapping":{"^v8.15.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["chore","Team:Security","release_note:skip","backport:all-open","v8.15.0"],"number":183521,"url":"https://github.com/elastic/kibana/pull/183521","mergeCommit":{"message":"Use spec-compliant URL parser to parse `next` URL parameter. (#183521)\n\n## Summary\r\n\r\nThe Node.js URL parser [has been\r\ndeprecated](https://nodejs.org/api/url.html#urlparseurlstring-parsequerystring-slashesdenotehost)\r\nand we should start slowly switching to the [spec-compliant URL\r\nparser](https://url.spec.whatwg.org/#url-parsing) to parse URLs in\r\nKibana starting from the `next` query string parameter.\r\n\r\n__Flaky Test Runner:__ [x65 for every added functional\r\ntest](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6010)","sha":"b306f007fbcc723bffffd67b3867f6a563ffae2d"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v8.15.0","labelRegex":"^v8.15.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/183521","number":183521,"mergeCommit":{"message":"Use spec-compliant URL parser to parse `next` URL parameter. (#183521)\n\n## Summary\r\n\r\nThe Node.js URL parser [has been\r\ndeprecated](https://nodejs.org/api/url.html#urlparseurlstring-parsequerystring-slashesdenotehost)\r\nand we should start slowly switching to the [spec-compliant URL\r\nparser](https://url.spec.whatwg.org/#url-parsing) to parse URLs in\r\nKibana starting from the `next` query string parameter.\r\n\r\n__Flaky Test Runner:__ [x65 for every added functional\r\ntest](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6010)","sha":"b306f007fbcc723bffffd67b3867f6a563ffae2d"}}]}] BACKPORT-->
…183521) (#183728) # Backport This will backport the following commits from `main` to `7.17`: - [Use spec-compliant URL parser to parse `next` URL parameter. (#183521)](#183521) <!--- Backport version: 8.9.8 --> ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) <!--BACKPORT [{"author":{"name":"Aleh Zasypkin","email":"aleh.zasypkin@elastic.co"},"sourceCommit":{"committedDate":"2024-05-17T11:39:52Z","message":"Use spec-compliant URL parser to parse `next` URL parameter. (#183521)\n\n## Summary\r\n\r\nThe Node.js URL parser [has been\r\ndeprecated](https://nodejs.org/api/url.html#urlparseurlstring-parsequerystring-slashesdenotehost)\r\nand we should start slowly switching to the [spec-compliant URL\r\nparser](https://url.spec.whatwg.org/#url-parsing) to parse URLs in\r\nKibana starting from the `next` query string parameter.\r\n\r\n__Flaky Test Runner:__ [x65 for every added functional\r\ntest](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6010)","sha":"b306f007fbcc723bffffd67b3867f6a563ffae2d","branchLabelMapping":{"^v8.15.0$":"main","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["chore","Team:Security","release_note:skip","backport:all-open","v8.15.0"],"number":183521,"url":"https://github.com/elastic/kibana/pull/183521","mergeCommit":{"message":"Use spec-compliant URL parser to parse `next` URL parameter. (#183521)\n\n## Summary\r\n\r\nThe Node.js URL parser [has been\r\ndeprecated](https://nodejs.org/api/url.html#urlparseurlstring-parsequerystring-slashesdenotehost)\r\nand we should start slowly switching to the [spec-compliant URL\r\nparser](https://url.spec.whatwg.org/#url-parsing) to parse URLs in\r\nKibana starting from the `next` query string parameter.\r\n\r\n__Flaky Test Runner:__ [x65 for every added functional\r\ntest](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6010)","sha":"b306f007fbcc723bffffd67b3867f6a563ffae2d"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v8.15.0","labelRegex":"^v8.15.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/183521","number":183521,"mergeCommit":{"message":"Use spec-compliant URL parser to parse `next` URL parameter. (#183521)\n\n## Summary\r\n\r\nThe Node.js URL parser [has been\r\ndeprecated](https://nodejs.org/api/url.html#urlparseurlstring-parsequerystring-slashesdenotehost)\r\nand we should start slowly switching to the [spec-compliant URL\r\nparser](https://url.spec.whatwg.org/#url-parsing) to parse URLs in\r\nKibana starting from the `next` query string parameter.\r\n\r\n__Flaky Test Runner:__ [x65 for every added functional\r\ntest](https://buildkite.com/elastic/kibana-flaky-test-suite-runner/builds/6010)","sha":"b306f007fbcc723bffffd67b3867f6a563ffae2d"}}]}] BACKPORT--> Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Summary
The Node.js URL parser has been deprecated and we should start slowly switching to the spec-compliant URL parser to parse URLs in Kibana starting from the
nextquery string parameter.Flaky Test Runner: x65 for every added functional test