Implement client-side version checking #79
Conversation
| return "Conduit is up to date"; | ||
| } else { | ||
| return (<div> | ||
| A new version ({this.state.latest}) is available<br /> |
There was a problem hiding this comment.
I don't know anything about react. What ensures that this is safe w.r.t. xss? I.e. let's say this.state.latest is "<script>alert("hi");</script>", does this syntax do the escaping to make that safe?
There was a problem hiding this comment.
Good question!
I modified my test response to be:
{
"version": "<script>alert('hi');</script>"
}...and got:
Is that sufficient? If there's a more malicious way to craft that json, I can try it pretty quickly.
There was a problem hiding this comment.
And you're correct @briansmith -- the {...} syntax has built in escaping, documented here: https://reactjs.org/docs/jsx-in-depth.html#string-literals-1
web/app/css/version.css
Outdated
| text-decoration: none; | ||
| } | ||
| & a.button:active { | ||
| background-color: #2F80ED; |
There was a problem hiding this comment.
would advise you to use the color var from styles.css since we're importing that file anyway.... also looking at that file, we have that color defined twice :/ we should probably consolidate. (though if we want to have a separate file for styles directly copied, we can)
web/app/js/components/Version.jsx
Outdated
| } | ||
|
|
||
| loadFromServer() { | ||
| if (this.state.done) { |
There was a problem hiding this comment.
variable naming nit: we've been using pendingRequests for this elsewhere, it'd be nice to use the same name
web/app/test/VersionTest.jsx
Outdated
| it('renders update message when versions do match', () => { | ||
| loadFromServer = setResponse(null, {responseText: "{\"version\": \"v2.3.4\"}"}); | ||
|
|
||
| // must wrap Version in a BrowserRouter because this test case renders a Link, |
There was a problem hiding this comment.
@franziskagoltz added a routerWrap function in testHelpers, maybe we can use that?
There was a problem hiding this comment.
i could not find a way to make routerWrap work with properties, so leaving this as is.
web/app/css/version.css
Outdated
|
|
||
| /* from https://conduit.io/ */ | ||
|
|
||
| & a.button { |
There was a problem hiding this comment.
Since we probably want to use the same styles everywhere if we add future buttons, I'd put the a.button styles in styles.css (or create a buttons.css, if we want to just have an isolated "coped this from conduit.io styles" file)
web/app/test/VersionTest.jsx
Outdated
| let loadFromServer; | ||
|
|
||
| function setResponse(err, resp) { | ||
| return sinon.stub(Version.prototype, 'loadFromServer').callsFake(function fakeFn() { |
There was a problem hiding this comment.
yup... though removing this because fetch does what we need!
siggy
force-pushed
the
siggy/version-check
branch
from
d8ea95c
to
1d0e6ae
Compare
|
My main interest in this is the security-critical stuff, which seems to have been addressed so +1 from me. However, I wonder where the best place to format the output really is. It seems like with the proposed change we have less flexibility than if we were to do the formatting on our own host. For example, how would we indicate in the web UI the update's urgency, e.g. a critical security update vs. a "whenever you get around to it" update? It seems like it would be good to let the server give us some free-form text to describe the urgency, at least. |
|
@briansmith I agree some kind of richer free-form messaging here is a good idea. I'd like to defer it for a subsequent PR. As our version check endpoint is json (kevin's bright recommendation), we can iterate on it and add fields in a backwards compatible way. I've filed #90 to track this. |
siggy
force-pushed
the
siggy/version-check
branch
2 times, most recently
from
3d77b9b
to
b3b9478
Compare
|
versioncheck.conduit.io/update is public domain, could you please consider enterprise-level environment, it can't directly access internet directly. |
|
@xiaods fair point. i think for this initial PR we'll hit the public URL. i could imagine future versions supporting some kind of proxy setting to enable outside internet access (or something else entirely). if you have more thoughts, please summarize them in a Github issue so we can consider it for our roadmap. |
web/app/js/components/Version.jsx
Outdated
| super(props); | ||
| this.loadFromServer = this.loadFromServer.bind(this); | ||
| this.handleApiError = this.handleApiError.bind(this); | ||
| this.state = {err: null, latest: null, loaded: false, pendingRequests: false,}; |
web/app/css/version.css
Outdated
| .version { | ||
| padding: 0 0 0 9px; | ||
| font-size: 13px; | ||
| font-weight: 700; |
web/app/js/components/Version.jsx
Outdated
| this.setState({ | ||
| loaded: true, | ||
| pendingRequests: false, | ||
| err: e |
There was a problem hiding this comment.
nit: in other places we do this we use "error" and I'd prefer us to be consistent
Previously Conduit would render an iframe, received from versioncheck.conduit.io. Modify the client to retrieve the latest released version, via CORS. Signed-off-by: Andrew Seigner <andrew@sig.gy>
siggy
force-pushed
the
siggy/version-check
branch
from
a5a7395
to
5493601
Compare
In preparation for further simplifications to HTTP telemetry, this change consolidates all HTTP-specific logic under the `telemetry::http` module. Specifically, the following modules have been moved: - `telemetry::event`; - `telemetry::metrics::labels`; - `telemetry::metrics::record`; - `telemetry::sensors`; and - `telemetry::sensors::http`. This change takes pains to avoid changing any implementation details, so some types and methods have been made public temporarily while the interface boundaries are not well defined. This will be fixed in a subsequent change.
Previously Conduit would render an iframe, received from
versioncheck.conduit.io.
Modify the client to retrieve the latest released version, via CORS.