[Feature]: Additional configuration to prevent the creation of a new tab and use of file upload controls #1211
Comments
|
Both issues are a security issue for us and we would like to prevent this by adding two boolean properties to the configuration. Sorry for any uncertainties due to my description. Hopefully everything is clear now, if not, please reach out. |
|
Thanks. I would be very curious to see a photo of your devices with Jaeger running on them :-) I take it these are some portable devices? Regarding the feature - sounds reasonable. I'll transfer the issue to UI repo, as this will need to be implemented as a couple of new UI config options. |
|
Thanks a lot! I'm currently working on the implementation of the feature. |
|
@yurishkuro To push my changes do I need special rights from you to do so? When I try to push my changes git says that permission have been denied. |
|
You need to fork the repo, push changes to a branch in the fork, and create a pull request. When you push to a fork, git will print a URL to create a PR. |
* This PR splits one single feature from jaegertracing#1229 by @Binrix, which is too large * Adds a new configuration option `disableFileUploadControl` * Addresses part of jaegertracing#1211 --------- Signed-off-by: Yuri Shkuro <github@ysh.us> Signed-off-by: RAMU MANAM <manam.ramu@uber.com>
- This PR splits one single feature from #1229 - Adds a new configuration option `disableJsonView` - Addresses part of #1211 --------- Signed-off-by: Benjamin Klein <benjamin.klein.bk1@roche.com> Signed-off-by: Yuri Shkuro <github@ysh.us> Co-authored-by: Benjamin Klein <benjamin.klein.bk1@roche.com> Co-authored-by: Yuri Shkuro <yurishkuro@users.noreply.github.com> Co-authored-by: Yuri Shkuro <github@ysh.us>
This pull request resolves the issue #1211 This property is later used to prevent the popup of a new page. When set to true, it will alter all _blank targets for links to empty. A utils function is provided. --------- Signed-off-by: Benjamin Klein <benjamin.klein.bk1@roche.com> Signed-off-by: Benjamin Klein <45211351+Binrix@users.noreply.github.com> Co-authored-by: Benjamin Klein <benjamin.klein.bk1@roche.com> Co-authored-by: Yuri Shkuro <yurishkuro@users.noreply.github.com>
Requirement
As a developer I would like to have the possibility to set an option for the creation of a new page and another one to disable the use of the file upload controls in the configuration so that an user will not be able to access the file system via the development tools or the file upload controls.
Problem
The issue is that in a few cases a link will lead to a new tab. We use Jaeger-UI with electron on our instruments and a new tab (e.g. target of link is _blank) leads to a popup of a new window. Now the user is able to access the file system with the development tools. This problem leads to a security issue because the user can access data that shouldn't be accessible for everyone. There are also file upload controls in the Jaeger UI, which can be used to access the file system without opening new windows or developer tools and hence these controls would need to be removed.
Proposal
The proposal is to add two new boolean properties to the configuration file. These properties will later be used to evaluate if a link will lead to a new tab (for us to a new popup window) or not. The same for the file upload controls. To be more precise: When a case occurs that a target is _blank or a standalone link will be displayed, the new option in the configuration will prevent those two cases.
This solution was already discussed in the slack channel with Javier Jiménez Roda.
Open questions
No response
The text was updated successfully, but these errors were encountered: