fix(security): add url validation for help chat (#9956) (#10417)

* fix: add url validation for help chat Signed-off-by: saumeya <saumeyakatyal@gmail.com> * lint check Signed-off-by: saumeya <saumeyakatyal@gmail.com> * lint fix Signed-off-by: saumeya <saumeyakatyal@gmail.com> * review comments Signed-off-by: saumeya <saumeyakatyal@gmail.com> --------- Signed-off-by: saumeya <saumeyakatyal@gmail.com> Co-authored-by: Michael Crenshaw <350466+crenshaw-dev@users.noreply.github.com>
argoproj · Feb 17, 2023 · 03d1c05 · 03d1c05
1 parent 3126832
commit 03d1c05
Showing 1 changed file with 19 additions and 3 deletions.
diff --git a/ui/src/app/ui-banner/ui-banner.tsx b/ui/src/app/ui-banner/ui-banner.tsx
@@ -1,6 +1,8 @@
+import {Tooltip} from 'argo-ui';
 import * as React from 'react';
 import {combineLatest} from 'rxjs';
 import {map} from 'rxjs/operators';
+import {ExternalLink} from '../applications/components/application-urls';
 
 import {DataLoader} from '../shared/components';
 import {services, ViewPreferences} from '../shared/services';
@@ -67,6 +69,12 @@ export const Banner = (props: React.Props<any>) => {
                         chatBottomPosition = 85;
                     }
                 }
+                try {
+                    const externalLink = new ExternalLink(chatUrl);
+                    chatUrl = externalLink.ref;
+                } catch (InvalidExternalLinkError) {
+                    chatUrl = 'invalid-url';
+                }
                 return (
                     <React.Fragment>
                         <div className={combinedBannerClassName} style={{visibility: show ? 'visible' : 'hidden', height: heightOfBanner, left: leftOffset}}>
@@ -97,9 +105,17 @@ export const Banner = (props: React.Props<any>) => {
                         {show ? <div className={wrapperClassname}>{props.children}</div> : props.children}
                         {chatUrl && (
                             <div style={{position: 'fixed', right: 10, bottom: chatBottomPosition}}>
-                                <a href={chatUrl} className='argo-button argo-button--special'>
-                                    <i className='fas fa-comment-alt' /> {chatText}
-                                </a>
+                                {chatUrl === 'invalid-url' ? (
+                                    <Tooltip content='Invalid URL provided'>
+                                        <a className='argo-button disabled argo-button--special'>
+                                            <i className='fas fa-comment-alt' /> {chatText}
+                                        </a>
+                                    </Tooltip>
+                                ) : (
+                                    <a href={chatUrl} className='argo-button argo-button--special'>
+                                        <i className='fas fa-comment-alt' /> {chatText}
+                                    </a>
+                                )}
                             </div>
                         )}
                     </React.Fragment>